I'm trying to do some AppSync in the console using a user pool user who is a part of the group.
However, my query is returning null in the response.
The below PK in my query definitely exists.
I suspect that the issue is related to Cognito. I can't pin it down exactly. The user I am testing is in the customers group and I am not receiving an error there due to Cognito group permissions.
Logs are not helpful.
If I create a new API in the console (using an API key rather than Cognito for auth) and import the DynamoDB table (using the same role), the same query returns data.
Do I need to give my Cognito group a role that allows them to interact with AppSync?
My query:
query MyQuery {
  getTable(PK: "PRODUCT#cb699976-153c-4852-a455-bc9a7bce6a93", SK: "PRODUCT#BLEND") {
    DK1
    PK
    SK
  }
}
The response:
{
  "data": {
    "getTable": null
  }
}
The Schema:
type Query {
  getTable(PK: String!, SK: String!): Table
    @aws_auth(cognito_groups: ["customers"])
}
type Table @aws_auth(cognito_groups: ["customers"]) {
  DK1: String
  PK: String!
  SK: String!
}
IAM role for DynamoDB (least permission access is still todo):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": [
        "arn:aws:dynamodb:us-east-1:blah_account:table/blah_table/index/GSI1",
        "arn:aws:dynamodb:us-east-1:blah_account:table/blah_table"
      ]
    }
  ]
}
AppSync role trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
AppSync config ($ aws appsync get-graphql-api):
{
  "graphqlApi": {
    "name": "blah_dev_appsync",
    "apiId": "blah",
    "authenticationType": "AMAZON_COGNITO_USER_POOLS",
    "userPoolConfig": {
      "userPoolId": "us-east-1_blah",
      "awsRegion": "us-east-1",
      "defaultAction": "DENY"
    },
    "arn": "arn:aws:appsync:us-east-1:blah_id:apis/blah_",
    "xrayEnabled": false
  }
}
CodePudding user response:
Can you check if there is a resolver attached to your (failing) AppSync API?
If you have access to the web console look for this screen:
If there is nothing attached to getTable then that's probably why you are having null answers.
Resolvers Docs
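The check suggested in this answer, as an added example that is not part of the original thread: compare the fields declared on the Query type with the resolvers reported by `aws appsync list-resolvers --type-name Query`. The `listTables` field, the resolver list and the helper names are constructed for illustration; the schema is otherwise the one from the question.

```python
import re

# Constructed sample: the question's schema plus one hypothetical field (listTables).
SCHEMA = """
type Query {
  getTable(PK: String!, SK: String!): Table
    @aws_auth(cognito_groups: ["customers"])
  listTables: [Table]
}
type Table @aws_auth(cognito_groups: ["customers"]) {
  DK1: String
  PK: String!
  SK: String!
}
"""

# Constructed sample in the shape of the `list-resolvers` response for type Query.
LIST_RESOLVERS = {"resolvers": [
    {"typeName": "Query", "fieldName": "listTables", "dataSourceName": "blah_table"},
]}


def type_fields(sdl, type_name):
    """Return the field names declared on one object type in the SDL text."""
    match = re.search(r"type\s+%s\b[^{]*\{(.*?)\}" % re.escape(type_name), sdl, re.S)
    if not match:
        return []
    # Drop argument lists and directive arguments so their colons are not counted.
    body = re.sub(r"\([^)]*\)", "", match.group(1))
    return re.findall(r"^[ \t]*(\w+)[ \t]*:", body, re.M)


def unresolved_fields(sdl, list_resolvers_response, type_name="Query"):
    """Fields on a root type with no resolver attached (these resolve to null)."""
    attached = {
        r["fieldName"]
        for r in list_resolvers_response.get("resolvers", [])
        if r["typeName"] == type_name
    }
    return [f for f in type_fields(sdl, type_name) if f not in attached]


if __name__ == "__main__":
    for field in unresolved_fields(SCHEMA, LIST_RESOLVERS):
        print(f"Query.{field}: no resolver attached")
```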
CodePudding user response:
Thanks to Ivan Caracamo's response, I learned that I needed to properly configure my resolvers.
I was able to get there with the resolver docs and this post.
Here's my request template
{
  "version": "2017-02-28",
  "operation": "GetItem",
  "key": {
    "PK": $util.dynamodb.toDynamoDBJson($ctx.args.PK),
    "SK": $util.dynamodb.toDynamoDBJson($ctx.args.SK)
  }
}
And here's my response template
$util.toJson($ctx.result)