amplify-js: "No current user" Error When Accessing AppSync Query using API.graphql

So basically when using AMAZON_COGNITO_USER_POOLS there cant be any public api? Really? Make zero sense. Having a way to create public api while still using cognito for auth users should be basic core functionality, i dont understand how its not here.

I configured multiple authentication modes on my @model as described here but requests would be authenticated using only the default authentication mode as specified using amplify api configure.

As show below, I had tried specifying the auth mode inside my service class, but this would be overwritten every time I updated my schema.

//MyAppAPI.service.ts 
const response = (await API.graphql(
  {
    query: statement, 
    variables: gqlAPIServiceArguments,
    authMode: GRAPHQL_AUTH_MODE.API_KEY
  });

I eventually found that I could instead change the auth mode programatically by doing the following:

// import { AmplifyService } from 'aws-amplify-angular';
// import Amplify from '@aws-amplify/core';
// ...
// ...
  
this.amplifyService.authStateChange$
  .subscribe(authState => {
      
  this.isLoggedIn = authState.state === 'signedIn';
  this.user = authState.user;

  if(this.isLoggedIn)
  {       
    Amplify.configure({
      "aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS", 
    });
  }
  else
  {
    Amplify.configure({
      "aws_appsync_authenticationType": "API_KEY", 
    });
  }

});
  
  
// ...

I hope this helps someone.

We’re working on making this easier via the CLI, but for now you can use the following steps to allow both Authenticated & Unauthenticated access to your AWS AppSync API:

1. Create an Amplify project

amplify init

1. Add auth with custom security configuration:

amplify add auth

Do you want to use the default authentication and security configuration? NO

Select the authentication/authorization services that you want to use: (Use arrow keys) User Sign-Up, Sign-In, connected with AWS IAM controls (Enables per-user Storage features for images or other content, Analytics, and more)

Please provide a friendly name for your resource that will be used to label this category in the project: YOURAPINAME

Please enter a name for your identity pool. YOURIDPOOLNAME

Allow unauthenticated logins? (Provides scoped down permissions that you can control via AWS IAM) Yes Choose defaults for the rest of the questions

1. Add the api

amplify add api

Choose Amazon Cognito User Pool as the authorization type.

1. Create the API

amplify push

1. In the AppSync API dashboard settings, change the authentication type to AWS Identity and Access Management (IAM)

2. In aws.exports.js on the client app, change aws_appsync_authenticationType to AWS_IAM

3. In the Cognito dashboard, click “Manage Identity Pools” & click on your identity pool.

4. Click “Edit Identity Pool” to see your “Unauthenticated role” & “Authenticated Role”

5. Open the IAM console & find the “Unauthenticated role” from step 8

6. Click “Add inline policy”

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "appsync:GraphQL"
            ],
            "Resource": [
                "arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Mutation/fields/listTodos"
            ]
        }
    ]
}

1. Open the IAM console & find the “Authenticated role” from step 8

2. Click “Add inline policy”

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "appsync:GraphQL"
            ],
            "Resource": [
                "arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Mutation/fields/listTodos",
                "arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Mutation/fields/createTodo"
            ]
        }
    ]
}

1. In index.js, add this code:

import { Auth } from 'aws-amplify'
Auth.currentCredentials()
  .then(d => console.log('data: ', d))
  .catch(e => console.log('error: ', e))

1. You should now be able to query when logged out, & query & create mutations when logged in.

If you’d like to access the unique identity of the logged in user for user authorization & fine grained access control, you can access the $context.identity.cognitoIdentityId) in the resolver.

Any solutions or workarounds to this? I’m getting the same error keeping track of user identities. Tried sending a Bearer Token manually with an Interceptor as well, but didn’t work. Going to try removing all @auth statements from my GraphQL schema next.

Edit: I think my problem is that I’m expecting DynamoDB access without having a logged-in user, which Amplify doesn’t seem to support at this point. So, I’ll have to store data locally in the meantime, and then create a syncing service layer to create rows in my DynamoDB table once the user has registered.

