I have setup an AppSync GraphQL API which uses two authorization modes, default being Cognito and other being IAM. Now I want to run this query even before the user is logged in for which I will be using the IAM authorization mode. This Api will access the dynamodb table through a lambda function.

Based on my understanding I guess the user can perform a read operation even if they are not logged in by using the IAM users permission that is attached to the Amplify project. Here I have the below policy/permission attached to the IAM user. Please let me know if I am thinking right.

Here is the policy that I created for executing a query operation on my API

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "appsync:GraphQL",
            "Resource": "arn:aws:appsync:<REGION>:<ACCOUNT>:apis/<APIID>/types/Query/fields/getUserById"
        }
    ]
}

Now when I run using the IAM authorized mode inside the AppSync console, I still get the unauthorized error. Here is the snip of the console -

CodePudding user response：

You must add schema directives for AppSync additional authorization modes to apply. Only the default authorization mode is automatically applied to the entire API.

type Query {
    getPost(id: ID): Post
    getAllPosts(): [Post]
    @aws_iam
}

aws_iam auth mode requires IAM access key and secret key credentials, which of course you do not want to provide to clients. If you need a pre-login public route, api_key auth is the better option.

AWS blogpost: Private data requires authenticated access using authorization mechanisms such as IAM, Amazon Cognito User Pools, and OIDC. Public data does not require authenticated access and is delivered through authorization mechanisms such as API Keys.