CODEWITHSUNDEEP
aws-appsync
hyprstack
hyprstack

Reputation: 4228

aws appsync auth directive not limiting access as expected

In my graphQl schema for the appsync api I am using I want to limit my users actions based on the group they belong to.

According to the docs, adding the line aws_auth(cognito_groups: ["Admins"]) should restrict access to only users belonging to the group of "Admins". This does not happen when I run the mutation from the appsync console or from the app itself.

My mutation is as follows:

type Mutation @aws_iam
@aws_cognito_user_pools {
    createItem(input: CreateItemInput!): Item
    updateItem(input: UpdateItemInput!): Item
    @aws_auth(cognito_groups: ["Admins"])
}

The @aws_iam and @aws_cognito_user_pools directives seem to work fine. But anyone that has authenticated or has an iam role, can still perform an update, even if they do not belong to the "Admins" group.

What is going on here? Is there additional configuration that needs to be done to get this to work?

Upvotes: 4

Views: 2109

Answers (2)

mixja
mixja

Reputation: 7467

Just to clarify further as this is not well documented.

If you are using a single authorization provider and that provider is Cognito, you should always use the @aws_auth directive. Do not use the @aws_cognito_user_pools directive as it does not work if you are using group-based authorization. This is not well documented in the AWS Cognito docs and is a trap as AppSync will allow you to configure this directive.

If you are using multiple authorization providers and you are using Cognito, you must use the @aws_cognito_user_pools directive as documented in the AWS Cognito docs. Strangely group-based authorization works correctly using @aws_cognito_user_pools but ONLY when using multiple authorization providers.

Upvotes: 5

mparis
mparis

Reputation: 3683

In general, you should avoid using @aws_auth at the same time as @aws_cognito_user_pools & aws_iam as they have slightly different behavior (see docs here).

If you want to restrict access to updateItem while still allowing any IAM auth'd user to createItem then you can use:

type Mutation {
    createItem(input: CreateItemInput!): Item
      @aws_iam
    updateItem(input: UpdateItemInput!): Item
      @aws_cognito_user_pools(cognito_groups: ["Admins"])
}

Placing the directive on the type implies that the auth config is valid for all the fields in that type. Placing the directive on the field makes it apply to the field only.

Upvotes: 4

Related Questions