#✅ - Lambda gets denied by Graphql API (Amplify Studio, DynamoDB)


uneven wren

I get this error: "Not Authorized to access listLogins on type Query"
My Schema permissions (Login table).
```graphql
type Login @model @auth(rules: [{allow: private, provider: iam}]) {
```

I followed the guides inside and out multiple times. https://docs.amplify.aws/guides/functions/graphql-from-lambda/q/platform/js/#iam-authorization
I set up the API with IAM access, then I added my function using the PostAuthentication Trigger (Cognito), updated my function
but it still seems like Lambda is not authorised to use the GraphQL API.
**My understanding is Amplify CLI should have taken care of this...
or do I have to provision the policies separately (seems counter to the whole Amplify vibe)?**
The command `amplify update function` only offers these:
```
(*) api
( ) auth
( ) function
( ) storage
```

Here is my code:
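```js
// Imports and constants that the posted snippet relies on but does not show.
const { Sha256 } = require('@aws-crypto/sha256-js');
const { defaultProvider } = require('@aws-sdk/credential-provider-node');
const { SignatureV4 } = require('@aws-sdk/signature-v4');
const { HttpRequest } = require('@aws-sdk/protocol-http');
// fetch and Request are globals on the Node.js 18+ Lambda runtimes.

// Placeholder variable name: the post does not show where the endpoint comes from.
const GRAPHQL_ENDPOINT = process.env.GRAPHQL_ENDPOINT;
const AWS_REGION = process.env.AWS_REGION;

exports.handler = async (event) => {
  const query = /* GraphQL */ `query LIST_LOGINS { listLogins { items { id Type Status Message }}}`;
  const endpoint = new URL(GRAPHQL_ENDPOINT);

  // Sign the request with the function's execution-role credentials (SigV4).
  const signer = new SignatureV4({
    credentials: defaultProvider(),
    region: AWS_REGION,
    service: 'appsync',
    sha256: Sha256
  });
  const requestToBeSigned = new HttpRequest({
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      host: endpoint.host
    },
    hostname: endpoint.host,
    body: JSON.stringify({ query }),
    path: endpoint.pathname
  });
  const signed = await signer.sign(requestToBeSigned);
  const request = new Request(GRAPHQL_ENDPOINT, signed);

  let statusCode = 200;
  let body;
  let response;

  try {
    response = await fetch(request);
    body = await response.json();
    if (body.errors) {
      statusCode = 400;
      console.log("body.errors: ", body.errors);
    } else {
      console.log("response: ", response);
    }
  } catch (error) {
    statusCode = 500;
    body = {
      errors: [
        {
          message: error.message
        }
      ]
    };
  }
  return { statusCode, body: JSON.stringify(body) };
};
```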

cinder tundra

Did you add permission to access your API in your function?

`amplify update function`

- choose your function
- choose Resource access permissions
- activate "api"
- activate query / mutation / subscription (activate what you need)

It should work.

uneven wren

No, that does not work by itself.
I had done everything that the docs say to do, and especially made sure of that; in fact, I ensured I deployed the function last too, like the docs say.

Seemingly the issue is VTLs; I do not know what they are.

This is what I did to fix it, and I had tried this multiple times prior; it just so happened to work as tech support called:

A change to the schema.graphql file and then an `amplify push --force api` fixed it.

But yes, you are right, those other steps in **amplify update api** & **amplify update function** are important.

As a note, I was running the Cognito trigger "PostAuth...", and so it was created during `amplify update auth`.

latent island

@uneven wren sounds like you ran into a bug where sometimes the resolver does not get updated until an arbitrary change is made and force pushed.

Is your lambda now authorized correctly to perform queries?
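
Added example, not part of the thread and not any poster's code: a helper the Lambda could use to tell the resolver-level denial quoted in the first post apart from a request rejected earlier, so a stale resolver shows up as such in the logs. The name `classifyAppSyncResponse`, the sample responses, and the reading of HTTP 401/403 as a rejection before any resolver ran are assumptions.

```javascript
// Added example; classifyAppSyncResponse is a hypothetical helper name.
// Denial text quoted in the first post, which the thread traces to the resolver.
const RESOLVER_DENIAL = /^Not Authorized to access (\w+) on type (\w+)$/;

function classifyAppSyncResponse(httpStatus, body) {
  const errors = body && Array.isArray(body.errors) ? body.errors : [];
  const findings = errors.map((err) => {
    const message = err && typeof err.message === 'string' ? err.message : '';
    const match = RESOLVER_DENIAL.exec(message);
    if (match) {
      // The signed request reached a resolver, and the resolver's own
      // auth check rejected the caller: inspect the deployed resolvers.
      return { layer: 'resolver', target: `${match[2]}.${match[1]}`, message };
    }
    if (httpStatus === 401 || httpStatus === 403) {
      // Assumption: a 401/403 means rejection before any resolver ran
      // (signature, credentials or the execution role's IAM policy).
      return { layer: 'request', target: null, message };
    }
    return { layer: 'other', target: null, message };
  });
  return {
    ok: httpStatus >= 200 && httpStatus < 300 && findings.length === 0,
    resolverDenied: findings
      .filter((f) => f.layer === 'resolver')
      .map((f) => f.target),
    findings,
  };
}

// Constructed sample responses (not captured from a real API).
const SAMPLE_RESOLVER_DENIAL = {
  data: { listLogins: null },
  errors: [{ message: 'Not Authorized to access listLogins on type Query' }],
};
const SAMPLE_REQUEST_DENIAL = {
  errors: [{ message: 'constructed placeholder message' }],
};

console.log(classifyAppSyncResponse(200, SAMPLE_RESOLVER_DENIAL).resolverDenied);
console.log(classifyAppSyncResponse(403, SAMPLE_REQUEST_DENIAL).findings[0].layer);
```

In the handler above, logging `resolverDenied` next to `body.errors` records which field's resolver refused the function's role.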
