simplikios

Reputation: 381

How do I make an AWS AppSync GraphQL API publicly accessible while using Amazon Cognito for authentication?

Currently I am using Amazon Cognito for authentication in an AWS Amplify project, so only signed-in users have access to the api. But I want to have some api calls publicly accessible.

How do I go about this?

Upvotes: 5

Views: 3970

Answers (2)

G Cid

Reputation: 80

I just solved this exact same problem. This is what I did:

  1. Update your API by running amplify update auth and select IAM as your users handler (everything else, go with the default)

  2. Login to your AWS console -> Appsync and modify access to IAM (instead of Cognito Pool)

  3. Go to the IAM console and create IAM policies for both AUTH and UNAUTH users (search them on the list by typing the name of your Appsync app)

Locate the AUTH user and attach the following policy (update it with your info):

AUTH USER

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appsync:GraphQL",
            "Resource": [
                "arn:aws:appsync:<AWS region>:<AWS account ID>:apis/<app sync endpoint ID>/*"
            ]
        }
    ]
}

Locate the unauth user and attach the following Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appsync:GraphQL",
            "Resource": [
                "arn:aws:appsync:<AWS region>:<AWS account ID>:apis/<app sync endpoint ID>/types/Query/fields/<your Query name>",
                "arn:aws:appsync:<AWS region>:<AWS account ID>:apis/<app sync endpoint ID>/types/Query/fields/<your Query name>",
                "arn:aws:appsync:<AWS region>:<AWS account ID>:apis/<app sync endpoint ID>/types/Query/fields/<your Query name>"
            ]
        }
    ]
}

  4. And now the thing that is not documented (for people transitioning from Cognito Pools to IAM): you need to import {AUTH_TYPE}

import AWSAppSyncClient, {AUTH_TYPE} from "aws-appsync";

and use it to load the credentials in the AppSync initialization

import { Auth } from "aws-amplify"; // Auth.currentCredentials() comes from Amplify

const client = new AWSAppSyncClient({
  disableOffline: true,
  url: aws_config.aws_appsync_graphqlEndpoint,   // aws_config is the Amplify-generated aws-exports config
  region: aws_config.aws_cognito_region,
  auth: {
    // IAM: Amplify returns the authenticated or the unauthenticated (guest)
    // Identity Pool credentials depending on whether the user is signed in
    type: AUTH_TYPE.AWS_IAM,
    credentials: () => Auth.currentCredentials(),
  },
});

Hope this helps.

Upvotes: 3
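Because the UNAUTH role's policy is what every anonymous caller gets, it is worth checking before attaching it that it only grants individual Query fields, never a wildcard or a Mutation. The helper below is an added example (not from the answer above or from Amplify); the policy, region, account ID and API ID in it are constructed placeholders.

```javascript
// Audit helper for an IAM policy meant for the Cognito UNAUTH (guest) role.
// The unauthenticated role should only be able to call specific Query fields,
// never "<api>/*" and never a Mutation or Subscription field.
// The ARN and policy below are constructed for this example.
const API_ARN = "arn:aws:appsync:us-east-1:123456789012:apis/EXAMPLEAPIID";

const unauthPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: "appsync:GraphQL",
      Resource: [
        `${API_ARN}/types/Query/fields/listPublicPosts`,
        `${API_ARN}/types/Query/fields/getPublicPost`,
      ],
    },
  ],
};

// Returns a list of findings; an empty list means the policy is acceptable
// for the unauthenticated role.
function auditUnauthPolicy(policy) {
  const findings = [];
  for (const stmt of policy.Statement) {
    if (stmt.Effect !== "Allow") continue;
    const actions = [].concat(stmt.Action);
    if (!actions.every((a) => a === "appsync:GraphQL")) {
      findings.push(`unexpected action(s): ${actions.join(", ")}`);
    }
    for (const res of [].concat(stmt.Resource)) {
      // Expected shape: <api arn>/types/<Type>/fields/<field>, no wildcards
      const m = res.match(
        /^arn:aws:appsync:[^:]+:\d{12}:apis\/[^/]+\/types\/([^/]+)\/fields\/([^/*]+)$/
      );
      if (!m) {
        findings.push(`resource is not a single field: ${res}`);
      } else if (m[1] !== "Query") {
        findings.push(`non-Query field exposed to guests: ${m[1]}.${m[2]}`);
      }
    }
  }
  return findings;
}
```

Run it against the policy you are about to attach to the UNAUTH role; any finding means an anonymous caller would get more than the intended public queries.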

Ashwin Devendran

Reputation: 421

For AppSync APIs, API keys are considered "unauthenticated".

See the below documentation: https://docs.aws.amazon.com/appsync/latest/devguide/security.html#api-key-authorization

Upvotes: 3
