Amplify-cli: Allow public IAM @auth on `@function` outside of `@model`

Created on 11 Nov 2019 · 6 Comments · Source: aws-amplify/amplify-cli

Describe the bug
Allow public IAM @auth on @function outside of @model

Amplify CLI Version
3.17.0

To Reproduce

  • Use IAM as default auth provider for GraphQL
  • Attempt to make a @function public outside of a @model, e.g.

        type Query {
          getStripeClientSecret: String
            @function(name: "foo-${env}")
            @auth(rules: [{ allow: public, provider: iam }])
        }

  • Try to query:

        query {
          getStripeClientSecret
        }

Gives error:

    {
      "data": {
        "getStripeClientSecret": null
      },
      "errors": [
        {
          "path": [
            "getStripeClientSecret"
          ],
          "data": null,
          "errorType": "Unauthorized",
          "errorInfo": null,
          "locations": [
            {
              "line": 2,
              "column": 3,
              "sourceName": null
            }
          ],
          "message": "Not Authorized to access getStripeClientSecret on type Query"
        }
      ]
    }

If I edit the resolver, I see this stanza:

    ## [Start] Throw if unauthorized **
    #if( !($getStripeClientSecret_isStaticGroupAuthorized == true || $isDynamicGroupAuthorized == true || $isOwnerAuthorized == true) )
      $util.unauthorized()
    #end
    ## [End] Throw if unauthorized **

Commenting out $util.unauthorized() causes the query to succeed.

Expected behavior
Query succeeds.

Additional context

  • I have been using API_KEY during development, but now want to lock down access to my API (I'm a week away from launch).
  • An unrelated Amplify CLI bug is preventing me from switching to Cognito (#2076) - that bug hasn't moved since August so I'm trying to find a way to get unblocked in time for launch (hence IAM)
Labels: @auth, bug, graphql-transformer

All 6 comments

@patspam, https://github.com/aws-amplify/amplify-cli/pull/2607 enabled this scenario, but it seems to lack the support for multiple authorization types, we'll take a look, thanks for reporting!

I may be mistaken, but could you add to your API's CustomResources.json like so:

    "Parameters": {
        "authRoleName": {
            "Type": "String"
        },
        "unauthRoleName": {
            "Type": "String"
        },
        ....
    },
    ....
    "Resources": {
        "AuthRolePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "appsync-authrole-policy-custom",
                "Roles": [
                    {
                        "Ref": "authRoleName"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": ["appsync:GraphQL"],
                            "Resource": [
                                {
                                    "Fn::Sub": [
                                        "arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${apiId}/types/${typeName}/fields/${fieldName}",
                                        {
                                            "apiId": {
                                                "Ref": "AppSyncApiId"
                                            },
                                            "typeName": "Query",
                                            "fieldName": "getStripeClientSecret"
                                        }
                                    ]
                                },
    ...

and

    "Resources": {
        "UnauthRolePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "appsync-unauthrole-policy-custom",
                "Roles": [
                    {
                        "Ref": "unauthRoleName"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": ["appsync:GraphQL"],
                            "Resource": [
                                {
                                    "Fn::Sub": [
                                        "arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${apiId}/types/${typeName}/fields/${fieldName}",
                                        {
                                            "apiId": {
                                                "Ref": "AppSyncApiId"
                                            },
                                            "typeName": "Query",
                                            "fieldName": "getStripeClientSecret"
                                        }
                                    ]
                                },
    ...
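The workaround sketched in the comment above, in generator form. This is an added example, not code from the issue thread or from the Amplify CLI: it emits the two AWS::IAM::Policy resources for the Cognito Identity Pool auth and unauth roles, one field-level AppSync ARN per exposed field, and then audits the result for statements that would grant the roles more than the listed fields (a wildcard under `apis/${apiId}/`, or a Mutation handed to the unauth role). The policy names, the `authRoleName`/`unauthRoleName`/`AppSyncApiId` parameters and the field ARN form are taken from the comment; the `FIELDS` list, the function names and the audit rules are assumptions made here for illustration.

```python
"""Build and audit field-scoped appsync:GraphQL grants for an Amplify API.

Added example, not code from the issue or from the Amplify CLI. It generates
the AuthRolePolicy / UnauthRolePolicy resources sketched in the comment
above, one field ARN per exposed field, and audits the template for
statements that would hand the roles more than the listed fields.
Assumptions: AppSyncApiId, authRoleName and unauthRoleName exist as
parameters in CustomResources.json (as in the comment); FIELDS and the
audit rules are constructed here for illustration.
"""
import json

# Constructed sample input: the fields to expose to IAM-authenticated callers.
FIELDS = [("Query", "getStripeClientSecret")]

# Field-level AppSync resource ARN, parameterised through Fn::Sub.
FIELD_ARN = ("arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:"
             "apis/${apiId}/types/${typeName}/fields/${fieldName}")


def field_resource(type_name, field_name):
    """One Fn::Sub resource entry for a single Query/Mutation field."""
    return {"Fn::Sub": [FIELD_ARN, {"apiId": {"Ref": "AppSyncApiId"},
                                    "typeName": type_name,
                                    "fieldName": field_name}]}


def role_policy(logical_id, policy_name, role_param, fields):
    """AWS::IAM::Policy attached to the role named by a template parameter."""
    return {logical_id: {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": policy_name,
            "Roles": [{"Ref": role_param}],
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": ["appsync:GraphQL"],
                    "Resource": [field_resource(t, f) for t, f in fields],
                }],
            },
        },
    }}


def custom_resources(fields, include_unauth=True):
    """Parameters and Resources to merge into the API's CustomResources.json."""
    resources = {}
    resources.update(role_policy("AuthRolePolicy",
                                 "appsync-authrole-policy-custom",
                                 "authRoleName", fields))
    if include_unauth:  # public IAM access needs the unauth role as well
        resources.update(role_policy("UnauthRolePolicy",
                                     "appsync-unauthrole-policy-custom",
                                     "unauthRoleName", fields))
    return {
        "Parameters": {"AppSyncApiId": {"Type": "String"},
                       "authRoleName": {"Type": "String"},
                       "unauthRoleName": {"Type": "String"}},
        "Resources": resources,
    }


def resolved_arn(resource):
    """Render a literal or Fn::Sub ARN as text. String mappings (typeName,
    fieldName) are substituted; Ref values and CloudFormation pseudo
    parameters such as ${AWS::Region} are left in place."""
    if isinstance(resource, str):
        return resource
    sub = resource["Fn::Sub"]
    template, mapping = (sub, {}) if isinstance(sub, str) else sub
    for key, value in mapping.items():
        if isinstance(value, str):
            template = template.replace("${%s}" % key, value)
    return template


def audit_grants(template):
    """Return (logical_id, arn, reason) for Allow statements on appsync:GraphQL
    that are broader than one field, or that give the unauth role a Mutation.
    An empty list means every grant is scoped to a single named field."""
    findings = []
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res["Properties"]
        unauth = any(r.get("Ref") == "unauthRoleName" for r in props["Roles"])
        for stmt in props["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if not {"appsync:GraphQL", "appsync:*", "*"} & set(actions):
                continue
            resources = stmt.get("Resource", [])
            if not isinstance(resources, list):
                resources = [resources]
            for arn in map(resolved_arn, resources):
                if "*" in arn or "/fields/" not in arn:
                    findings.append((logical_id, arn, "not scoped to one field"))
                elif unauth and "/types/Mutation/" in arn:
                    findings.append((logical_id, arn, "mutation exposed to unauth role"))
    return findings


if __name__ == "__main__":
    template = custom_resources(FIELDS)
    print(json.dumps(template, indent=2))
    print("findings:", audit_grants(template))
```

Running the module prints the fragment to merge into CustomResources.json and an empty findings list. The audit is the check worth keeping around: a grant on `apis/${apiId}/*` makes every field of the API callable by whichever role it is attached to, which for the unauth role is the whole internet, so the comment's field-by-field ARNs are the least-privilege shape, not just a way to silence the error.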

I've hit more or less the exact same scenario and I'm also hoping to see improvements to this soon. I did try adding the configuration in CustomResources.json but I did not add it for both unAuthRole and authRole as it was not described in that issue comment, so it didn't work.

I have the same problem, any news about this?

+1
Same for private IAM and API Key.

Any news?