@vparpoil regarding the way aws_appsync_authenticationType is overridden you can do this to preserve your change outside editting the aws-exports.js directly.

const aws_exports_override = {...aws_exports, aws_appsync_authenticationType: "AWS_IAM",}
Amplify.configure(aws_exports_override);

@reggie3 @GroveDev @selipso @aldarund @etwillbefine @rayhaanq to clarify, it sounds like you want to allow public access to your AppSync GraphQL API for all or part of your schema. Currently AppSync supports one auth mode at a time though supporting multiple auth modes simultaneously is something that is being evaluated for the 2019 roadmap. In the meantime if this is something you’re looking to do let me provide some options:

First, the most common solution is to use Cognito Identity and set your AppSync Authorization mode to AWS_IAM. You can then enable “unauthenticated access” in the Cognito Identity Pool which will allow the client to assume a role without logging in. You can set IAM permissions on that role for whatever parts of your GraphQL types you want to execute as outlined here: https://docs.aws.amazon.com/appsync/latest/devguide/security.html#aws-iam-authorization

Enabling UnAuthenticated access can be done with the amplify CLI when you run amplify add auth or amplify update auth and do not select the default configuration (it’s disabled by default for least privilege). Alternatively you can perform this in the Cognito Identity console.

Another alternative that some customers have done is to create two GraphQL APIs, one for unauthenticated/anonymous access and one for when the user is authenticated. The unauthenticated one uses a strict subset of the schema (for example, queries only) for the other API and is configured with API key for authorization. They both use the same data sources. Your client then uses the appropriate endpoint with authentication configuration as appropriate when you call amplify.configure at which point your API.graphql calls will respect this configuration.

Hope this is helpful for the time being.

We’re looking at putting an example together for this. As outlined above if you want to allow multiple types of access permissions on the same API, at this point you will need to use IAM as AppSync doesn’t yet support multi-auth.

This statement by @chriszirkel “enabling unauth access means that possibly everyone on the frontend could call my APIs” needs clarification. Enabling unauthenticated roles in Identity Pools means the client can receive AWS credentials which are separate from the authenticated role. This allows you to assign different IAM permissions to those roles, per the link I pointed to earlier: https://docs.aws.amazon.com/appsync/latest/devguide/security.html#aws-iam-authorization

To be crystal clear, this means that you can have unauthenticated access which the IAM policy for that role can just do one thing - like run queries only. Then the other authenticated role (which could be when users log in or from a Lambda function) can do more like perform mutations. In the link I posted above note that the Resource in the policy is set on a type in your schema like so:

   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "appsync:GraphQL"
         ],
         "Resource": [
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Query/fields/<Field-1>",
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Query/fields/<Field-2>",
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Mutation/fields/<Field-1>",
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Subscription/fields/<Field-1>"
         ]
     }
   ]
}

So you can use this to set appropriate values in the ../types/XXXXXX definition.

@aireater I would suggest you open up a new issue with details on the CLI repo as your question seems to be related to something else with your API deployment.

I went with exactly this approach (IAM) and gave this whole lib up.

https://github.com/aws-amplify/amplify-js/issues/2363#issuecomment-449011422

Can I recommend that there be some way to call specific queries without requiring a token then? User Pool groups seem like a perfect way to authenticate. They are simple to reason about, analogous to non AWS techniques for grouping users, and powerful. Additionally, I think group permissions will become the “happy path” once you guys integrate Facebook, Google, and other logins into user pools without requiring using the Hosted UI.

I couldn’t get the IAM method to work even when I gave the unauthenticated role full permissions as specified by this example taken from the documentation you linked:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "appsync:GraphQL"
         ],
         "Resource": [
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/*"
         ]
      }
   ]
}

I don’t think learning IAM should be a requirement for what I’m trying to do so for now I’ll go with the API_KEY method, and see where you guys take the library in the future.

