sid88in / serverless-appsync-plugin

serverless plugin for appsync
MIT License

Additional authentication providers causing AppSync authorization errors #270

Closed leosoaivan closed 4 years ago

leosoaivan commented 4 years ago

I've run into an issue where having an additional authentication provider is causing authorization errors for all authentication types.

I started with an AMAZON_COGNITO_USER_POOLS setup hooked up to AppSync to call two GraphQL operations, a simple user profile query and an update user profile mutation, both connected to a DynamoDB table.

After provisioning an Identity Pool to federate LinkedIn users and setting an additionalAuthenticationProviders with AWS_IAM, I'm running into a bizarre scenario due to 'unauthorized access':

Not surprisingly, if I only set one authentication type, either COGNITO or AWS_IAM, the respective GraphQL operations work.

I should mention that my team initially started with AWS Amplify, but moved to provisioning a lot of our own resources via Serverless, as the CloudFormation bits of Amplify were really hard to work with.

Any insight would be appreciated.

"devDependencies": {
  "serverless-appsync-plugin": "^1.1.2"
},
"dependencies": {
  "aws-amplify": "^1.1.40",
  "aws-appsync": "^2.0.0",
  "serverless": "^1.50.0"
}

leosoaivan commented 4 years ago

Closing this, as I was able to resolve this by adding schema-level directives to my schema.graphql.

ChaminW commented 4 years ago

@leosoaivan how did you add schema-level directives to schema?

leosoaivan commented 4 years ago

@ChaminW see here: https://docs.aws.amazon.com/appsync/latest/devguide/security.html#using-additional-authorization-modes

krlozadan commented 3 months ago

Just an update on the link. It is now here: https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#using-additional-authorization-modes
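
The schema-level directives referred to in this thread, shown as an added example that is not taken from the issue or from the plugin. It assumes AMAZON_COGNITO_USER_POOLS is the default authorization mode and AWS_IAM is the additional one; all type and field names are hypothetical.

```graphql
# Added example. Assumed setup: default mode AMAZON_COGNITO_USER_POOLS,
# additional mode AWS_IAM. Type and field names are hypothetical.
#
# With additional authorization modes configured, a type or field that
# carries no directive accepts only the API's default mode. Every other
# mode has to be granted explicitly with its AppSync directive.

schema {
  query: Query
  mutation: Mutation
}

type Query {
  # Callable with a user pool JWT and with a SigV4-signed (IAM) request.
  getUserProfile(id: ID!): UserProfile
    @aws_cognito_user_pools
    @aws_iam
}

type Mutation {
  updateUserProfile(input: UpdateUserProfileInput!): UserProfile
    @aws_cognito_user_pools
    @aws_iam
}

# The returned type needs the same modes as the fields that return it.
# If it is left unannotated, IAM callers pass the check on the operation
# but are refused on the fields of the result.
type UserProfile @aws_cognito_user_pools @aws_iam {
  id: ID!
  displayName: String

  # A field-level directive overrides the type-level ones, so this
  # field is readable by user pool callers only.
  email: String @aws_cognito_user_pools
}

input UpdateUserProfileInput {
  id: ID!
  displayName: String
}
```

The older `@aws_auth` directive only works when Cognito user pools is the sole authorization mode, so it should not be mixed into a schema like this one.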