Closed Simon-PumpAndUp closed 2 years ago
custom-roles.json
{
  "adminRoleNames": [
    "roleName",
    "root"
  ]
}
No need for { allow: public, provider: iam } in the schema.
Why is this issue closed? What is the solution?
Hello @undrash, you must set the @aws_iam flag in your graphql.schema if you want to be authorized to use the AppSync console with IAM (or a Lambda...). Check this out: https://docs.amplify.aws/cli-legacy/graphql-transformer/auth/#private-authorization
type User @model @aws_iam @aws_cognito_user_pools @auth(rules: [ { allow: owner, identityClaim: "username" }, { allow: private, operations: [read] } ]) { ... }
You can also further refine the auth rules with the parameter "provider".
Thank you! This is what I was looking for from the docs:
IAM-based @auth rules are scoped down to only work with Amplify-generated IAM roles. To access the GraphQL API with IAM authorization within your AppSync console, you need to explicitly allow list the IAM user's name by adding them to amplify/backend/api/<your-api-name>/custom-roles.json. (Create the custom-roles.json file if it doesn't exist). Append the adminRoleNames array with the IAM role or user names.
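The procedure quoted from the docs above, as an added example that is not part of the original thread or Amplify's own code: a Python helper that creates custom-roles.json if it is missing and appends names to adminRoleNames without duplicating entries or discarding other keys. The function name, the API directory `myapi` and the role name `ConsoleTester` are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path


def allow_iam_names(roles_file, names):
    """Append IAM role/user names to adminRoleNames; return the names newly added."""
    path = Path(roles_file)
    # Create-if-missing, as the docs describe; otherwise keep the existing content.
    config = json.loads(path.read_text()) if path.exists() else {}
    if not isinstance(config, dict):
        raise ValueError(f"{path}: top level must be a JSON object")
    current = config.setdefault("adminRoleNames", [])
    if not isinstance(current, list):
        raise ValueError(f"{path}: adminRoleNames must be an array")

    added = []
    for name in names:
        # Validate before writing so a bad entry never reaches the file.
        if not isinstance(name, str) or not name.strip():
            raise ValueError(f"refusing empty or non-string entry: {name!r}")
        name = name.strip()
        if name not in current:  # idempotent: re-running adds nothing
            current.append(name)
            added.append(name)

    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(config, indent=2) + "\n")
    return added


if __name__ == "__main__":
    # Constructed demo in a temp directory; "myapi" and "ConsoleTester" are hypothetical.
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "amplify/backend/api/myapi/custom-roles.json"
        print(allow_iam_names(target, ["ConsoleTester"]))  # file is created
        print(allow_iam_names(target, ["ConsoleTester"]))  # nothing new to add
        print(target.read_text())
```

The return value lists only the names that were newly added, which makes each change to the allow list easy to surface in code review.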
What if we have multiple AWS accounts into which we need to deploy our code? How can we create account-specific custom-roles.json files, or should we add all account role names in the same file?
Hello,
I've searched for a while and I couldn't find a solution, so here I am.
When I use the sandbox, in AWS AppSync using IAM as authorization provider to test my queries, it doesn't work:
My model auth: @auth(rules: [ { allow: owner }, { allow: public, provider: iam }, { allow: private, operations: [read] } ])
Whereas with a connected user it works (Cognito).
I'm not sure how I'm supposed to set this up.
Thank you :)