AppSync Unauthorized Error When Called From PreSignUp Lambda Trigger


Hello Everyone,

I'm using AWS Amplify for provisioning resources via the CLI, and CI/CD. I have a presignup lambda trigger and a postconfirmation lambda trigger on my cognito pool. The presignup trigger calls my AppSync GraphQL API to create a User object in Dynamo. The postconfirm trigger makes the same call to update the User's status to confirmed in Dynamo.

I currently have this deployed in my dev environment. The PostConfirm trigger is working perfectly fine, but the PreSignUp trigger is throwing an unauthorized error:

"errors": [
        {
            "path": [
                "createUser"
            ],
            "data": null,
            "errorType": "Unauthorized",
            "errorInfo": null,
            "locations": [
                {
                    "line": 3,
                    "column": 7,
                    "sourceName": null
                }
            ],
            "message": "Not Authorized to access createUser on type Mutation"
        }
    ]

This is very strange to me as both Lambdas have access to the same resource: arn:aws:appsync:us-west-2:XXXXXXX:apis/XXXXXXXX/types/Mutation/*

To troubleshoot I set the execution role of the PreSignUp trigger to the same execution role as the PostConfirmation trigger and that worked. This is a temporary fix for dev as I need the PreSignUp trigger to use its respective role set by the Amplify CLI. I've looked at both roles in IAM and cannot see a single difference amongst policies.

1 Answer

Hello. Based on the scenario that you have outlined, it seems that you have IAM authorization configured on the User model like

@auth(rules: [{ allow: private, provider: iam }])

In this case, IAM-based @auth rules are scoped down to only work with Amplify-generated IAM roles. To allow-list a custom role (e.g. the PreSignUp Lambda trigger's execution role), you'd need to update the existing file or create amplify/backend/api/<your-api-name>/custom-roles.json and include the custom role name. Kindly ensure that you push the changes to the backend once you have updated the custom-roles.json. Please find the reference documentation for the same here.

Having said that, if you are still facing the challenges, please feel free to reach out to us via Support Center with resource information such as schema.graphql, local amplify folder contents, and code snippets of the Lambda function that is making these requests.

AWS
SUPPORT ENGINEER
answered a year ago
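The custom-roles.json file the answer refers to, as an added example that is not from the question or the answer: it lists, under the adminRoleNames key that the Amplify CLI reads, the names (not ARNs) of IAM roles that should be allowed through IAM-based @auth rules. The role name below is a placeholder; substitute the actual execution role name of the PreSignUp trigger as shown in the IAM console.

```json
{
  "adminRoleNames": [
    "PLACEHOLDER-presignup-lambda-execution-role-name"
  ]
}
```

After saving this at amplify/backend/api/<your-api-name>/custom-roles.json, run amplify push so the resolvers are regenerated with the role allow-listed; until then the mutation keeps returning "Not Authorized to access createUser on type Mutation" for that role.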
