Amplify-cli: multi @auth authorization Error (iam and groups)

Created on 13 Sep 2019 · 5 Comments · Source: aws-amplify/amplify-cli

I wrote schema.graphql like this:

type Secret
  @model
  @auth(
    rules: [
      { allow: private, provider: iam, operations: [read] },
      { allow: groups, groups: ["Admin"] }
    ]
  ) {
  id: ID!
  secret: String!
}

Then, I can do listSecret from a Lambda function that is authorized by IAM.
But I can't do listSecret from a Cognito User (an "Unauthorized" error occurred).

This GraphQL schema should be:

  • IAM : read
  • Cognito User (group : Admin) : create, read, update, delete

But there is no authority for the Cognito User.

I'm waiting for your great support.

Labels: bug, graphql-transformer, pending-release

All 5 comments

I think I'm running into either the same or a similar issue. Here is my info for reference, I hope this helps in solving the issue:

My base schema:

type Post @model
  @auth (
      rules: [
          { allow: groups, groups: ["Admin"] },
          { allow: public }
      ]
  ) {
  id: ID!
  title: String!
  content: String!
}

The generated GraphQL mutations look like this:

createPost(input: CreatePostInput!): Post
  @aws_api_key
updatePost(input: UpdatePostInput!): Post
  @aws_api_key
  @aws_cognito_user_pools
deletePost(input: DeletePostInput!): Post
  @aws_api_key
  @aws_cognito_user_pools

It seems that the createPost mutation is missing the @aws_cognito_user_pools directive.

Also, when running the listPosts query I am getting "Not Authorized to access listPosts on type Query" while signed in using Amazon Cognito User Pools as Admin, whereas this query should work.

Here is the generated schema for the queries:

getPost(id: ID!): Post
  @aws_api_key
listPosts(filter: ModelPostFilterInput, limit: Int, nextToken: String): ModelPostConnection
  @aws_api_key

Here is the generated schema for the connection for listPosts:

type ModelPostConnection @aws_api_key {
  items: [Post]
  nextToken: String
}

Here is the generated schema for the subscriptions:

onCreatePost: Post
  @aws_subscribe(mutations: ["createPost"])
  @aws_api_key
onUpdatePost: Post
  @aws_subscribe(mutations: ["updatePost"])
  @aws_api_key
onDeletePost: Post
  @aws_subscribe(mutations: ["deletePost"])
  @aws_api_key

__Conclusion__: It seems that the missing @aws_cognito_user_pools on some of the operations is the issue. Once I manually add this everything works.
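
A small check in the spirit of the conclusion above, added here and not part of the original thread or the Amplify project: it parses the generated SDL quoted in the comment (embedded below as a constructed sample) and reports every operation that lacks one of the providers the @auth rules call for. The expected set follows the comment's own reading that both the Admin group (Cognito User Pools) and public (API key) access should appear on every Post operation; the operation and directive regexes are assumptions about the generated layout, not Amplify APIs.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the generated mutation and query SDL quoted in the
# comment above, where createPost, getPost and listPosts carry only @aws_api_key.
GENERATED_SDL = """
createPost(input: CreatePostInput!): Post
  @aws_api_key
updatePost(input: UpdatePostInput!): Post
  @aws_api_key
  @aws_cognito_user_pools
deletePost(input: DeletePostInput!): Post
  @aws_api_key
  @aws_cognito_user_pools
getPost(id: ID!): Post
  @aws_api_key
listPosts(filter: ModelPostFilterInput, limit: Int, nextToken: String): ModelPostConnection
  @aws_api_key
"""

# Providers every Post operation should carry given the schema's @auth rules:
# {allow: groups} -> Cognito User Pools, {allow: public} -> API key.
EXPECTED: Set[str] = {"aws_api_key", "aws_cognito_user_pools"}

FIELD_RE = re.compile(r"^(\w+)\s*\(")     # an operation definition line (assumed layout)
DIRECTIVE_RE = re.compile(r"@(aws_\w+)")  # AppSync @aws_* directives


def parse_directives(sdl: str) -> Dict[str, Set[str]]:
    """Map each operation name to the set of @aws_* directives attached to it."""
    ops: Dict[str, Set[str]] = {}
    current = None
    for line in sdl.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            ops.setdefault(current, set())
        if current is not None:  # directives may follow on continuation lines
            ops[current].update(DIRECTIVE_RE.findall(line))
    return ops


def missing_providers(sdl: str, expected: Set[str] = EXPECTED) -> Dict[str, List[str]]:
    """Return the operations whose generated directives lack an expected provider."""
    return {op: sorted(expected - have)
            for op, have in parse_directives(sdl).items() if expected - have}


if __name__ == "__main__":
    for op, gaps in missing_providers(GENERATED_SDL).items():
        print(f"{op}: missing {', '.join('@' + g for g in gaps)}")
```

Run it against the build output before deploying; any operation it lists is one a Cognito user will get "Not Authorized" on even though the @auth rule grants access.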

I find that in my case, I have to write it like this:

type Secret
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["Admin"] },
      { allow: private },
      { allow: private, provider: iam, operations: [read] }
    ]
  ) {
  id: ID!
  secret: String!
}

This GraphQL schema's authority is:

  • Cognito User (group : Admin) : create, read, update, delete
  • Cognito User : None
  • IAM : read

and another example:

type Secret
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["Admin"], operations: [create, update, delete] },
      { allow: private },
      { allow: private, provider: iam, operations: [read] }
    ]
  ) {
  id: ID!
  secret: String!
}

this GraphQL auth is:

  • Cognito User (group : Admin) : create, read, update, delete
  • Cognito User : read
  • IAM : read

In my case, the problem has been resolved.

And if you can, could you please make the official documents clearer?

Thank you.

We've already had a PR merged for this
https://github.com/aws-amplify/amplify-cli/pull/2305
and it's pending release.

We released a new version of the CLI, v3.8.0, with a fix for this.

Thanks @kaustavghosh06 !!
