Amplify-js: Unable to use authMode: "AWS_IAM" when logged in through cognito with API.graphql

@grigull This should be possible with your schema, passing it over to the Amplify JS team to help you out with the client side implementation for multi-auth.

Thank kaustav, for more information the error i get is
Request failed with status code 401, also my completed schema for the category object is
type Category @model (subscriptions: { level: off })
@key(fields: ["id"])
@auth (rules: [
{allow: private, provider: iam, operations: [read, update, create, delete]},
{allow: private, provider: userPools, operations: [read]},
{allow: public, provider: iam, operations: [read]}])
{
id: ID!
name: String!
count: Int!
idExt: String!
nameExt: String!
tags: [Tag] @connection(keyName: "byCategory", fields: ["id"])
catChildren: [RelatedCategory] @connection(keyName: "byCatChild", fields: ["id"])
catParents: [RelatedCategory] @connection(keyName: "byCatParent", fields: ["id"])
}
but the more simplistic @auth in my original question stills fails in the same way.

Removed all my node_modules and recompiled with all the latest Amplify versions, including the new Amplify CLI 4.8. Same issue even when deploying a brand new environment.

@grigull I had the same problem. How I solved it:

1. Run amplify console auth in the terminal.
2. Choose Identity Pool
3. Click Edit Identity Pool at the top right of the webpage that opened in the browser.
4. Check Enable access to unauthenticated identities:

Hope that helps.

@AryanJ-NYC unfortunately that is not the problem, unauthenticated identities are already enabled, it is problem with using authMode: AWS_IAM when the user is already logged in. When the user is not logged in authMode: AWS_IAM works fine.

Got it. I have had success using authMode: 'AWS_IAM' when the user is logged in. My schema is as follows:

type BlogPost
  @model
  @auth(
    rules: [
      { allow: public, operations: [read], provider: iam }
      { allow: private, operations: [read, create] }
      { allow: owner, operations: [delete, update] }
    ]
  ) {
  id: ID!
  title: String!
  stringifiedBlogJson: String!
  creationDate: AWSDateTime
}

Perhaps there's some weirdness with adding providers: userPools (though, the documentation _does_ provide that as an option). 🤷‍♂

My suspicion is that it has something to do with the cognito user groups feature that was added, as only to recently did i switch from my personal to solution to the official cognito user groups functionality.

Looks like my suspicion was right, did a fresh install of both amplify and my entire application. The moment i switched from my manual set up of user groups to the amplify solution with dedicated IAM roles for each user group the query with a logged in user will fail for authMode: AW_IAM. Adding {allow: groups, groups: ["admin", "student"], operations: [read]} to @auth didn't help.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I recently tried to figure out the problem, I am pretty sure it is coming from the fact that i am using cognito user groups. I get the following error No current User when i attempt to query with authMode: AWS_IAM when not logged in. I now have it working for logged in users but not for unauthenticated users, even though they have been set up for access in amplify.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed because of inactivity. Please open a new issue if are still encountering problems.

Any updates on this?

Still same problems with CLI 4.16.1

Still does not work with CLI 4.18.0. This scenario is so common.
Now I will use cognito only and autologin a visitor role user.

how are you handling the dummy account for a visitor role in terms of storing the dummy email and password in your website/app for anyone to be able to access?

No need to access it for the users, it will autologin and stored in the client.
But anybody can see it, it is intendedly dummy, like username: 'PublicUser' password: 'PublicUser'.
still waiting for the fix though...

I can confirm having the same problem

  @auth(
    rules: [
      { allow: public, provider: iam, operations: [read] }
      { allow: groups, groups: ["Admin"] }
    ]
  )

Would fail with code 401 if using IAM and user logs in and won't fail if not logged in.
I am trying to just observe the log in status and swap authMode but that seems like so unnecessary and if this is not a bug amplify should still handle the switching.

Same here...

One way to overcome the problem is by dynamically switching authMode like this:

await API.graphql({
        query: `query NAME(...) {
          name(...) {
            ...
            ...
          }
        }`,
        variables: {
          ...: ...,
          ...: ....
        },
        authMode: isAuthenticated ? "AMAZON_COGNITO_USER_POOLS" : "AWS_IAM"
});

Where isAuthenticated is the state of the current user.

And have rules like that

@auth(rules: [{allow: public, provider: iam}, {allow: private, provider: userPools}])

This works... But I can't figure out why groups-based rules aren't working with @auth(rules: [{ allow: groups, groups: [some_cognito_group"] }])

P.S. The issue is not solved, I just don't know how to re-open...

Related:

• https://github.com/aws-amplify/amplify-cli/issues/4159
• https://github.com/aws-amplify/amplify-cli/issues/2701
• https://github.com/aws-amplify/amplify-cli/issues/2776

Some maybe helpful docs:

• https://aws.amazon.com/blogs/mobile/using-multiple-authorization-types-with-aws-appsync-graphql-apis/

I had similar issue. When a user is part of a Cognito group, AWS_IAM doesn't work.

I had the same problem, the solution i found is to replace @aws_iam by @auth(rules: [{ allow: public, provider: iam}])
This works.

Btw, @aws_iam works for me only with the mock.