amplify-cli: @auth not working for custom Query and resolvers

I have implemented multi asuthentication systems into my amploify project, with Cognito pools are the default and IAM as the secondary.

All works fine for the authentication on amplify generated queries and mutation, however my custom queries always return the following when called:

GraphQL Error: message: “Request failed with status code 401”

My queries:

type Query {
  searchElasticEvents(input: SearchEventsInput): EventConnection @aws_iam @aws_cognito_user_pools
  searchElasticPlaces(input: SearchPlacesInput): EntityConnection
}

I have tried with adding the ’ @aws_iam @aws_cognito_user_pools’ directives, and without and both error.

I can’t add the auth directive as that requires the @model directive to be present.

The custom resolvers contain no authentication checks as I wish them to be public, so why is it giving me an authentication error:

Front end call:

` const { data } = await this.amplify.api().graphql({
        query: searchElasticPlaces, 
        variables: { input },
        authMode: 'AWS_IAM'
       });`

About this issue

Original URL
State: closed
Created 5 years ago
Reactions: 2
Comments: 38 (6 by maintainers)

Most upvoted comments

Related to #2711 and #3590 contains support for this functionality for custom queries backed by functions or custom resolvers.

Given the following schema:

input SearchEventsInput {
  text: String!
}

type EventConnection @aws_iam {
  result: [String!]!
}

type Query {
  searchElasticEvents(input: SearchEventsInput): EventConnection
    @auth(rules: [
      { allow: public, provider: iam }
    ])
}

This will be the output schema the CLI will generate:

input SearchEventsInput {
  text: String!
}

type EventConnection @aws_iam {
  result: [String!]!
}

type Query {
  searchElasticEvents(input: SearchEventsInput): EventConnection @aws_iam
}

It will add the @aws_iam directive to the query with the @auth rule and also generate the appropriate entry in AuthRolePolicynn or UnauthRolePolicynn:

{
    "Effect": "Allow",
    "Action": [
        "appsync:GraphQL"
    ],
    "Resource": [
        {
            "Fn::Sub": [
                "arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${apiId}/types/${typeName}/fields/${fieldName}",
                {
                    "apiId": {
                        "Fn::GetAtt": [
                            "GraphQLAPI",
                            "ApiId"
                        ]
                    },
                    "typeName": "Query",
                    "fieldName": "searchElasticEvents"
                }
            ]
        }
    ]
}

Notice that since EventConnection has no @model directive - for now - it requires the @aws_iam directive to be in place and also the policy entry for that type.

attilah on Mar 5, 2020

Same problem with a mutation method, I have tried @auth @aws_iam @aws_api_key, both without success. It works just with group User with Cognito.

type Mutation {
  startProposal(input: StartProposalInput): String
    @function(name: "func-${env}")
    @auth(
      rules: [
        { allow: groups, groups: ["User"] }
        { allow: private, provider: iam, operations: [read, create, update] },
      ]
    )
    @aws_iam @aws_api_key
}

dtelaroli on Jan 6, 2020

@oliverandersencox I looked at your schema again, and I see that you were using an IAM provider for Event which worked but didn’t work when you tried to run the custom queries which you used @aws_iam. One thing to note is that when using the @auth rules with provider: iam Amplify will automatically update the IAM role which you are using in Cognito for that type, however if you’re just using the schema directives for AppSync (like @aws_iam and @aws_cognito_user_pools) these are simply passed through to the schema and you must update the policy yourself since it’s a custom query. That’s possibly why you’re getting a 401.

So to clarify:

Management of policies is done automatically with @auth only on @model types
You can use the AppSync schema directives @aws_iam and @aws_cognito_user_pools on a custom type either annotated with @function or using a custom resolver, however Amplify will not update policies in this case as it’s your own custom stack

@houmark We can mark this as a feature enhancement for @auth to add IAM policies for non @model types.

undefobj on Nov 18, 2019

@undefobj and this updating of the policies is done through the IAM console right, and not the amplify part?

If this is the case, then why is this not documented anywhere and the error gives absolutely no information.

oliverandersencox on Nov 19, 2019

I’m traveling today so on my phone but it should be possible to create a REST end point and select your pipeline function as the function for the REST endpoint. Then you’d tweak the handler to both accept a typeName and fieldName for pipeline usage and if not set then pass the request on to app.js which would be just like a normal amplify REST function. This way you can actually have the same function handle both pipeline calls and API gateway / REST calls as long as you of course send a compatible payload for both of them.

houmark on Nov 15, 2019

interestingly if I run a query to any of the custom resolvers from the appsync console with AWS_IAM as the auth type, they work just fine

oliverandersencox on Nov 15, 2019

I’m sitting right now fighting something similar. I have a few custom queries and mutations that resolves to a Lambda function but no matter what I do, I cannot get a connection through. 401 constantly. The only one that works is one where I have a field on a @model which maps to the query which is calling the Lambda.

I have added @aws_iam and @aws_cognito_user_pools in every possible place but I just cannot get a request through. I’ve tried figuring out where it happens but debugging is hard because not all parts of the request are logged. It would be great with more real-life examples for these new features, but I honestly doubt if my case is supported. I’ve read both that it is and that it is not in various Github issues, so I’m more confused than ever.

houmark on Nov 9, 2019