Field level access control in schema
The documentation suggests that it's possible to restrict access at granular field level within a schema: https://docs.aws.amazon.com/appsync/latest/devguide/security.html#using-additional-authorization-modes, with an example given as

type Post @aws_api_key @aws_iam {
  id: ID!
  author: String
  title: String
  content: String
  url: String
  ups: Int!
  downs: Int!
  version: Int!
  restrictedContent: String!
    @aws_iam
}
Based on this example it should be possible to implement restrictions on the email and phone fields in a user table, like below:

type Users @aws_auth(cognito_groups: ["Admin", "Everyone"]) {
  userid: String!
  firstname: String
  lastname: String
  email: AWSEmail
    @aws_auth(cognito_groups: ["Admin"])
  phone: AWSPhone
    @aws_auth(cognito_groups: ["Admin"])
  public: Boolean
  access: String
}

However, this doesn't actually seem to work, as all fields are returned regardless of group membership. Am I reading the docs correctly, or is something misconfigured?
Hi,
I think your issue is that you're applying the "Admin" group both on the type and on the field. Have you set up multi auth on your API? If so, can you try changing @aws_auth usages to this:

@aws_cognito_user_pools(cognito_groups: ["Admin"])

It looks like you're trying to use the wrong Cognito directive to fulfill a multi auth use case. The one you're using was created before the implementation of multi auth, and it only works for top level fields.
Thanks,
Jeff
Thanks!
As you thought, the issue was with the auth directive. Changing to

@aws_cognito_user_pools(cognito_groups: ["Admin"])

works perfectly:

type Users @aws_cognito_user_pools(cognito_groups: ["Everyone", "Admin"]) {
  userid: String!
  firstname: String
  lastname: String
  email: AWSEmail
    @aws_cognito_user_pools(cognito_groups: ["Admin"])
  phone: AWSPhone
    @aws_cognito_user_pools(cognito_groups: ["Admin"])
  public: Boolean
  access: String
}
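The mistake in this thread (the pre-multi-auth @aws_auth directive silently not restricting nested fields) is easy to reintroduce in a schema review, so here is an added example of a small stdlib-only schema lint. It is not code from the thread or from AWS; the regex-based SDL reader, the sample schemas, and the function names are assumptions of this example. It flags @aws_auth used anywhere other than a Query/Mutation/Subscription field and reports which Cognito groups a field ends up restricted to, reading a field-level @aws_cognito_user_pools directive as overriding the type-level one, which is the behaviour the accepted answer above observed.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the non-working schema from the question and the
# corrected schema from the accepted answer.
SCHEMA_BEFORE = """
type Users @aws_auth(cognito_groups: ["Admin", "Everyone"]) {
  userid: String!
  firstname: String
  lastname: String
  email: AWSEmail @aws_auth(cognito_groups: ["Admin"])
  phone: AWSPhone @aws_auth(cognito_groups: ["Admin"])
  public: Boolean
  access: String
}
"""

SCHEMA_AFTER = """
type Users @aws_cognito_user_pools(cognito_groups: ["Everyone", "Admin"]) {
  userid: String!
  firstname: String
  lastname: String
  email: AWSEmail
    @aws_cognito_user_pools(cognito_groups: ["Admin"])
  phone: AWSPhone
    @aws_cognito_user_pools(cognito_groups: ["Admin"])
  public: Boolean
  access: String
}
"""

# Minimal SDL patterns (assumption: enough for object types with scalar/list
# fields and the AppSync auth directives; not a full GraphQL parser).
TYPE_RE = re.compile(r"type\s+(\w+)\s*([^{]*)\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\[?\w+!?\]?!?)\s*((?:@\w+(?:\([^)]*\))?\s*)*)")
DIRECTIVE_RE = re.compile(r"@(\w+)(?:\(([^)]*)\))?")
GROUPS_RE = re.compile(r"cognito_groups\s*:\s*\[([^\]]*)\]")

# Operation types whose fields are the "top level fields" @aws_auth was built for.
TOP_LEVEL_TYPES = {"Query", "Mutation", "Subscription"}

Directive = Tuple[str, List[str]]  # (directive name, cognito groups)


def _parse_directive(m: "re.Match") -> Directive:
    """Turn one @directive(...) match into (name, [groups])."""
    args = m.group(2) or ""
    g = GROUPS_RE.search(args)
    groups = [x.strip().strip('"') for x in g.group(1).split(",") if x.strip()] if g else []
    return (m.group(1), groups)


def parse_schema(sdl: str) -> Dict[str, dict]:
    """Return {type: {"directives": [...], "fields": {field: [directives]}}}."""
    types: Dict[str, dict] = {}
    for tm in TYPE_RE.finditer(sdl):
        name, header, body = tm.group(1), tm.group(2), tm.group(3)
        type_dirs = [_parse_directive(d) for d in DIRECTIVE_RE.finditer(header)]
        fields = {}
        for fm in FIELD_RE.finditer(body):
            # group(3) holds the directives that follow the field's type,
            # whether on the same line or on the next one.
            fields[fm.group(1)] = [_parse_directive(d) for d in DIRECTIVE_RE.finditer(fm.group(3))]
        types[name] = {"directives": type_dirs, "fields": fields}
    return types


def lint_field_auth(sdl: str) -> List[str]:
    """Flag @aws_auth on object types or nested fields, where it is not enforced under multi auth."""
    findings: List[str] = []
    for tname, t in parse_schema(sdl).items():
        if tname in TOP_LEVEL_TYPES:
            continue
        if any(d == "aws_auth" for d, _ in t["directives"]):
            findings.append(f"{tname}: @aws_auth on an object type; use @aws_cognito_user_pools")
        for fname, dirs in t["fields"].items():
            if any(d == "aws_auth" for d, _ in dirs):
                findings.append(f"{tname}.{fname}: @aws_auth on a nested field is not enforced; use @aws_cognito_user_pools")
    return findings


def effective_groups(sdl: str, type_name: str, field_name: str) -> List[str]:
    """Groups allowed to read a field: the field's own @aws_cognito_user_pools groups, else the type's."""
    t = parse_schema(sdl)[type_name]
    for dname, groups in t["fields"][field_name]:
        if dname == "aws_cognito_user_pools" and groups:
            return groups
    for dname, groups in t["directives"]:
        if dname == "aws_cognito_user_pools" and groups:
            return groups
    return []  # no Cognito group restriction recorded for this field


if __name__ == "__main__":
    for label, sdl in (("before", SCHEMA_BEFORE), ("after", SCHEMA_AFTER)):
        print(label, lint_field_auth(sdl) or "OK")
    print("Users.email readable by:", effective_groups(SCHEMA_AFTER, "Users", "email"))
```

Running the lint over the question's schema reports the type and both restricted fields; the accepted answer's schema passes cleanly, and the email and phone fields resolve to the Admin group only while the remaining fields inherit Everyone and Admin from the type. A check like this belongs in CI next to the schema file, since a successful deployment gives no signal that a directive was ignored.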