Amplify-cli: Policy statement must contain resources after upgrade to 3.2 and add @auth

Created on 13 Sep 2019 · 9Comments · Source: aws-amplify/amplify-cli

Upgraded from 3.0 to 3.2
Push failed (defaultAuthorization not set)
Ran update api
Push succeeds
Added @auth(rules:[{allow:public, provider:iam, operations:[read]}])
Push fails with:

Resource Name: theme-Unau-ES6W4PH9WDDZ (AWS::IAM::Policy)
Event Type: create
Reason: Policy statement must contain resources. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 0dbcd5ff-d5ca-11e9-93c6-3da30b79754d)

Removed aim from above to @auth(rules:[{allow:public, operations:[read]}])
Push succeeds...but is not what I need...

bug graphql-transformer

Source

GeorgeBellTMH

👍1

All 9 comments

Could you please share your Schema?

kaustavghosh06 on 13 Sep 2019

type LocationGPS{
longitude: Float
latitude: Float
address: String
}
type Location
@model
@auth(rules:[{allow:public, provider:iam, operations:[read]}])

{
id: String
url: String
site_name: String
directions:String
welcome: String
welcome_img: String
welcome_vid_youtube: String
phone: String
email: String
instagram: String
twitter: String
facebook: String
location: LocationGPS
visible: Boolean
}

GeorgeBellTMH on 13 Sep 2019

@GeorgeBellTMH I was able to successfully push the following schema that you'd provided with v3.2:

type LocationGPS{
longitude: Float
latitude: Float
address: String
}
type Location
@model
@auth(rules:[{allow:public, provider:iam, operations:[read]}])

{
id: String
url: String
site_name: String
directions:String
welcome: String
welcome_img: String
welcome_vid_youtube: String
phone: String
email: String
instagram: String
twitter: String
facebook: String
location: LocationGPS
visible: Boolean
}

Is there something else that I'm missing out here?

kaustavghosh06 on 13 Sep 2019

I imagine it is something to do with upgrading from 3.0 to 3.2?

GeorgeBellTMH on 13 Sep 2019

I have IAM as defaultAuth and have added the apiKey...also I have a custom resolver in the Schema

type Query {
getYoutubePlaylistItems(playlistId: String): YoutubePlaylistItems!
} .... and then the YoutubeSchema...

GeorgeBellTMH on 13 Sep 2019

I run into same error. I upgrade v3.0 to v3.2 too

bokuweb on 13 Sep 2019

@GeorgeBellTMH @bokuweb Yes, I was able to reproduce this issue when moving from 3.0 -> 3.2 with my existing API - didn't encounter this when creating a new one.
The issue is tied to the resource list being empty in the following Cloudformation resource:

 "UnauthRolePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "appsync-unauthrole-policy",
                "Roles": [
                    {
                        "Ref": "unauthRoleName"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "appsync:GraphQL"
                            ],
                            "Resource": []
                        }
                    ]
                }
            }
        }

We're looking into this.

kaustavghosh06 on 13 Sep 2019

👍1

To workaround this, you can choose API Key as the default auth mode and then choose IAM as the additional auth mode by going through amplify update api.
That should make your amplify push succeed. Just verified this. Please give it a try and let me know if it unblocks you.

kaustavghosh06 on 13 Sep 2019

Verified that the above works.

GeorgeBellTMH on 13 Sep 2019

👍1

Was this page helpful?

0 / 5 - 0 ratings