nixn

Reputation: 1478

AWS AppSync - Public & Private Queries

I want to give "guest / public" access to some queries in AppSync. But only let fully signed up users run mutations or other queries.

I have installed Amplify and configured the auth module to generate an identity pool and a user pool. I can see on the dashboard for identity pools that I have one unauthorized access (myself testing).

But I cannot execute any queries if I am not registered. My AppSync settings are set to "Cognito User Pool" with "default action" allow.

Has anybody solved this kind of problem yet?

Upvotes: 2

Views: 2236

Answers (1)

Sators

Reputation: 3126

AppSync now supports different authentication permission types for different queries. See Using multiple authorization types with AWS AppSync GraphQL APIs.

Therefore, with this in mind, you could use @aws_cognito_user_pools on your protected queries, and @aws_api_key on your public queries, defining an API key in your AppSync settings to be used by your application when in "guest/public" mode.

Any queries/mutations you want accessible to both public/private will need both @aws_cognito_user_pools @aws_api_key added to the query.

However, a complication to this is that AWS sets an expiration time on AppSync API keys, defaulting to 7 days. Hardly practical for a public route. Using the AWS API, you can extend this expiration to 365 days from the current date.

I have created this Lambda Function to traverse through any AppSync API keys that you have defined in your account and extend the expiration date to 365 days from now. Therefore, if you added this to your account, and created a CloudWatch Event to schedule the call to this Lambda function on an interval less than 365 days, your API key would never expire.

Upvotes: 4
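As an added example (not part of the answer above or of any AWS tooling), the following check reads a schema that uses the directives the answer describes and reports which Query and Mutation fields a guest holding only the API key can reach, so an accidentally public mutation is caught before deployment. The schema, its type and field names, and the helper function names are constructed for illustration; it assumes one field per line and Cognito User Pools as the default authorization mode, as in the question.

```python
import re

# Constructed sample schema; type and field names are hypothetical.
SCHEMA = """
type Query {
  listPosts: [Post] @aws_api_key @aws_cognito_user_pools
  getPost(id: ID!): Post @aws_api_key
  myDrafts: [Post] @aws_cognito_user_pools
  me: User
}

type Mutation {
  createPost(title: String!): Post @aws_cognito_user_pools
  deletePost(id: ID!): Post
}
"""

# AppSync schema directives and the authorization mode each one selects.
AUTH_DIRECTIVES = {
    "aws_api_key": "API_KEY",
    "aws_cognito_user_pools": "AMAZON_COGNITO_USER_POOLS",
    "aws_iam": "AWS_IAM",
    "aws_oidc": "OPENID_CONNECT",
    "aws_lambda": "AWS_LAMBDA",
}

def _modes(text):
    return {AUTH_DIRECTIVES[d] for d in re.findall(r"@(\w+)", text) if d in AUTH_DIRECTIVES}

# Field directives win over type directives; a field with neither uses default_mode.
def field_auth_modes(schema, default_mode="AMAZON_COGNITO_USER_POOLS"):
    """Map 'Type.field' to its set of auth modes for Query and Mutation fields."""
    result = {}
    pattern = r"type\s+(Query|Mutation)\b([^{]*)\{(.*?)\}"
    for type_name, type_dirs, body in re.findall(pattern, schema, re.S):
        type_modes = _modes(type_dirs) or {default_mode}
        for line in body.splitlines():
            m = re.match(r"\s*(\w+)\s*(?:\(.*\))?\s*:", line)
            if m:
                result[f"{type_name}.{m.group(1)}"] = _modes(line) or type_modes
    return result

def public_fields(schema, **kw):
    """Fields that a guest holding only the API key can call."""
    return sorted(f for f, m in field_auth_modes(schema, **kw).items() if "API_KEY" in m)

def public_mutations(schema, **kw):
    """Mutations reachable with the API key; expected to be empty for this schema."""
    return [f for f in public_fields(schema, **kw) if f.startswith("Mutation.")]
```

In the sample, `getPost` carries only `@aws_api_key`, so it is reported as public but is not available to Cognito-authenticated requests, which is why fields meant for both audiences need both directives.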
