[aws-cdk/appsync] - aws_auth directive ignored #8844

Closed
tombuckley91 opened this issue Jul 1, 2020 · 7 comments
Assignees
Labels
@aws-cdk/aws-appsync Related to AWS AppSync documentation This is a problem with documentation.

Comments

@tombuckley91

tombuckley91 commented Jul 1, 2020

type Query {
  getCustomers: [Customer] 
  @aws_auth(cognito_groups: ["Admins"])
  getCustomer(id: String): Customer
}

It would be expected that the above code would restrict the getCustomers query to users who exist in the Admins group. This is an example of the starter code made available on the AppSync CDK page.

Reproduction Steps

  • Copy the demo code from AppSync CDK
  • Add the above directive to the included graphql.schema
  • Deploy your changes
  • Make a query from a user that is not in the specified group
  • Expect to have information returned

Error Log

Environment

  • CLI Version : 1.47.1
  • Framework Version:
  • Node.js Version: 12.18.2
  • OS : Mac OSX
  • Language (Version): TypeScript (3.7.2)

Other


This is 🐛 Bug Report

@tombuckley91 tombuckley91 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 1, 2020
@github-actions github-actions bot added the @aws-cdk/aws-appsync Related to AWS AppSync label Jul 1, 2020
@tombuckley91 tombuckley91 changed the title [Appsync] - aws_auth(cognito_groups: ["foo" [Appsync] - aws_auth directive ignored Jul 1, 2020
@tombuckley91 tombuckley91 changed the title [Appsync] - aws_auth directive ignored [aws-cdk/Appsync] - aws_auth directive ignored Jul 1, 2020
@tombuckley91 tombuckley91 changed the title [aws-cdk/Appsync] - aws_auth directive ignored [aws-cdk/appsync] - aws_auth directive ignored Jul 1, 2020
@MrArnoldPalmer MrArnoldPalmer added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jul 8, 2020
@BryanPan342
Contributor

Hi Tom thanks for submitting an issue!

I reproduced what you were showing me and I got mine to work by making the IAM Role policy for the group Admins be the admin. Can you clarify more steps to where your bug is? I'm guessing it's permissions for the group.

@BryanPan342 BryanPan342 added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 14, 2020
@tombuckley91
Author

I reproduced what you were showing me and I got mine to work by making the IAM Role policy for the group Admins be the admin. Can you clarify more steps to where your bug is? I'm guessing it's permissions for the group.

Thank you for getting back to me @BryanPan342, I really appreciate it.

I'm not sure I fully understand. I created a group titled "Admins", to match what I specified in my schema, and a user not in that group could still query data that was seemingly restricted (this is my bug). If I understand what you're saying correctly, you have created a new role that grants admin, attached it to the "Admins" group, and at that point requested some data and been given it. Have you tried requesting from a user who is not in that group?

Thanks Bryan.

@BryanPan342
Contributor

Hm this is interesting.

So the policy statement should look something like this.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "appsync:GraphQL"
         ],
         "Resource": [
            "arn:aws:appsync:[REGION]:[ACCOUNT_ID]:apis/[GRAPHQL_ID]/types/Mutation/fields/doMutation"
         ]
      }
   ]
}

where the Resource section lists the ARNs of the resources you want to allow access to for the policy you are creating. Something to note as well is that if you are doing a Mutation, make sure to also give access to the types in the schema directive:

type superSecret @aws_auth(cognito_groups: ["Admins"]) {
...
}

type Mutation {
  addSuperSecret (...): ...
  @aws_auth(cognito_groups: ["Admins"])
}

I know this works for IAM, so I'm assuming it's the same use case for auth.

I'm looking into the condition you just mentioned and will respond by tomorrow. If you need an Admins group for backend tasks, I suggest using IAM.

Also have you looked at this part of the documentation?

You can’t use the @aws_auth directive along with additional authorization modes. @aws_auth works only in the context of AMAZON_COGNITO_USER_POOLS authorization with no additional authorization modes. However, you can use the @aws_cognito_user_pools directive in place of the @aws_auth directive, using the same arguments. The main difference between the two is that you can specify @aws_cognito_user_pools on any field and object type definitions.

@BryanPan342
Contributor

From what I can see right now, I think this is more of a documentation problem than a bug so changing the label for now.

@BryanPan342 BryanPan342 added documentation This is a problem with documentation. investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed bug This issue is a bug. p2 labels Jul 14, 2020
@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 15, 2020
@BryanPan342 BryanPan342 added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jul 16, 2020
@tombuckley91
Author

Thanks for your investigation @BryanPan342 , did you come to a conclusion? Is the outcome that aws_auth is not supported by schemas deployed via CDK?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 20, 2020
@BryanPan342
Contributor

@aws_auth is supported by CDK. However, something to note, following the AppSync documentation, is that @aws_auth only works for Cognito if it's the ONLY form of authorization.

If you use additional authorization then you must use the @aws_cognito_user_pool directive. Additionally, there was an issue before (#9054) where an apiKey was created if additionalAuthorization was not configured; it was fixed thanks to @warrify.

I think what might have happened @tombuckley91 was that the bug from the apiKey was adding an additional configuration that made the @aws_auth directive unusable. Now that it's fixed though, as long as you only have a single configuration for authorization, @aws_auth should work (from my tests I have gotten it to work).

Rule of thumb:

  • If only one authorization configuration, use @aws_auth
  • If using multiple configurations, use @aws_cognito_user_pool

@aws_auth and @aws_cognito_user_pool are specific to ONE and MULTIPLE configurations respectively. You can't use @aws_auth for multiple configurations and you can't use @aws_cognito_user_pool for one configuration.
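Added example (editor's note, not code from the aws-cdk project or from either participant): the rule of thumb above turned into a pre-deploy check. It reads the authorization modes of every AWS::AppSync::GraphQLApi out of a synthesized CloudFormation template and flags @aws_auth usage that AppSync will not honour when more than one mode is configured, which is the silent authorization gap this issue describes. AuthenticationType and AdditionalAuthenticationProviders are the real CloudFormation property names; the template shape (a plain Resources map), the sample template that models an API key configured alongside the user pool, and the Customer type completing the schema are constructed for the example and are not actual `cdk synth` output.

```typescript
// Added example, not aws-cdk project code. Lints a GraphQL SDL for Cognito group
// directives against the authorization modes found in a synthesized template.

export type AuthMode =
  | "AMAZON_COGNITO_USER_POOLS"
  | "API_KEY"
  | "AWS_IAM"
  | "OPENID_CONNECT";

export interface Finding {
  line: number;      // 1-based line in the SDL
  directive: string; // "aws_auth" or "aws_cognito_user_pools"
  message: string;
}

// AuthenticationType and AdditionalAuthenticationProviders are the real
// CloudFormation properties of AWS::AppSync::GraphQLApi. The template is
// assumed to be the plain `Resources` map `cdk synth` writes out.
export function authModesFromTemplate(template: any): AuthMode[] {
  const resources = (template && template.Resources) || {};
  const modes: AuthMode[] = [];
  for (const name of Object.keys(resources)) {
    const res = resources[name];
    if (!res || res.Type !== "AWS::AppSync::GraphQLApi") continue;
    const props = res.Properties || {};
    if (props.AuthenticationType) modes.push(props.AuthenticationType);
    for (const extra of props.AdditionalAuthenticationProviders || []) {
      if (extra && extra.AuthenticationType) modes.push(extra.AuthenticationType);
    }
  }
  return modes;
}

export function checkGroupDirectives(sdl: string, modes: AuthMode[]): Finding[] {
  const distinct = new Set<AuthMode>(modes);
  const hasCognito = distinct.has("AMAZON_COGNITO_USER_POOLS");
  const cognitoOnly = hasCognito && distinct.size === 1;
  const findings: Finding[] = [];
  sdl.split("\n").forEach((text, idx) => {
    const re = /@(aws_auth|aws_cognito_user_pools)\b/g;
    for (let m = re.exec(text); m !== null; m = re.exec(text)) {
      const directive = m[1];
      const line = idx + 1;
      if (!hasCognito) {
        findings.push({ line, directive, message:
          `@${directive} names Cognito groups, but AMAZON_COGNITO_USER_POOLS is not a configured authorization mode` });
      } else if (directive === "aws_auth" && !cognitoOnly) {
        // The case in this thread: a second mode (here an API key) is configured,
        // so @aws_auth is ignored and the field loses its group check.
        findings.push({ line, directive, message:
          "@aws_auth only applies when AMAZON_COGNITO_USER_POOLS is the sole authorization mode; " +
          "use @aws_cognito_user_pools with the same arguments" });
      }
    }
  });
  return findings;
}

// Constructed sample template modelled on the thread (Cognito user pool plus any
// additional providers passed in); not real `cdk synth` output.
export function sampleTemplate(additional: AuthMode[]): object {
  return {
    Resources: {
      Api: {
        Type: "AWS::AppSync::GraphQLApi",
        Properties: {
          Name: "demo",
          AuthenticationType: "AMAZON_COGNITO_USER_POOLS",
          UserPoolConfig: { AwsRegion: "us-east-1", UserPoolId: "us-east-1_EXAMPLE", DefaultAction: "ALLOW" },
          AdditionalAuthenticationProviders: additional.map((t) => ({ AuthenticationType: t })),
        },
      },
    },
  };
}

// The schema from the issue, with a constructed Customer type so it is complete.
export const sampleSchema = [
  "type Customer {",
  "  id: String",
  "  name: String",
  "}",
  "",
  "type Query {",
  "  getCustomers: [Customer]",
  '  @aws_auth(cognito_groups: ["Admins"])',
  "  getCustomer(id: String): Customer",
  "}",
].join("\n");

// Stand-alone run: one finding with Cognito + API key, none with Cognito only.
for (const extra of [["API_KEY"] as AuthMode[], [] as AuthMode[]]) {
  const modes = authModesFromTemplate(sampleTemplate(extra));
  for (const f of checkGroupDirectives(sampleSchema, modes)) {
    console.log(`[${modes.join("+")}] line ${f.line}: ${f.message}`);
  }
}
```

Run it against the real `cdk synth` template for the stack before deploying: a finding on a field that should be admin-only means that field will be served without the group check, which is exactly the symptom reported at the top of this issue.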

@BryanPan342
Contributor

I'm closing this issue for now but if there is something I missed, please reopen it or continue adding to the discussion.
