
aws appsync auth directive not limiting access as expected


In my GraphQL schema for the AppSync API I am using I want to limit my users' actions based on the group they belong to.

According to the docs, adding the line @aws_auth(cognito_groups: ["Admins"]) should restrict access to only users belonging to the group "Admins". This does not happen when I run the mutation from the AppSync console or from the app itself.

My mutation is as follows:

    type Mutation @aws_iam
      @aws_cognito_user_pools {
        createItem(input: CreateItemInput!): Item
        updateItem(input: UpdateItemInput!): Item
          @aws_auth(cognito_groups: ["Admins"])
    }

The @aws_iam and @aws_cognito_user_pools directives seem to work fine. But anyone who has authenticated or has an IAM role can still perform an update, even if they do not belong to the "Admins" group.

What is going on here? Is there additional configuration that needs to be done to get this to work?


Solution

  • In general, you should avoid using @aws_auth at the same time as @aws_cognito_user_pools and @aws_iam, as they have slightly different behavior (see docs here).

    If you want to restrict access to updateItem while still allowing any IAM auth'd user to createItem then you can use:

    type Mutation {
        createItem(input: CreateItemInput!): Item
          @aws_iam
        updateItem(input: UpdateItemInput!): Item
          @aws_cognito_user_pools(cognito_groups: ["Admins"])
    }
    

    Placing the directive on the type implies that the auth config is valid for all the fields in that type. Placing the directive on the field makes it apply to the field only.
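As an added illustration of the two rules in this answer (type-level directives apply to every field, and @aws_auth should not be mixed with @aws_iam / @aws_cognito_user_pools), here is a small Python schema linter. It is example code written for this page, not part of the original post or of AppSync; the regex-based SDL parser and the rule names "mixed-directives" and "type-level-bypass" are my own constructions, and the schema it inspects is a constructed sample shaped like the question's Mutation type plus a Query type written the way the answer recommends.

```python
import re
from dataclasses import dataclass

# Constructed sample SDL: Mutation reproduces the problem from the question
# (group restriction via @aws_auth under type-level @aws_iam and
# @aws_cognito_user_pools); Query follows the answer's field-level pattern.
SAMPLE_SCHEMA = """
type Mutation @aws_iam
@aws_cognito_user_pools {
    createItem(input: CreateItemInput!): Item
    updateItem(input: UpdateItemInput!): Item
    @aws_auth(cognito_groups: ["Admins"])
}

type Query {
    getItem(id: ID!): Item
      @aws_iam
    listItems: [Item]
      @aws_cognito_user_pools(cognito_groups: ["Admins", "Auditors"])
}
"""

# Only the directives discussed on this page are considered; others are ignored.
AUTH_DIRECTIVES = {"aws_iam", "aws_cognito_user_pools", "aws_auth"}

# Minimal SDL parsing for the subset of GraphQL used here (assumption: no nested
# braces inside a type body and no ')' inside argument lists).
TYPE_RE = re.compile(r"\btype\s+(\w+)\s*([^{]*)\{(.*?)\}", re.S)
DIRECTIVE_RE = re.compile(r"@(\w+)(?:\(([^)]*)\))?")
FIELD_RE = re.compile(r"^[ \t]*(\w+)\s*(?:\([^)]*\))?\s*:\s*[\[\]\w!]+", re.M)


@dataclass
class Finding:
    type_name: str
    field_name: str
    rule: str
    message: str


def parse_directives(text):
    """Return [(directive_name, [cognito groups])] for every auth directive in text."""
    found = []
    for name, args in DIRECTIVE_RE.findall(text):
        if name not in AUTH_DIRECTIVES:
            continue
        groups = re.findall(r'"([^"]*)"', args) if "cognito_groups" in args else []
        found.append((name, groups))
    return found


def parse_schema(sdl):
    """Map each object type to its type-level directives and per-field directives."""
    types = {}
    for type_name, type_dir_text, body in TYPE_RE.findall(sdl):
        fields = {}
        starts = list(FIELD_RE.finditer(body))
        for i, m in enumerate(starts):
            # Directives for a field sit between its return type and the next field.
            end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
            fields[m.group(1)] = parse_directives(body[m.end():end])
        types[type_name] = {"type_level": parse_directives(type_dir_text), "fields": fields}
    return types


def effective_auth(sdl):
    """Per field, the directives that apply: type-level ones reach every field of the
    type, field-level ones only that field (the rule stated in the answer)."""
    out = {}
    for type_name, info in parse_schema(sdl).items():
        for field_name, field_dirs in info["fields"].items():
            out[f"{type_name}.{field_name}"] = info["type_level"] + field_dirs
    return out


def lint_schema(sdl):
    """Flag the two situations from the question."""
    findings = []
    for type_name, info in parse_schema(sdl).items():
        type_dirs = info["type_level"]
        type_names = {n for n, _ in type_dirs}
        for field_name, field_dirs in info["fields"].items():
            all_names = type_names | {n for n, _ in field_dirs}
            # Rule 1: @aws_auth mixed with the other two directives on one field.
            if "aws_auth" in all_names and all_names & {"aws_iam", "aws_cognito_user_pools"}:
                findings.append(Finding(type_name, field_name, "mixed-directives",
                    "@aws_auth is combined with @aws_iam/@aws_cognito_user_pools; express the "
                    "group restriction with @aws_cognito_user_pools(cognito_groups: [...]) instead"))
            # Rule 2: a group-restricted field on a type whose type-level directive has
            # no group restriction, so that directive still lets callers through.
            restricted = any(groups for _, groups in field_dirs)
            unrestricted = ["@" + n for n, groups in type_dirs if not groups]
            if restricted and unrestricted:
                findings.append(Finding(type_name, field_name, "type-level-bypass",
                    "type-level " + ", ".join(unrestricted) + " applies to this field too, so "
                    "callers using those modes are not limited by its cognito_groups"))
    return findings


if __name__ == "__main__":
    for f in lint_schema(SAMPLE_SCHEMA):
        print(f"{f.type_name}.{f.field_name} [{f.rule}]: {f.message}")
```

Run against the sample, the linter reports both rules for Mutation.updateItem and nothing for the Query type, which matches the answer: once @aws_iam is moved onto createItem and the group restriction is expressed as @aws_cognito_user_pools(cognito_groups: [...]) on updateItem, no type-level directive reaches updateItem any more.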