* Which Category is your question related to? *
API/Auth/Appsync
* What AWS Services are you utilizing? *
Appsync/Auth
* Provide additional details e.g. code snippets *
I'm building a product catalog.
I've set up my project to utilize IAM roles and have used @auth in conjunction with the Authorization Mode private/public and the iam provider to control access. However, I cannot see a way through using these directives to accomplish the above.
What is the appropriate method for handling this use case with Amplify?
I thought something like the below would work:
type Product @model @auth(rules: [
  { allow: public, provider: iam, operations: [read] },
  { allow: private, groups: ["Admin"] }
]) {
  id: ID!
  title: String!
}
However it throws the following error: @auth directive with 'userPools' provider found, but the project has no Cognito User Pools authentication provider configured.
Following up, I believe I have sorted through this issue.
I've ensured my API uses both Cognito User Pools and IAM for authentication using the CLI. And verified within the console.
With the aws-exports.js configured to use Cognito User Pools as default:
"aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",
I've updated my @auth transformer in my schema:
type CategoryGroup @model @auth(rules: [{ allow: public, provider: iam, operations: [read] }, { allow: groups, groups: ["Admin"] }]) {
  id: ID!
  title: String!
  description: String
  path: String!
  categories: [CategoryItem!]
  rank: Int!
}
type CategoryItem @aws_iam @aws_cognito_user_pools {
  id: String!
  title: String!
  path: String!
  rank: Int!
}
My assumption is that "Multi-Auth" would allow me to use either Cognito User Pools or IAM to send requests and have it respond appropriately. This doesn't work. It always defaults to the method specified by aws_appsync_authenticationType. And as such, my requests never use IAM, unless I switch the aws_appsync_authenticationType to AWS_IAM and then the User Pool ones do not work.
However, after digging around and ending up in a totally different area of the AWS Appsync Multi-Auth it appears you can tell which authentication method to use when making a GraphQL request:
const { data } = await API.graphql({ query: queries.listCategoryGroups, variables: {}, authMode: "AWS_IAM" });
This looks to enforce using IAM for the query, so that Multi-Auth works! Omitting authMode will let this query use Cognito User Pools (and groups!) effectively accomplishing my use-case. Albeit I'll need to add some checks on the front-end to determine if I need to use IAM or Cognito.
Additionally on my nested object, the IAM queries would fail to return back the nested CategoryItem giving an unauthorized error. This was strange since the request worked, except part of it didn't. To mitigate this issue, I applied the @aws_iam @aws_cognito_user_pools to my CategoryItem referenced from the AppSync Docs docs and now that data returns as expected.
Alternatively, there is a secondary AWS AppSync Multi-Auth 2 section of the docs which go over using an alternatively configured AppSync client to use. However, this appears intended more for SDK when directly configuring a client, and I don't really want to restructure my App at this point to leverage this. But, could be useful.
Hopefully a couple of these gotchas and my solutions will help someone out.
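Added example (not part of the original posts and not Amplify's own code): one way to write the front-end check mentioned above, choosing authMode per request from the sign-in state. The helper names resolveAuthMode and graphqlWithAuth are hypothetical, and Auth and API are passed in as parameters (in an app they would be the objects imported from aws-amplify).

```javascript
// Added sketch: pick the AppSync auth mode per request instead of relying on
// the single default in aws_appsync_authenticationType.
// resolveAuthMode / graphqlWithAuth are hypothetical helper names.

const USER_POOLS = "AMAZON_COGNITO_USER_POOLS";
const IAM = "AWS_IAM";

// Signed-in users send their User Pools token (so group rules such as "Admin"
// apply); everyone else signs the request with the identity pool's unauth role.
async function resolveAuthMode(Auth) {
  try {
    // Rejects when nobody is signed in.
    await Auth.currentAuthenticatedUser();
    return USER_POOLS;
  } catch (err) {
    // Guest path: requires an IAM provider on the API and an identity pool
    // that allows unauthenticated identities.
    return IAM;
  }
}

// Run a GraphQL operation with the mode that matches the current session.
// The choice only decides which credentials are attached; AppSync still
// enforces the @auth rules, so a guest calling an Admin-only mutation is
// rejected server-side.
async function graphqlWithAuth({ Auth, API }, query, variables = {}) {
  const authMode = await resolveAuthMode(Auth);
  const result = await API.graphql({ query, variables, authMode });
  return { authMode, data: result.data };
}
```

With the schema above, a call such as graphqlWithAuth({ Auth, API }, queries.listCategoryGroups) sends guests down the IAM read rule and signed-in users down the User Pools rules.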
I have a similar issue, I got:
@auth directive with 'iam' provider found, but the project has no IAM authentication provider configured.
In my case I already have a Cognito user pool as auth provider, how did you ensure that the API uses both Cognito User Pools and IAM for authentication using the CLI?
thanks
ok, my bad, was actually quite easy, just do :
amplify update api
and add an auth provider, in my case was IAM
I just want to allow any user even those not signed in to create Feedback in my database
having serious annoying time figuring this one out @ericclemmons please reopen and fix docs
our user pool allows unauthenticated identities ... i cannot run amplify push with a public auth directive because the auth "doesn't have api key" or "iam" providers... and "amplify auth update" doesn't let me add them ... how do you add a public graphql type to your schema ...
also, api keys expire ...
how do you use @auth public?
@bionicles AppSync allows multiple authorization types and you can now configure the authorization types for your AppSync API with the help of the latest version of the Amplify CLI.
You can go through the amplify update api to add these additional authorization types.
For public access, you can use API-Key or IAM.
With API-Key, you can have a key expiry TTL set to a max of 365 days using the CLI and have a Lambda to auto-rotate it periodically.
With the IAM provider, the CLI will set the appropriate policies to the unauth and auth roles (tied to the Cognito Identity Pool) based on the rule: public or private, you set as a part of the @auth directive for your model.
Using both the above mentioned methods your Guest users would be able to create feedback in your database.
You can read more about the public authorization types out here - https://aws-amplify.github.io/docs/cli-toolchain/graphql#public-authorization
Thank you @kaustavghosh06 for clarification. It really helps. Let me ask one more question. In this example from docs
type Post @model @auth(rules: [{allow: private, provider: iam}]) {
  id: ID!
  title: String!
}
This part provider: iam is there just to show how to override the default auth method, correct? So for instance, if my default auth method is "Amazon Cognito User Pool" and I do not want to override it I can just leave that part out? Something like the following:
type Post @model @auth(rules: [{allow: private}]) {
  id: ID!
  title: String!
}
Keep getting this error even though I have set up User pool and iam with amplify update auth when I amplify codegen models:
InvalidDirectiveError: @auth directive with 'iam' provider found, but the project has no IAM authentication provider configured.
Also a previous version of the cli generated owner fields for @model Buylink, latest cli doesn't - go figure!!
schema.graphql:
type Video @model {
  id: ID!
  video: String!
  links: [BuyLink] @connection(keyName: "buyLinks", fields: ["id"])
}
type BuyLink @model( subscriptions: { level: public }), @auth (rules: [
  {allow: owner, ownerField: "owner", operations: [create, update, delete, read]},
  {allow: private, provider: iam, operations: [read]}]),
  @key(name: "buyLinks", fields: ["videoId", "link", "second"]) {
  id: ID!
  videoId: ID!
  link: String!
  second: Int!
  votes: [Vote] @connection(keyName: "votes", fields: ["id"])
  show: Boolean!
}
type Vote @model
  @key(name: "votes", fields: ["BuyLinkId", "vote"]) {
  id: ID!
  BuyLinkId: ID!
  vote: Int!
}
I fixed the InvalidDirectiveError error and have pushed the above schema but there are no owner fields generated in the appsync schema. When I used a previous version of amplify cli owner fields were generated, now with latest cli there are none. Am I missing something here?
@tomrum I can confirm that I have observed similar behavior (I am using API Key for public auth and Cognito User Pools for group auth) and been receiving
@auth directive with 'userPools' provider found, but the project has no Cognito User Pools authentication provider configured. if I set default auth to API Key and add User Pools as an additional auth type with amplify update api
And
@auth directive with 'apiKey' provider found, but the project has no API Key authentication provider configured. if I set default auth to User Pools and add API Key as an additional auth type.
Could you share how you were able to resolve InvalidDirectiveError in your case please?
I'm guessing even I will hit the problem with owner fields once this was resolved.
Sorry I have been away for a few days and have forgotten. Will try to remember. It may have been that I didn't accept defaults for some of the names the cli generates.
Guys, please give an advice:
question: how it is possible to delete it?
thanks!
[EDIT]
I did not realize that the list of options for adding another auth type is a multi-select list and was not selecting API Key as an additional auth by pressing the spacebar. I'd hit Enter assuming that it was meant to select only one option at a time, which resulted in not selecting any options from the list. My bad. I was able to add both API Key and User Pools. Will check for the problem with owner field shortly.
@mavenik AH! thank you! That was my issue as well, I did not realise the second step of auth selection was a list where pressing enter would end up with _no selection_, and spacebar is required. That was doing my head in!
I think that's quite confusing and should be changed because on the first auth selection step enter = select, but on the second enter = cancel. A simple "You have selected no options. Are you sure? Y/n" prompt in these lists would be a big improvement I think. Or an option at the end of the list to not select anything, or enter = selection and q = quit in lists.
I have amplify push issue now.
An error occured during the push operation: ENOENT: no such file or directory, open ...\team-provider-info.json'
How can I fix it?
@springer12 There should be an amplify/team-provider-info.json file in your project. Did it get removed by accident?
I am also experiencing the same issue, not sure why it got closed. My versions are:
"@aws-amplify/api": "^3.1.12",
"aws-amplify": "^3.0.13",
"aws-amplify-angular": "^5.0.13",
In fact, everything worked with previous versions, but as soon as I did the upgrade I got the bug described above. The previous versions, which did not have this bug, FYI, were:
"@aws-amplify/api": "^3.1.10",
"aws-amplify": "^3.0.11",
"aws-amplify-angular": "^5.0.11",
Just tried previous versions again (.10 / *.11) and: no bug. Upgrading to (.12 / *.13) produces the above-described bug again.
@Weetbix Thank you very much! I had the same error for two days! I don't understand, that i must pressed "space" for select, i everytime pressed enter))
I also had the same issue as @Weetbix, @worteepz and @mavenik 🙈. I spent hours on this
ok, my bad, was actually quite easy, just do :
amplify update api
and add an auth provider, in my case was IAM
Thanks so much!!!!!!!!!