AppSync IAM unauthenticated use cases err: "Not Authorized to access getTodo on type Todo"

Hi, I am trying to create an AppSync GraphQL API which can be called by unauthenticated users. I have created a Cognito Identity pool with Unauthenticated access enabled and am using the IAM role. When I try to run the Query with IAM authMode from the AWS AppSync console, I get this error: "Not Authorized to access getTodo on type Todo". This is how my schema looks:

type Query @aws_iam {
	getTodo(id: ID!): Todo
	listTodos(filter: ModelTodoFilterInput, limit: Int, nextToken: String): ModelTodoConnection
}

type Todo @aws_iam {
	id: ID!
	name: String!
	description: String
	createdAt: AWSDateTime!
	updatedAt: AWSDateTime!
}

Query

query MyQuery {
  getTodo(id: "") {
    id
  }
  listTodos {
    nextToken
  }
}

I followed these steps:

  1. amplify init
  2. Added the IAM auth mode with Unauthenticated access enabled by running amplify add auth
  3. Created the todo app API by running amplify add api
  4. Pushed the code by running amplify push
  5. In the AWS AppSync console, ran the Query choosing the IAM AuthMode. I get the error.

1 Answer

Hello chndev, thank you for reaching out! It seems like you’re trying to set up some AppSync queries for unauthenticated users.

Do you think you can share the policy attached to your Unauthenticated users role? The error “Not Authorized” suggests that the role does not have sufficient permissions, but we can find out after taking a closer look at your IAM role permissions.

For a full guide on setting up AppSync for unauthenticated users you could follow these steps:

  1. Set the primary authorization mode for your schema to use IAM:
    1. Under “Default authorization mode”, set API-level to “AWS Identity and Access Management”.
  2. Verify that your Cognito Identity pool with Unauthenticated users enabled has the proper IAM role permissions. For reference, here is the documentation:
    1. https://docs.aws.amazon.com/appsync/latest/devguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
    2. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html#awsappsync-field
  3. Verify the Amplify SDK configuration for your desired purpose.

Since you mentioned using a Cognito user pool, another possibility is to:

  1. Use the Cognito authorization type by following these steps: https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#amazon-cognito-user-pools-authorization
  2. Import your existing identity pool following these steps: https://docs.amplify.aws/cli/auth/import/#import-an-existing-identity-pool

Hint: This guide should help you figure out how to integrate your existing Amazon Cognito user pool and federated identities (identity pool) into an Amplify project via the Amplify Admin UI: https://aws.amazon.com/blogs/mobile/import-existing-amazon-cognito-resources-with-amplify-admin-ui/

answered 9 months ago
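The answer above asks for the policy on the unauthenticated role, because with IAM as the auth mode AppSync authorizes each field against the caller's IAM permissions using a per-field resource ARN. The following is an added example (not from the question, the answer, or Amplify's own generated code) that evaluates a candidate policy document offline, with IAM's explicit-Deny / Allow / implicit-deny ordering, against the fields the posted query selects. The region, account id and API id are placeholders; the three policies are constructed for the example, including the "query-only" one that shows why a policy covering just the root fields still fails on the nested fields of Todo and ModelTodoConnection. Whichever principal actually signs the request is the one whose policy matters: a query run from the AppSync console with IAM auth mode is signed by the console user, not by the identity pool's unauthenticated role, so the role's policy must be checked separately.

```python
# Added example (not from the original question or answer): an offline check of
# which AppSync fields a given IAM policy authorizes, mirroring IAM's
# explicit-Deny / Allow / implicit-deny evaluation for the appsync:GraphQL
# action. AppSync's field-level resource ARN format is
#   arn:aws:appsync:<region>:<account>:apis/<apiId>/types/<Type>/fields/<field>
# Region, account id and API id below are placeholders, not real resources.
import fnmatch

REGION = "us-east-1"
ACCOUNT_ID = "123456789012"          # placeholder account id
API_ID = "abcdefghijklmnopqrstuvwx"  # placeholder AppSync API id
ACTION = "appsync:GraphQL"


def field_arn(type_name, field_name):
    """Resource ARN AppSync evaluates for one field when the auth mode is IAM."""
    return (f"arn:aws:appsync:{REGION}:{ACCOUNT_ID}:apis/{API_ID}"
            f"/types/{type_name}/fields/{field_name}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    # IAM policy wildcards: '*' matches any run of characters (including '/'),
    # '?' matches exactly one. fnmatchcase gives the same semantics here.
    return fnmatch.fnmatchcase(value, pattern)


def is_authorized(policy, action, resource):
    """IAM decision order: explicit Deny wins, otherwise any Allow, else deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_wild(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_fields(policy, fields):
    """Map 'Type.field' -> bool for every (type, field) pair the query touches."""
    return {f"{t}.{f}": is_authorized(policy, ACTION, field_arn(t, f))
            for t, f in fields}


# Fields selected by the query in the question (constructed from the schema in
# the post): the two root fields plus the nested fields the selection set reads.
QUERY_FIELDS = [
    ("Query", "getTodo"), ("Query", "listTodos"),
    ("Todo", "id"), ("ModelTodoConnection", "nextToken"),
]

# Constructed policy that only covers the root Query fields: nested fields are
# still denied, which is the kind of gap that produces "Not Authorized" errors.
QUERY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": [field_arn("Query", "getTodo"), field_arn("Query", "listTodos")],
    }],
}

# Constructed least-privilege policy for an unauthenticated role: read-only root
# fields plus the fields of the types they return, nothing under Mutation.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": [
            field_arn("Query", "getTodo"),
            field_arn("Query", "listTodos"),
            field_arn("Todo", "*"),
            field_arn("ModelTodoConnection", "*"),
        ],
    }],
}

# Constructed broad Allow on every field with an explicit Deny on writes: the
# Deny wins for any Mutation field regardless of the wildcard Allow.
WILDCARD_WITH_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ACTION, "Resource": field_arn("*", "*")},
        {"Effect": "Deny", "Action": ACTION, "Resource": field_arn("Mutation", "*")},
    ],
}

if __name__ == "__main__":
    for name, policy in [("query-only", QUERY_ONLY_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY),
                         ("wildcard+deny", WILDCARD_WITH_DENY_POLICY)]:
        print(name, check_fields(policy, QUERY_FIELDS),
              "Mutation.createTodo:",
              is_authorized(policy, ACTION, field_arn("Mutation", "createTodo")))
```

To use this against a real role, paste the JSON of the policy attached to the identity pool's unauthenticated role in place of one of the constructed policies and fill in the real region, account id and API id. The least-privilege shape is the one to aim for on an unauthenticated role: enumerate the read-only fields the public client needs rather than granting `apis/<apiId>/*`, since anyone on the internet can obtain those credentials from the identity pool.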
