Which Category is your question related to?
Auth / GraphQL
What AWS Services are you utilizing?
AWS AppSync
Provide additional details e.g. code snippets
In our schema.graphql, we added the @function directive to the field inside the Query type, in order to invoke our recoverUsername lambda function:

```graphql
type Query {
  recoverUsername(email: String): String
    @function(name: "recoverUsername-${env}")
    @aws_iam
}
```
It works when I execute this query in the AWS AppSync console by selecting the IAM auth provider, but when I try to call it from the app with:

```js
API.graphql({
  query: recoverUsername,
  variables: {
    email,
  },
  authMode: 'AWS_IAM',
});
```

aws-exports.js

```js
const awsmobile = {
  aws_appsync_authenticationType: 'AWS_IAM',
  ...
}
```

I get `GraphQLError request failed with status code 401`.

We are using an older version of aws-amplify (1.2.4), but I also tried with the latest version, same error.
@cc-bojan What does your amplify/backend/backend-config.json look like? Have you set IAM as an auth type?
```json
"api": {
  "fooApi": {
    "service": "AppSync",
    "providerPlugin": "awscloudformation",
    "output": {
      "authConfig": {
        "additionalAuthenticationProviders": [
          {
            "authenticationType": "AWS_IAM"
          }
        ],
        "defaultAuthentication": {
          "authenticationType": "AMAZON_COGNITO_USER_POOLS",
          "userPoolConfig": {
            "userPoolId": "authFoo"
          }
        }
      }
    }
  }
},
...
```
@cc-bojan when you're logged into the AWS Console you're probably using administrator role credentials that do not need a specific policy to invoke AppSync mutations; that's the probable reason why it works.

If you use the AppSync service's native directives like @aws_iam, the Amplify CLI will not generate any policies for you for the Auth and Unauth roles, so when you call the Amplify service from the client application specifying IAM as the authentication mode, it will use the AWS credentials of the currently logged-in user, and that user's role (Auth or Unauth) has no attached policies that would grant access to the AppSync service to invoke that Lambda function.
Could you please confirm that the above is correct? And if it is correct create a policy and verify that it is working?
@attilah You were right. I attached the resource `arn:aws:appsync:eu-central-1:<account-id>:apis/<api-id>/types/Query/fields/recoverUsername` to the existing UnauthRolePolicy, and now it's working. Thanks.
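An added example, not code from the thread or from Amplify, showing the least-privilege policy the fix above describes: `appsync:GraphQL` on the single field ARN attached to the Unauth role, plus a simplified Allow-only matcher that illustrates why a field-scoped resource is preferable to an API-wide wildcard. Region, account id and API id are constructed placeholders.

```python
"""Least-privilege IAM policy for an AppSync field called with authMode AWS_IAM.

Added example (not from the issue): builds the Unauth-role policy statement
the thread describes and checks which fields it actually grants.
Region, account id and API id below are constructed placeholders.
"""
import fnmatch
import json

REGION = "eu-central-1"
ACCOUNT_ID = "123456789012"              # placeholder, not a real account
API_ID = "abcdefghijklmnopqrstuvwxyz"    # placeholder, not a real API id


def field_arn(type_name: str, field_name: str) -> str:
    """ARN of one GraphQL field, the unit AppSync authorizes on."""
    return (f"arn:aws:appsync:{REGION}:{ACCOUNT_ID}:apis/{API_ID}"
            f"/types/{type_name}/fields/{field_name}")


def unauth_policy(fields: list) -> dict:
    """Policy granting appsync:GraphQL on exactly the listed (type, field) pairs.

    Attach to the Cognito Identity Pool Unauth role (what the client assumes
    when API.graphql runs with authMode 'AWS_IAM' and nobody is signed in)
    instead of a wildcard over the whole API.
    """
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["appsync:GraphQL"],
                           "Resource": [field_arn(t, f) for t, f in fields]}]}


def allowed_fields(policy: dict, candidates: list) -> list:
    """Candidate fields the policy lets the caller invoke.

    Simplified IAM matching (Allow statements only, '*' wildcards); enough to
    compare a field-scoped resource against a broader one.
    """
    resources = [r for s in policy["Statement"]
                 if s["Effect"] == "Allow" and "appsync:GraphQL" in s["Action"]
                 for r in s["Resource"]]
    return [f"{t}.{f}" for t, f in candidates
            if any(fnmatch.fnmatchcase(field_arn(t, f), r) for r in resources)]


if __name__ == "__main__":
    probe = [("Query", "recoverUsername"), ("Query", "listUsers"), ("Mutation", "deleteUser")]
    narrow = unauth_policy([("Query", "recoverUsername")])
    print(json.dumps(narrow, indent=2))
    print(allowed_fields(narrow, probe))   # ['Query.recoverUsername']
    wide = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["appsync:GraphQL"],
            "Resource": [f"arn:aws:appsync:{REGION}:{ACCOUNT_ID}:apis/{API_ID}/*"]}]}
    print(allowed_fields(wide, probe))     # all three fields
```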