Home > Mobile >  Appsync Query Returning Null with Cognito Auth
Appsync Query Returning Null with Cognito Auth

Time:12-21

I'm trying to do some appsync in the console using a userpool user who is a part of the group.

However, my query is returning null in the response.

The below PK in my query definitely exists.

I suspect that the issue is related to cognito. I can't pin it down exactly. The user I am testing is in the customers group and I am not receiving an error there due to cognito group permissions.

Logs are not helpful.

If I create a new API in the console (using an API key rather than cognito for auth) and import the dynamodb table (using the same role), the same query returns data.

Do I need to give my cognito group a role that allows them to interact with appsync?

My query:

query MyQuery {
    getTable(PK: "PRODUCT#cb699976-153c-4852-a455-bc9a7bce6a93", SK: "PRODUCT#BLEND") {
        DK1
        PK
        SK
    }
}

The response:

{
  "data": {
    "getTable": null
    }
}

The Schema:

type Query {
    getTable(PK: String!, SK: String!): Table
        @aws_auth(cognito_groups: ["customers"])
    }

type Table @aws_auth(cognito_groups: ["customers"]) {
    DK1: String
    PK: String!
    SK: String!
}

iam role for dynamodb (least permission access is still todo)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": [
                "arn:aws:dynamodb:us-east-1:blah_account:table/blah_table/index/GSI1",
                "arn:aws:dynamodb:us-east-1:blah_account:table/blah_table"
            ]
        }
    ]
}

appsync role trust relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "Service": "appsync.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
        }
    ]
}

appsync config ($ aws appsync get-graphql-api):

{
    "graphqlApi": {
        "name": "blah_dev_appsync",
        "apiId": "blah",
        "authenticationType": "AMAZON_COGNITO_USER_POOLS",
        "userPoolConfig": {
            "userPoolId": "us-east-1_blah",
            "awsRegion": "us-east-1",
            "defaultAction": "DENY"
        },
        "arn": "arn:aws:appsync:us-east-1:blah_id:apis/blah_",
        "xrayEnabled": false
    }
}

CodePudding user response:

Can you check if there is a resolver attached to your (failing) Appsync API ?

If you have access to the web console look for this screen: Appsync Console UI

If there is nothing attached to getTable then that's probably why you are having null answers. Resolvers Docs

CodePudding user response:

Thanks to Ivan Caracamo's response, I learned that I needed to properly configure my resolvers.

I was able to get there with the resolver docs and this post.

Here's my request template

{
  "version": "2017-02-28",
  "operation": "GetItem",
  "key": {
    "PK": $util.dynamodb.toDynamoDBJson($ctx.args.PK),
    "SK": $util.dynamodb.toDynamoDBJson($ctx.args.SK),
  },
}

And here's my response template

$util.toJson($ctx.result)
  • Related