aws / aws-appsync-community

The AWS AppSync community
https://aws.amazon.com/appsync
Apache License 2.0

With Correct Schema Auth Setup, AppSync returns "Not Authorized" on Queries from Console and from API Calls from Lambda #259

Closed kuoaid closed 9 months ago

kuoaid commented 1 year ago

We are having auth problems when running queries from the console and from a Lambda function written in Node.js.

We expect the correct data to be returned, but we keep getting a "not authorized" message.

Specifically...

With the following schema:

    getMyData(id: ID!): MyData
        @aws_api_key
        @aws_iam
        @aws_cognito_user_pools
    listMyDatas(filter: ModelMyDataFilterInput, limit: Int, nextToken: String): ModelMyDataConnection
        @aws_api_key
        @aws_iam
        @aws_cognito_user_pools
    syncMyDatas(
        filter: ModelMyDataFilterInput,
        limit: Int,
        nextToken: String,
        lastSync: AWSTimestamp
    ): ModelMyDataConnection
        @aws_api_key
        @aws_iam
        @aws_cognito_user_pools

Generated from Amplify Datastore:

type MyData
@model
@auth(rules: [
    {allow: owner},
    {allow: private, operations: [create, read, update], provider: iam},
    {allow: public, provider: apiKey, operations: [read, update, delete, create]}]) {
    id: ID!
    data1: String
}

Running the query:

query MyQuery {
  getMyData(id: "2f225e32-a4d1-4faf-xxxx-f54xxxxxxx55") {
    id
  }
}

From the AppSync console via either apiKey or IAM, returns:

{
  "data": {
    "getMyData": null
  },
  "errors": [
    {
      "path": [
        "getMyData"
      ],
      "data": null,
      "errorType": "Unauthorized",
      "errorInfo": null,
      "locations": [
        {
          "line": 2,
          "column": 3,
          "sourceName": null
        }
      ],
      "message": "Not Authorized to access getMyData on type MyData"
    }
  ]
}

A Lambda function that runs the same query returns the same thing. The Lambda function is currently authorizing via the API key.

About the API key: The API key is valid. The AppSync console does not work before or after a successful key rotation.

kuoaid commented 1 year ago

Update:

After 24 hours, the schema magically turned into

@auth(rules: [{allow: private}])

Which explains the behavior.

However, never was the schema defined this way. Please investigate.
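
Why a model reduced to `{allow: private}` rejects API key and IAM callers, as an added example (not code from this thread or from Amplify): it derives the AppSync directives a query field should carry from the `@auth` rules and reports which auth modes lost read access between the intended and the deployed rules. The default-provider table assumes Amplify's documented defaults (owner, groups and private use Cognito user pools; public uses the API key), and all function names are hypothetical.

```javascript
// Added example: derive AppSync auth directives from Amplify @auth rules
// and detect drift between the intended and the deployed model.
// Assumption: Amplify's documented default provider per `allow` strategy.
const DEFAULT_PROVIDER = { owner: 'userPools', groups: 'userPools', private: 'userPools', public: 'apiKey' };
const DIRECTIVE = { userPools: '@aws_cognito_user_pools', iam: '@aws_iam', apiKey: '@aws_api_key', oidc: '@aws_oidc' };
const ALL_OPS = ['create', 'read', 'update', 'delete'];

// Parse each {...} rule object out of an @auth(rules: [...]) directive string.
function parseAuthRules(directive) {
  const rules = [];
  for (const [, body] of directive.matchAll(/\{([^{}]*)\}/g)) {
    const allow = (body.match(/\ballow:\s*(\w+)/) || [])[1];
    if (!allow) continue; // not an auth rule
    const provider = (body.match(/\bprovider:\s*(\w+)/) || [])[1] || DEFAULT_PROVIDER[allow];
    const ops = body.match(/\boperations:\s*\[([^\]]*)\]/);
    // A rule without an operations list applies to every operation.
    const operations = ops ? ops[1].split(',').map(s => s.trim()).filter(Boolean) : ALL_OPS;
    rules.push({ allow, provider, operations });
  }
  return rules;
}

// Directives that a query field (a read) should carry under these rules.
function readDirectives(directive) {
  const out = new Set();
  for (const r of parseAuthRules(directive)) {
    if (r.operations.includes('read') && DIRECTIVE[r.provider]) out.add(DIRECTIVE[r.provider]);
  }
  return [...out].sort();
}

// Auth modes that could read under the intended rules but not the deployed ones.
function lostReadModes(intended, deployed) {
  const now = new Set(readDirectives(deployed));
  return readDirectives(intended).filter(d => !now.has(d));
}

// Rules copied from the issue: the model as written, and as it later appeared.
const INTENDED = `@auth(rules: [
    {allow: owner},
    {allow: private, operations: [create, read, update], provider: iam},
    {allow: public, provider: apiKey, operations: [read, update, delete, create]}])`;
const DEPLOYED = '@auth(rules: [{allow: private}])';

console.log('intended:', readDirectives(INTENDED));
console.log('deployed:', readDirectives(DEPLOYED));
console.log('lost    :', lostReadModes(INTENDED, DEPLOYED));
```

The intended rules yield the same three directives shown on the query fields above; the deployed rule yields only `@aws_cognito_user_pools`, so requests signed with the API key or IAM fail authorization.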

onlybakam commented 9 months ago

Hello. Please open a support case if you are still experiencing the issue. I would also recommend opening an issue with AWS Amplify to investigate the model schema.