AppSync Unauthorized Error When Called From PreSignUp Lambda Trigger

0

Hello Everyone,

I'm using AWS Amplify for provisioning resources via the CLI, and CI/CD. I have a presignup lambda trigger and a postconfirmation lambda trigger on my cognito pool. The presignup trigger calls my AppSync GraphQL API to create a User object in Dynamo. The postconfirm trigger makes the same call to update the User's status to confirmed in Dynamo.

I currently have this deployed in my dev environment. The PostConfirm trigger is working perfectly fine, but the PreSignUp trigger is throwing an unauthorized error:

"errors": [
        {
            "path": [
                "createUser"
            ],
            "data": null,
            "errorType": "Unauthorized",
            "errorInfo": null,
            "locations": [
                {
                    "line": 3,
                    "column": 7,
                    "sourceName": null
                }
            ],
            "message": "Not Authorized to access createUser on type Mutation"
        }
    ]

This is very strange to me as both Lambdas have access to the same resource: arn:aws:appsync:us-west-2:XXXXXXX:apis/XXXXXXXX/types/Mutation/*

To troubleshoot I set the execution role of the PreSignUp trigger to the same execution role as the PostConfirmation trigger and that worked. This is a temporary fix for dev as I need the PreSignUp trigger to use its respective role set by the Amplify CLI. I've looked at both roles in IAM and cannot see a single difference amongst policies.

1 answer
0

Hello. Based on the scenario that you have outlined, it seems that you have IAM authorization configured on the User model like:

@auth(rules: [{ allow: private, provider: iam }])

In this case, IAM-based @auth rules are scoped down to only work with Amplify-generated IAM roles. To allow-list a custom role (e.g. the PreSignUp Lambda trigger's execution role), you'd need to update the existing amplify/backend/api/<your-api-name>/custom-roles.json, or create it, and include the custom role name. Kindly ensure that you push the changes to the backend once you have updated the custom-roles.json. Please find the reference documentation for the same here.

Having said that, if you are still facing challenges, please feel free to reach out to us via Support Center with resource information such as schema.graphql, local amplify folder contents, and code snippets of the Lambda functions that are making these requests.

AWS
Support Engineer
answered 1 year ago
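As an added illustration (not part of the answer above or of the asker's project), the custom-roles.json file the answer refers to takes a single adminRoleNames array; the API directory name and the role name below are placeholders, and the role name is the name (not the ARN) of the execution role the Amplify CLI assigned to the PreSignUp function:

```json
{
  "_comment": "Path: amplify/backend/api/<your-api-name>/custom-roles.json (placeholder path). Each entry is an IAM role *name* that Amplify-generated resolvers will accept for IAM-authorized @auth rules.",
  "adminRoleNames": [
    "<PRESIGNUP_LAMBDA_EXECUTION_ROLE_NAME>"
  ]
}
```

Remove the "_comment" key before committing if you prefer a minimal file; after saving it, run amplify push so the regenerated resolvers include the role.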
