Grant lambdas access to other project resources for GraphQL API is either broken or very misleading #4306
Labels: bug, functions, pending-review, platform
Describe the bug
The workflow you go through to "update permissions granted to the Lambda function to perform on other resources in your project" does not work, at least not in the way that this piece of documentation implies it does: https://docs.amplify.aws/cli/function. If you don't choose the `create` operation, you won't actually be able to access an AppSync API from the Lambda.

Amplify CLI Version
4.20.0
To Reproduce
Go through the `amplify update function` flow as shown in the above image, being sure to choose an operation other than `create` (`read`, for example). Also, follow all the other steps outlined in the Amplify docs here: https://docs.amplify.aws/cli/function#signing-a-request-from-lambda - except instead of a create mutation, feel free to switch to one that is implied to be available based on the operation you chose (a list query, for example).
Then, run the lambda and note that you get back an unauthorized error.
Expected behavior
The Lambda's response contains the response of the AppSync query.
Additional context
When going through the permission grant flow, the outcome is the generation of a CloudFormation template in the Lambda's directory. This contains a subtree `AmplifyResourcesPolicy.Properties.PolicyDocument.Statement.Action`, and this is where the problem is. The actions granted by choosing `read` in the permission grant flow are `appsync:Get*` and `appsync:List*`; `update` gets you `appsync:Update*` and `delete` gets you `appsync:Delete*`. `create`, on the other hand, gives you `appsync:Create*`, `appsync:StartSchemaCreation`, and critically `appsync:GraphQL`.

An examination of the available Actions under the AppSync category in the IAM Policy Simulator reveals the following:

It looks like all the `Create*`, `Get*`, `Update*`, and `Delete*` Actions are meta-actions, which would allow your Lambda to manipulate AppSync itself - not use it.
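As an added example (not part of the original issue or the Amplify CLI), here is a small Python audit of the `AmplifyResourcesPolicy` subtree described above: it reports whether a generated template actually grants `appsync:GraphQL` (matching IAM wildcards case-insensitively, so `appsync:Get*` correctly does not cover it) and lists the control-plane actions that came along with it, plus a least-privilege statement that grants only the data-plane call. The template contents, role name, region, account id and API id are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase
from typing import Dict, List

# Data-plane action: the only one a Lambda needs in order to call the GraphQL endpoint.
GRAPHQL_ACTION = "appsync:GraphQL"


def sample_template(actions: List[str]) -> str:
    """Constructed stand-in for the AmplifyResourcesPolicy subtree of an Amplify
    <function>-cloudformation-template.json; role name, region, account and
    API id are hypothetical placeholders, not values from a real project."""
    return json.dumps({"Resources": {"AmplifyResourcesPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": "amplify-lambda-execution-policy",
            "Roles": [{"Ref": "LambdaExecutionRole"}],
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Action": actions,
                "Resource": ["arn:aws:appsync:us-east-1:123456789012:apis/EXAMPLEAPIID/*"],
            }]},
        }}}})


def audit_amplify_policy(template_json: str) -> Dict[str, object]:
    """Report whether the Allow statements grant appsync:GraphQL (honouring IAM's
    case-insensitive wildcards) and which AppSync control-plane actions they hold."""
    props = json.loads(template_json)["Resources"]["AmplifyResourcesPolicy"]["Properties"]
    granted: List[str] = []
    for stmt in props["PolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        granted.extend([action] if isinstance(action, str) else action)
    can_call = any(fnmatchcase(GRAPHQL_ACTION.lower(), p.lower()) for p in granted)
    # Every other appsync: action manages the API itself rather than using it.
    control_plane = sorted(
        a for a in granted
        if a.lower().startswith("appsync:") and a.lower() != GRAPHQL_ACTION.lower()
    )
    return {"can_call_graphql": can_call, "control_plane_actions": control_plane}


def minimal_graphql_statement(api_arn: str) -> Dict[str, object]:
    """Least-privilege replacement: only appsync:GraphQL on the API's sub-resources."""
    return {"Effect": "Allow", "Action": [GRAPHQL_ACTION], "Resource": [api_arn + "/*"]}
```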
I'm not sure if this is technically a bug, because you may well want a Lambda to be able to perform meta-actions on your AppSync instance. But that's definitely not the use case advertised in the Amplify docs on functions that I've linked twice in here. Those docs technically work because they recommend choosing the `create` option in the workflow, but the way the article is written, that looks like an arbitrary choice that shouldn't affect the outcome, and/or it is implied that because the author was using a mutation that did creation, that's why `create` was chosen.

Workaround
Just choose the `create` option if you want a Lambda to be able to access your AppSync API (and optionally go into the CloudFormation template and delete the extraneous `Create*` and `StartSchemaCreation` Actions).

Suggested Fix
Update the CLI to include some more language about how the `create`, `read`, `update`, and `delete` choices relate to meta-actions on the AppSync API itself; add a new category named `access` or `call GraphQL endpoint` or something; move the Action `appsync:GraphQL` from `create` to this new category; update the docs at https://docs.amplify.aws/cli/function