[edited] - found the answer

I ran into the same issue, which is really blocking in a real use of amplify to build an app. It make me really question the choice we made of using amplify… I just tried the proposal given above in order to allow unauthenticated users to run a mutation with the following : update: worth to mention that the MutationName bellow can be found in the aws console > AppSync > schema > find the mutation type and look at the keys of the object.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "appsync:GraphQL"
            ],
            "Resource": [
                "arn:aws:appsync:<REGION>:<CLIENTID>:apis/<APIID>/types/Mutation/fields/MutationName"
            ]
        }
    ]
} 

Here is my JS - I had an error here when calling graphqlOperation, I had updated the code with the correction :

Auth.currentCredentials().then(response => {
            API.graphql(graphqlOperation(MutationName, {input: input})).then(response => console.log(`response: ${response}`))
                .catch(error => console.log(error));
        })

And I always get a GraphQLError : “Request failed with status code 401”. => now this is ok

@undefobj Hey man, again, thanks for taking the time to respond to my questions. I’m not sure if we’re on the same page here (i hope i’m not missing something) 😃

Basically, i got that working (allowing access to unauthenticated and authenticated users by using AWS_IAM auth mode). However, i need to have different permissions for the authenticated users e.g. admin, author, user etc. and i’m trying to do that by putting them in a group, based on which i’ll allow or deny access to specific queries and mutations.

The thing is (like you said here) that user pool groups are not available when using AWS_IAM auth mode (i can’t access them in the resolver).

So my question is, how should i go about solving this issue?

Hi @reggie3 thanks for your feedback. When you specify Amazon Cognito User Pool as the authorization type on your AppSync API, when you try to call the API it always need a jwt to authenticate. When you don’t have directives on your query like you mention, it means that any user of the User Pool has access to the query, it doesn’t mean that the API is open to everyone.

For the use case you have I can suggest you to create an Amazon Cognito Identity Pool. Identity pools can have configured an unauth an auth roles like the case you mention unauth role (No signed in user).

To configure IAM permissions you can take a look here.

Please let me know how it goes

@dabit3 what’s the process for adding another auth type to an existing graphql api (cognito). Can be done using the latest Amplify CLI or only the AppSync console?

Another issue with this setup that happens to me : when running amplify push, the aws-exports.js file is overwritten and the aws_appsync_authenticationType switch back to AMAZON_COGNITO_USER_POOLS, resulting in 403 errors. It’s quite annoying, but is it a bug or a feature ?

@mkaschke It’s working now. I can get a unauthenticated user to run a graphql mutation using this setup

All - Please see @dabit3 instructions above or the sample we posted here: https://github.com/dabit3/appsync-auth-and-unauth

As mentioned before we are looking to make this easier with CLI tooling in the following RFC: https://github.com/aws-amplify/amplify-cli/issues/766 For the short term hopefully this helps you get up and running.

We’re looking at putting an example together for this.

@undefobj An example of setting up two separate APIs would be very helpful. 🙂

I’m running into the same trouble and the workaround I’m currently using is to have 2 APIs, one using API_KEY and the other using AMAZON_COGNITO_USER_POOLS. The first one is mostly used on the server side and the later is on the client side, where a pre-created guest account is used and logged in to enable public features.

@mkaschke As far as i know, there isn’t. You’ll have to either use AWS_IAM auth mode (check this comment) or have two API’s (one public, one private). But even then, there are far too many issues e.g. there’s no docs on how to configure two different apollo profiles based on the user’s state (see this comment), you can’t access user pool groups (see this comment) which is very important etc. My conclusion at this point is that AppSync paired with Cognito is garbage. Yes, you can build very simple apps, quickly. But, if your intention is to build complex, real world application, run away.

@joebernard

I haven’t tested it, but something like this might work and help you https://codesandbox.io/s/25l7or15r

The idea is to wrap the <ApolloProvider> in a component that passes a different client depending on the auth state. Note that you might need to cleat the apollo client cache when swapping clients.

@dimitarrusev unfortunately the Cognito User Pool groups are not available when using IAM.

@undefobj How can i get access to the user’s groups when using AWS_IAM auth mode?

@undefobj If I am using this method like you described with Cognito Identity and IAM permissions would I be able to use the user context within the resolvers to have fine grained access control?

Right now, I’m leaning towards creating a separate table in DynamoDB to track user specific information using the user pool users’ “sub” attribute or Cognito IAM ID as an ID for each user in that table, and keeping track of each user’s groups there.

Unfortunately, that would still mean that I couldn’t take advantage of the group directive in the AppSync schema. I’d work around that by using Lambdas to do the authorization and resolving on the queries that I’d want to restrict.