When I created my first IAM account on AWS console, I put it in a group with a policy to create AppSync schemas. I could create a table in dynamodb using my IAM account. However, when I tried to create a schema on AWS console using this IAM account, it gave me the following error:
User: arn:aws:iam::XXXX:user/XXXX is not authorized to perform: appsync:CreateGraphqlApi on resource: arn:aws:appsync:us-west-2:XXXX:/creategraphqlapi
Any idea why this is happening? Thanks.
Update: I tried creating using the sample Event App and it works for me. This error comes up when I try to create a blank schema.
AWS consoles are pretty separate from the roles which the current user has assumed, so it's expected behavior for it to just fail and say you're not authorized if the signed in user tries to overstep that role.
As far as APIs and schemas, an API is defined by the schema document. You must create an API first, then set the schema for that API. StartSchemaCreation is an AppSync API that 'upserts' the schema (save it no matter what does or doesn't exist already) for a GraphQL API, however that requires it to already exist.
Creating an API is done via CreateGraphQLApi, the API that the error message says is missing in your permissions. As Gabe said in a comment, you could just add that permission to the policy you're using. Alternatively, the AWSAppSyncAdministrator managed policy has "appsync:*" allowed, so that should allow you to create an API and set the schema. It's worth noting that that's intended as more of a CLI administrator, and is missing some permissions needed to fully use the AppSync console.
Most of the samples on the AppSync console are done via CloudFormation instead of individual calls to the AppSync service, so the permissions required are different. With the blank schema, however, you're calling the CreateGraphQLApi API directly. That would be why the sample worked but blank schema did not.
Edit:
You might be able to get the console piece working with these additional permissions:
...
"iam:ListRoles",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"lambda:AddPermission2*",
"lambda:ListFunctions2*",
"es:DescribeElasticsearchDomain",
"es:ListDomainNames",
"dynamodb:CreateTable",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"cognito-idp:ListUserPools"
...
Specifically, those are the operations the AppSync console can do; I'd bet you're running into the iam ones, though. AppSync uses them to give the service permission to access those data sources (e.g. if you have a DynamoDB table as a datasource, it'll create a role that the service can assume to read from and write to that table).
You can filter out the es (ElasticSearch), DynamoDB, and Lambda permissions if you are not trying to create a data source of those types, and the Cognito if you don't use Cognito auth.
As a security best practice, please do make sure you lock down the resources these can apply to and/or remove these permissions when you no longer need them, as those iam permissions are very powerful.
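As an added example (not code from the question or the answer above), a small Python script that parses an AccessDenied message like the one in the question and checks a policy document locally for the missing action, so you can confirm which statement to add before widening a policy. The sample group policy is constructed, and this evaluator only handles Effect/Action/Resource with '*' wildcards; it ignores Condition keys and NotAction/NotResource, unlike real IAM.

```python
import fnmatch
import json
import re

# Constructed sample policy resembling the question's group policy: it allows schema
# operations but not appsync:CreateGraphqlApi (assumption, not the asker's real policy).
GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["appsync:StartSchemaCreation", "appsync:GetSchemaCreationStatus"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:CreateTable", "Resource": "*"}
  ]
}""")

# Shape of the console/API error: "User: <arn> is not authorized to perform: <action> on resource: <arn>"
ERROR_RE = re.compile(
    r"User: (?P<user>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)")

def parse_access_denied(message):
    """Return {'user', 'action', 'resource'} from an AccessDenied message, or None."""
    m = ERROR_RE.search(message)
    return m.groupdict() if m else None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows(policy, action, resource):
    """Simplified evaluator: explicit Deny wins, otherwise any matching Allow grants."""
    decision = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # IAM action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def missing_actions(policy, needed, resource="*"):
    """Actions from `needed` that the policy does not allow on `resource`."""
    return [a for a in needed if not policy_allows(policy, a, resource)]

if __name__ == "__main__":
    err = parse_access_denied("User: arn:aws:iam::123456789012:user/dev is not authorized to "
        "perform: appsync:CreateGraphqlApi on resource: arn:aws:appsync:us-west-2:123456789012:/creategraphqlapi")
    print("missing:", missing_actions(GROUP_POLICY, [err["action"]], err["resource"]))
```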