Amplify-console: `amplify publish` url works, but CI/CD url fails authentication with AppSync

Created on 11 Dec 2019 · 7Comments · Source: aws-amplify/amplify-console

I've set up an app with the Amplify CLI, I added auth (cognito user pools), an API (graphql) and hosting.

It all actually went quite smoothly for the first try, and then I went into the Amplify Console and connected the frontend to my github repo. Everything there seems to work too, my app deploys at a new URL (still the default amplifyapp.com one). I can visit the page, it requires me to log in, which works, but then when I need to request a resource that queries graphql, it fails.

I've looked into the network tab and I get the following error:

{
  "errors" : [ {
    "errorType" : "UnauthorizedException",
    "message" : "Unable to parse JWT token."
  } ]
}

That only happens on my the version launched from the CD section of the Amplify Console. The URL from amplify publish works.

I looked into the request headers, and I presume this is where something is wrong because it sends the request with a x-amz-security-token: IQoJb3JpZ2luX2VjEKf//////////wEaCXVzLWVhc..., instead of the other version which sends a JWT like this in the header: authorization: eyJraWQiOiJ5QkxnVTAxOWpo...

I (think) I've scoured the documentation to figure out what's going on, but I might just not know the right terms to describe my issue to find other posts about it. Did my miss something in the automated setup? Is this a manual tweak I need to make after the fact? A bug? Any help is appreciated.

Cheers.

backend bug pending-customer-response

Source

mcbergsma

All 7 comments

Do you have access to aws-exports.js file that is generated from the console and pasted by commenting the endpoints.

elorzafe on 14 Dec 2019

I do, does this help?

const awsmobile = {
    "aws_project_region": "us-east-1",
    "aws_content_delivery_bucket": "xxxx-dev-local",
    "aws_content_delivery_bucket_region": "us-east-1",
    "aws_content_delivery_url": "http://xxxx-dev-local.s3-website-us-east-1.amazonaws.com",
    "aws_cognito_identity_pool_id": "us-east-1:xxxx",
    "aws_cognito_region": "us-east-1",
    "aws_user_pools_id": "us-east-1_xxxx",
    "aws_user_pools_web_client_id": "xxxx",
    "oauth": {},
    "aws_appsync_graphqlEndpoint": "https://xxxx.appsync-api.us-east-1.amazonaws.com/graphql",
    "aws_appsync_region": "us-east-1",
    "aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS"
};


export default awsmobile;

mcbergsma on 16 Dec 2019

That configuration should be using Authorization header with JWT, I will transfer this to console team. so they can take a closer look to this. Maybe on the deployed app is not using that config.

elorzafe on 16 Dec 2019

👍1

It's auto-generated correct? I just noticed it is in .gitignore, so it doesn't go into the repo the CI/CD monitors. I thought I was just failing to understand the difference between amplify publish and what gets build by the CI/CD pipeline (I guess I still don't understand the difference!) - thanks for looking into it though.

mcbergsma on 16 Dec 2019

@mcbergsma can you try this: https://github.com/aws-amplify/amplify-console/issues/163#issuecomment-536236794

swaminator on 17 Dec 2019

👍1

@swaminator That did it! Thanks very much!

mcbergsma on 17 Dec 2019

I've encountered an issue that's very similar - in deployment there was an error updating the cloudformation stack because it couldn't find the right API key for AppSync. It was clearly an old api key.

After following the steps to override the Amplify CLI version, setup live updates, the build passed. Hopefully this helps anyone later.