regression on appsync permission assignment from functions #6595
Comments
|
@r0zar thanks for the great job done on these permissions assignment 👍 |
|
Looks like the type mappings are wrong.
For a workaround try setting your CF template to this: {
"Effect": "Allow",
"Action": [
"appsync:GraphQL"
],
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:appsync:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":apis/",
{
"Ref": "apixxxGraphQLAPIIdOutput"
},
"/*"
]
]
}
]
} |
|
Thanks for your quick reply, I will give it a try and let you know. |
|
Thoughts on this issue... Amplify allows for limiting create/read/write/update access to AppSync through a CLI based question-answer workflow. To implement that, the cloudformation policy is split into separate resource inputs which each are responsible for different resolver ARNs wildcard-paths. You can get a better idea of the structure of the resolver ARNs by looking at your Resolver ARNs are being matched against using the implicit pattern that AppSync uses when it generates the resolvers. (Could be improved by exporting resolvers from the API category cloudformation and importing it elsewhere) I'm not sure why the resources in your example are using the old create/read/update/delete language. The goal of the PR was to remove the CRUD verbs with the introduction of graphql-style language (query/mutation/subscription) for graphql-based APIs. This simplified the mapping of actions to relevant resolver ARN paths. Todos
|
|
If it can help, the API has been created a few months ago, so not with the CLI V4.42. |
|
I confirm it works
|
|
Hello @thibaultdalban "appSync": {
"generateGraphQLPermissions": true
} |
SwaySway
added
documentation
|
Yup this feature flag can be assigned in the |
|
After upgrading to 4.43.0, I had this issue as well. I did not originally have the |
|
I'm also experiencing the same issue. For anyone on the amplify team looking into this, this comment on another github issue sums up the problem perfectly: Seems it should be very easy to fix |
|
Closing in favor of #6675 |
|
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server |
Describe the bug
Since PR #5342 requesting a graphQL API inside a lambda using IAM auth returns a
Permission denied.errors: [{ errorType: 'UnauthorizedException', message: 'Permission denied' }]Manually reverting the appsync policy in the lambda cloudformation template to the one generated before PR #5342 fix the issue.
Amplify CLI Version
4.42.0
Permissions generated in the cloudformation template
{ "Effect": "Allow", "Action": [ "appsync:GraphQL" ], "Resource": [ { "Fn::Join": [ "", [ "arn:aws:appsync:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":apis/", { "Ref": "apixxxGraphQLAPIIdOutput" }, "/types/create/*" ] ] }, { "Fn::Join": [ "", [ "arn:aws:appsync:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":apis/", { "Ref": "apixxxGraphQLAPIIdOutput" }, "/types/read/*" ] ] }, { "Fn::Join": [ "", [ "arn:aws:appsync:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":apis/", { "Ref": "apixxxGraphQLAPIIdOutput" }, "/types/update/*" ] ] }, { "Fn::Join": [ "", [ "arn:aws:appsync:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":apis/", { "Ref": "apixxxGraphQLAPIIdOutput" }, "/types/delete/*" ] ] } ] }Permissions manually updated in the cloudformation template
{ "Effect": "Allow", "Action": [ "appsync:Create*", "appsync:StartSchemaCreation", "appsync:GraphQL", "appsync:Get*", "appsync:List*", "appsync:Update*" ], "Resource": [ { "Fn::Join": [ "", [ "arn:aws:appsync:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":apis/", { "Ref": "apixxxGraphQLAPIIdOutput" }, "/*" ] ] } ] }This is how the request is signed in the lambda function:
The text was updated successfully, but these errors were encountered: