AppSync Unauthorized Error When Called From PreSignUp Lambda Trigger


Hello Everyone,

I'm using AWS Amplify for provisioning resources via the CLI, and CI/CD. I have a presignup lambda trigger and a postconfirmation lambda trigger on my cognito pool. The presignup trigger calls my AppSync GraphQL API to create a User object in Dynamo. The postconfirm trigger makes the same call to update the User's status to confirmed in Dynamo.

I currently have this deployed in my dev environment. The PostConfirm trigger is working perfectly fine, but the PreSignUp trigger is throwing an unauthorized error:

"errors": [
            "path": [
            "data": null,
            "errorType": "Unauthorized",
            "errorInfo": null,
            "locations": [
                    "line": 3,
                    "column": 7,
                    "sourceName": null
            "message": "Not Authorized to access createUser on type Mutation"

This is very strange to me as both Lambdas have access to the same resource: arn:aws:appsync:us-west-2:XXXXXXX:apis/XXXXXXXX/types/Mutation/*

To troubleshoot I set the execution role of the PreSignUp trigger to the same execution role as the PostConfirmation trigger and that worked. This is a temporary fix for dev as I need the PreSignUp trigger to use its respective role set by the Amplify CLI. I've looked at both roles in IAM and cannot see a single difference amongst policies.

1 answer

Hello. Based on the scenario that you have outlined, it seems that you have IAM authorization configured on the User model like

@auth(rules: [{ allow: private, provider: iam }])

In this case, IAM-based @auth rules are scoped down to only work with Amplify-generated IAM roles. To allow-list a custom role (e.g. the PreSignUp Lambda trigger's execution role), you'd need to update the existing or create amplify/backend/api/<your-api-name>/custom-roles.json and include the custom role name. Kindly ensure that you push the changes to the backend once you have updated the custom-roles.json. Please find the reference documentation for the same here.

Having said that, if you are still facing the challenges, please feel free to reach out to us via Support Center with the resources information like schema.graphql, local amplify folder contents, code snippets of Lambda function that are making these requests.

Support Engineer
answered a year ago
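As an added illustration of the allow-listing step described in the answer above (this is not code from the original thread or from Amplify itself), the script below checks whether a given Lambda execution role is listed under "adminRoleNames" in custom-roles.json and, if not, produces the updated file contents. The role names, account id and file contents are constructed placeholders; the "adminRoleNames" key is the one Amplify's custom-roles.json uses.

```python
"""
Added example (not from the original post): check whether a Lambda execution
role is allow-listed in Amplify's custom-roles.json.

Amplify's IAM @auth rules only trust Amplify-generated roles; any other role
must be listed under "adminRoleNames" in
amplify/backend/api/<api-name>/custom-roles.json. Role names and ARNs below
are constructed placeholders, not values from a real project.
"""
import json
import re

# Constructed sample of the file's contents; in a real project this is read
# from amplify/backend/api/<api-name>/custom-roles.json.
SAMPLE_CUSTOM_ROLES = json.dumps({
    "adminRoleNames": ["myapp-PostConfirmation-lambdaRole-dev"]
})

# STS form as returned to a running Lambda by sts:GetCallerIdentity
_STS_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/")
# IAM form as shown in the Lambda console / IAM (optionally with a path)
_IAM_ROLE = re.compile(r"^arn:aws:iam::\d{12}:role/(?:[^/]+/)*([^/]+)$")


def role_name_from_arn(arn: str) -> str:
    """Extract the bare role name from an IAM role ARN or an STS assumed-role ARN."""
    for pattern in (_STS_ASSUMED_ROLE, _IAM_ROLE):
        m = pattern.match(arn)
        if m:
            return m.group(1)
    raise ValueError(f"not a role ARN: {arn}")


def load_admin_role_names(text: str) -> list[str]:
    """Parse custom-roles.json and validate the shape of adminRoleNames."""
    data = json.loads(text)
    names = data.get("adminRoleNames", [])
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError('"adminRoleNames" must be a list of role names')
    return names


def is_allow_listed(role_arn: str, custom_roles_text: str) -> bool:
    """True if the role behind role_arn is granted access by custom-roles.json."""
    return role_name_from_arn(role_arn) in load_admin_role_names(custom_roles_text)


def add_role(custom_roles_text: str, role_arn: str) -> str:
    """Return updated file contents with the role name appended (idempotent).
    An empty or missing file is treated as an empty allow-list."""
    data = json.loads(custom_roles_text) if custom_roles_text.strip() else {}
    names = data.setdefault("adminRoleNames", [])
    name = role_name_from_arn(role_arn)
    if name not in names:
        names.append(name)
    return json.dumps(data, indent=2) + "\n"


if __name__ == "__main__":
    # Constructed ARN of the PreSignUp trigger's execution role.
    pre = ("arn:aws:sts::123456789012:assumed-role/"
           "myapp-PreSignUp-lambdaRole-dev/myapp-PreSignUp")
    print(is_allow_listed(pre, SAMPLE_CUSTOM_ROLES))   # False: matches the Unauthorized error
    print(add_role(SAMPLE_CUSTOM_ROLES, pre))          # contents to write back, then amplify push
```

A role that passes this check can still be rejected if the schema's @auth rule does not include provider iam, or if the updated custom-roles.json has not been pushed; the file only takes effect after the backend is redeployed.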
