diff --git a/src/pages/cli/graphql/authorization-rules.mdx b/src/pages/cli/graphql/authorization-rules.mdx
index f2fb27f1f4f..bfcc6160cc5 100644
--- a/src/pages/cli/graphql/authorization-rules.mdx
+++ b/src/pages/cli/graphql/authorization-rules.mdx
@@ -43,11 +43,7 @@ input AMPLIFY { globalAuthRule: AuthRule = { allow: public } }
-```graphql
-input AMPLIFY { globalAuthRule: AuthRule = { allow: public } }
-```
-
-In your CDK construct, you'll need to enable this "sandbox mode" via an input parameter, rather than as part of the Graphql schema definition:
+In the CDK construct, we call this the "sandbox mode" that you need to explicitly enable via an input parameter.
```ts
new AmplifyGraphqlApi(this, "MyNewApi", {
@@ -108,7 +104,18 @@ When you run `amplify add auth`, the Amplify CLI generates scoped down IAM poli
Designate an IAM role for unauthenticated identities by setting the `iamConfig` property:
```ts
-const amplifyApi = new AmplifyGraphqlApi(this, "MyNewApi", {
+// Note: this sample uses the alpha Cognito Identity Pool construct, but is not required, CfnIdentityPool can be used as well
+import cognito_identitypool from '@aws-cdk/aws-cognito-identitypool-alpha';
+
+const identityPool = new cognito_identitypool.IdentityPool(stack, 'MyNewIdentityPool', {
+ allowUnauthenticatedIdentities: true,
+ authenticationProviders: { userPools: [new cognito_identitypool.UserPoolAuthenticationProvider({
+ userPool: ,
+ userPoolClient: ,
+ })] },
+});
+
+new AmplifyGraphqlApi(this, "MyNewApi", {
definition: AmplifyGraphqlDefinition.fromFiles(path.join(__dirname, "schema.graphql")),
authorizationModes: {
defaultAuthorizationMode: 'API_KEY',
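Review bot: The added `userPool: ,` and `userPoolClient: ,` lines are not valid TypeScript, so the sample cannot be pasted and compiled as written. The placeholder values appear to have been lost, possibly because angle-bracket placeholders were swallowed by MDX. Something like `userPool: myUserPool, // <-- pass in your Cognito user pool` and `userPoolClient: myUserPoolClient, // <-- pass in your user pool client` would survive rendering. The identity pool is also created with scope `stack` while the API below it uses `this`; one scope should be used throughout. The same block is repeated in the authenticated-identities hunk (`@@ -230,7 +231,18 @@`) and needs the same fix.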
@@ -116,20 +123,14 @@ const amplifyApi = new AmplifyGraphqlApi(this, "MyNewApi", {
expires: cdk.Duration.days(30)
},
iamConfig: {
- identityPoolId: ":", // <-- pass in your identity pool ID
- unauthenticatedUserRole: ..., // <-- pass in your unauthenticatedUserRole here
- authenticatedUserRole: ... // <-- pass in your authenticatedUserRole here
+ identityPoolId: identityPool.identityPoolId,
+ authenticatedUserRole: identityPool.authenticatedRole,
+ unauthenticatedUserRole: identityPool.unauthenticatedRole,
}
},
})
```
-
-
-**Note:** You must pass the identity pool ID as a string in the format above. Using a reference through a CDK token is currently not supported.
-
-
-
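Review bot: The new `iamConfig` passes `identityPoolId: identityPool.identityPoolId`, which is a CDK token at synth time, while the note removed here said token references were not supported. If that support arrived in a particular release of the construct, readers on an older version will hit a failure the page no longer explains. Consider replacing the deleted note with one that states the requirement, for example `**Note:** passing the identity pool ID as a CDK token requires version <MIN_VERSION_PLACEHOLDER> or later of the construct.` The same removal occurs in the last hunk (`@@ -238,20 +250,14 @@`).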
@@ -230,7 +231,18 @@ When you run `amplify add auth`, the Amplify CLI generates scoped down IAM poli
Designate an IAM role for authenticated identities by setting the `iamConfig` property:
```ts
-const amplifyApi = new AmplifyGraphqlApi(this, "MyNewApi", {
+// Note: this sample uses the alpha Cognito Identity Pool construct, but is not required, CfnIdentityPool can be used as well
+import cognito_identitypool from '@aws-cdk/aws-cognito-identitypool-alpha';
+
+const identityPool = new cognito_identitypool.IdentityPool(stack, 'MyNewIdentityPool', {
+ allowUnauthenticatedIdentities: true,
+ authenticationProviders: { userPools: [new cognito_identitypool.UserPoolAuthenticationProvider({
+ userPool: ,
+ userPoolClient: ,
+ })] },
+});
+
+new AmplifyGraphqlApi(this, "MyNewApi", {
definition: AmplifyGraphqlDefinition.fromFiles(path.join(__dirname, "schema.graphql")),
authorizationModes: {
defaultAuthorizationMode: 'API_KEY',
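Review bot: This sample sits under "Designate an IAM role for authenticated identities", yet the added identity pool sets `allowUnauthenticatedIdentities: true`, which lets callers obtain guest credentials without signing in. A reader who copies it for a signed-in-only API ends up with an unauthenticated role that is live, and anything granted to that role is reachable by guests. For this section I would use `allowUnauthenticatedIdentities: false,` (or omit the property) and keep `true` only in the unauthenticated-access sample. Whether `iamConfig` still requires `unauthenticatedUserRole` is not visible in this hunk; if it does, add a comment that guest access stays disabled at the pool.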
@@ -238,20 +250,14 @@ const amplifyApi = new AmplifyGraphqlApi(this, "MyNewApi", {
expires: cdk.Duration.days(30)
},
iamConfig: {
- identityPoolId: ":", // <-- pass in your identity pool ID
- unauthenticatedUserRole: ..., // <-- pass in your unauthenticatedUserRole here
- authenticatedUserRole: ... // <-- pass in your authenticatedUserRole here
+ identityPoolId: identityPool.identityPoolId,
+ authenticatedUserRole: identityPool.authenticatedRole,
+ unauthenticatedUserRole: identityPool.unauthenticatedRole,
}
},
})
```
-
-
-**Note:** You must pass the identity pool ID as a string in the format above. Using a reference through a CDK token is currently not supported.
-
-
-