By using AWS re:Post, you agree to the Terms of Use
/Field level access control in schema/

Field level access control in schema

0

The documentation suggests that its possible to restrict access at granular field level within a schema: https://docs.aws.amazon.com/appsync/latest/devguide/security.html#using-additional-authorization-modes with an example given as

type Post @aws_api_key @aws_iam{
   id: ID!
   author: String
   title: String
   content: String
   url: String
   ups: Int!
   downs: Int!
   version: Int!
   restrictedContent: String!
   @aws_iam
}

Based on this example it should be possible to implement restrictions on the email and phone fields in a user table like below

type Users @aws_auth(cognito_groups: ["Admin", "Everyone"]){
	userid: String!
	firstname: String
	lastname: String
	email: AWSEmail
		@aws_auth(cognito_groups: ["Admin"])
	phone: AWSPhone
		@aws_auth(cognito_groups: ["Admin"])
	public: Boolean
	access: String
}

However, this doesn't actually seem to work as all fields are returned regardless of group membership. Am I reading the docs correctly or is something mis-configured?

2 Answers
0

Hi,

I think your issue is that you're applying the "Admin" group both on the type and on the field. Have you set up multi auth on your API? If so, can you try changing @aws_auth usages to this:

    @aws_cognito_user_pools(cognito_groups:\["Admin"])  

? It looks like you're trying to use the wrong Cognito directive to fulfill a multi auth use case. The one you're using was created before the implementation of multi auth, and it only works for top level fields.

Thanks,
Jeff

answered 3 years ago
0

Thanks!

As you thought, the issue was with the auth directive. Changing to @aws_cognito_user_pools(cognito_groups: ["Admin"]) works perfectly

type Users @aws_cognito_user_pools(cognito_groups: ["Everyone", "Admin"]){
	userid: String!
	firstname: String
	lastname: String
	email: AWSEmail
		@aws_cognito_user_pools(cognito_groups: ["Admin"])
	phone: AWSPhone
		@aws_cognito_user_pools(cognito_groups: ["Admin"])
	public: Boolean
	access: String
}
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions