ataravati

Reputation: 9165

AppSync query returns Unauthorized when using an IAM account

I'm using AWS Amplify. I have two models like below in my GraphQL schema.

type Class 
  @model 
  @auth(rules: [{ 
    allow: owner, 
    identityClaim: "sub" 
  }      
  {
    allow: owner
    identityClaim: "sub" 
    ownerField: "studentUserIds"
    operations: [read]
  }
  { 
    allow: private, 
    provider: iam 
    operations: [read]
  }
]) {
  id: ID!
  name: String!
  studentUserIds: [String!]
  students: [Student!] @connection(keyName: "ClassStudent", fields: ["id"])
}


type Student
  @model(queries: null)
  @auth(
    rules: [
      { allow: owner, identityClaim: "sub", operations: [create, update, delete, read] }
      { allow: private, provider: iam, operations: [create, update, delete, read] }
      { allow: owner, ownerField: "studentUserId", operations: [update, delete] }
      { allow: private, operations: [read] }
    ]
  )
  @key(name: "ClassStudent", fields: ["classId", "id"]) 
  @key(name: "ClassesByStudent", fields: ["studentUserId"], queryField: "classesByStudent") {
  id: ID!
  classId: ID!
  class: Class @connection(fields: ["classId"])
  studentUserId: ID!
  user: User! @connection(fields: ["studentUserId"])
  owner: String
}

When I run the classesByStudent using an IAM account, I get an Unauthorized response, even though the IAM provider has read access to both Student and Class tables. What am I doing wrong?

Upvotes: 4

Views: 2201

Answers (1)

leszek.hanusz

Reputation: 5337

I had the following error:

{"errorType":"Unauthorized","message":"Not Authorized to access onCreateMessage on type Message"}

This was solved for me by creating the amplify/backend/api//custom-roles.json file as described here

Upvotes: 3
