aws / aws-appsync-community

The AWS AppSync community
https://aws.amazon.com/appsync
Apache License 2.0

Deny all Mutations in aws_lambda auth #272

Open tayler-kemsley opened 1 year ago

tayler-kemsley commented 1 year ago

Hey,

I'm trying to create a simple API key based authentication system in AppSync using the AWS_LAMBDA authentication type.

This should allow read-only access to the API. I was hoping a Lambda authorizer like this would work, but it's not denying Mutations as expected.

This is a rough example of the Authorizer lambda code:

def lambda_handler(event, context):
    token = event.get('authorizationToken')
    if not token:
        raise Exception('Unexpected token format')
    response = {
        'isAuthorized': True,
        'deniedFields': ['Mutation']
    }
    # Hand the authorization decision back to AppSync
    return response

I've tried things like Mutation.* and schema.Mutation but can't get it to work. This seems like a very common use case, is there a way to get it working?

onlybakam commented 9 months ago

This pattern is currently not supported. Currently you must provide the full path of your type: either the ARN or the shorthand: Type.Field

ref: https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#aws-lambda-authorization
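
Following the reply above, one way to get a read-only key is to enumerate every field of `Mutation` as `Type.Field` shorthand and return the full list in `deniedFields`. This is an added example, not code from the thread or from AWS: the schema is a constructed sample, the `READ_ONLY_API_KEY` variable name is hypothetical, and the regex extraction assumes field arguments contain no nested parentheses or braces.

```python
import hmac
import os
import re

# Constructed sample schema; in a real deployment, package the API's own SDL.
SCHEMA = '''
type Query {
  getPost(id: ID!): Post
}
type Mutation {
  # create a post
  createPost(
    title: String!
    body: String
  ): Post
  deletePost(id: ID!): Post @aws_iam
}
type Post { id: ID! title: String }
'''

def mutation_denied_fields(sdl):
    """Return every Mutation field as the Type.Field shorthand AppSync expects."""
    # Drop descriptions, string literals and comments before looking for names.
    sdl = re.sub(r'""".*?"""|"[^"\n]*"|#[^\n]*', '', sdl, flags=re.S)
    # Drop argument lists so argument names are not mistaken for fields.
    sdl = re.sub(r'\([^()]*\)', '', sdl)
    fields = []
    # finditer also picks up "extend type Mutation" blocks.
    for block in re.finditer(r'\btype\s+Mutation\b[^{]*\{([^}]*)\}', sdl):
        fields += re.findall(r'(\w+)\s*:', block.group(1))
    return sorted({f'Mutation.{name}' for name in fields})

DENIED = mutation_denied_fields(SCHEMA)  # computed once per cold start

def lambda_handler(event, context):
    token = event.get('authorizationToken') or ''
    expected = os.environ.get('READ_ONLY_API_KEY', '')  # hypothetical variable name
    # Fail closed: an unset key or a mismatch is an explicit deny.
    if not expected or not hmac.compare_digest(token.encode(), expected.encode()):
        return {'isAuthorized': False}
    return {'isAuthorized': True, 'deniedFields': DENIED}
```

Because the list is derived from the schema, a mutation added later is denied as soon as the updated SDL is deployed with the function, rather than staying open until someone remembers to list it.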