Describe the bug
Lambda Function cannot execute GraphQL queries (read-only) against the Amplify API - when only the read permission is set in the CLI during amplify function update.
I created an API with Cognito User Pools and secondary IAM for Lambda according to these instructions, as described in the documentation:
https://aws-amplify.github.io/docs/cli-toolchain/quickstart#functions-examples
When running amplify function update I selected api and Read for the permissions.
Result:
However, all calls to the API failed with Permission Denied errors. This was true even when trying to run a query from the online AWS AppSync Console (with IAM permission set).
Note: In the online AWS AppSync Console, using a Cognito User Pool account worked fine.
Workaround:
I found that running amplify function update, selecting api and Create, Read, Update, Delete (all permissions) solved the problem. After changing to all permissions and running amplify push, everything worked as expected.
It seems the CLI may not be setting all permissions required to execute Read operations (I wonder if logging or something requires create or update, etc.?).
Amplify CLI Version
To Reproduce
Also:
AWS Identity and Access Management (IAM)
Expected behavior
The lambda function should be able to execute the query.
Other Info
With Only Read selected (via amplify function update):
{
  "errors": [
    {
      "errorType": "UnauthorizedException",
      "message": "Permission denied"
    }
  ]
}
With all permissions CRUD selected (via amplify function update):
{
  "data": {
    "getUserByEmail": {
      "items": [
        {
          "id": "176...",
          "email": "rick@to....",
          "activeAccountToken": "0be...",
          "owner": "48b..."
        }
      ],
      "nextToken": null
    }
  }
}
@ricklove Actually the CRUD operations on amplify function update control both data-plane and control-plane operations on the GraphQL API. Just selecting the "Create" operation gives the Lambda function access to perform queries/mutations/subscriptions from the Lambda functions. Perhaps we should document this better. I'm adding a documentation task for this.
Well, what would read even allow by itself? I couldn't even execute a query, so I'm not sure what the purpose is for even prompting the user if only read is not functional.
@ricklove "read" implies granting permissions to get/list the GraphQL APIs in your account and to get the configurations/settings for your GraphQL API.
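The control-plane versus data-plane split described above, as an added illustration written for this thread (not the policy the Amplify CLI generates): the ControlPlaneReadOnly statement is the kind of grant the "Read" option corresponds to and only lets the function describe the API, which is why the query above came back with UnauthorizedException; the DataPlaneQuery statement is the appsync:GraphQL grant the function actually needs, scoped to the Query type so it cannot run mutations. REGION, ACCOUNT_ID and API_ID are placeholders, and the function must still sign its requests with its execution-role credentials (SigV4) for the API's IAM auth mode.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ControlPlaneReadOnly",
      "Effect": "Allow",
      "Action": [
        "appsync:GetGraphqlApi",
        "appsync:GetIntrospectionSchema"
      ],
      "Resource": "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID"
    },
    {
      "Sid": "ControlPlaneListApis",
      "Effect": "Allow",
      "Action": "appsync:ListGraphqlApis",
      "Resource": "*"
    },
    {
      "Sid": "DataPlaneQuery",
      "Effect": "Allow",
      "Action": "appsync:GraphQL",
      "Resource": [
        "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Query/fields/getUserByEmail"
      ]
    }
  ]
}
```

A policy containing only the first two statements reproduces the Permission denied result; widening the last Resource to types/Query/* allows every query field while still excluding Mutation and Subscription.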
Ok. I think it would be good to specify a few common scenarios in the documentation and mention something in the prompt to refer to the documentation for specific scenarios.
I would think my scenario is pretty common (using a lambda function to call graphQL server side), but I overlooked any information about how to set that up properly.
Thanks!
Thank you @ricklove! I just ran into this exact thing.
@kaustavghosh06 has a documentation task been added for this? The documentation is still quite opaque about this: https://aws-amplify.github.io/docs/cli-toolchain/quickstart#graphql-from-lambda