# How can I give a function access to an API that requires Cognito authorization?

5 messages · Page 1 of 1 (latest)

grave viper

Hello. I've been working on a post-confirmation trigger, following this tutorial where a fetch request is made with a GraphQL mutation to create a user: https://www.youtube.com/watch?v=Ti0Nc_FHZLo. However, I want the Users table to be only modifiable by Admin group and the function itself. Not with an API key as I assume that's not very secure.

Is there a way to somehow give my function an IAM role or something like that, so that it can make the fetch request through AppSync/GraphQL? Or will I have to do something like this tutorial where the DynamoDB table is modified directly: https://www.youtube.com/watch?v=Sk9HMuAaTmQ

robust cobalt

If you run amplify update function there should be an option to give the function permissions to access other resources in your amplify stack. Select the API one. You may also need to make sure that IAM auth is added/enabled on the API. Once this is done, your lambda can make sigv4 signed requests (iam auth) to the API.

You can check the pipeline resolver of a graphql method in appsync to see how the code is created for auth that allows the role to access the api

grave viper

Yeah IAM auth is an option in app sync that I’ve added. And in update function I’ve had the API environment variables generated. But I don’t have API key access turned on for any of my models except the public-facing read-only ones. So there’s still the error message at the moment of can’t access the API from the function. I guess maybe I need to add IAM to the data model, but then it says everyone with IAM access can edit?

robust cobalt

No you don't need IAM on the model. What it looks like is happening is that the request made to Appsync is an unsigned one where you pass in an API key. If the request is sigv4 signed, then it should not give issues.

I remember reading a document about amplify on this where there was an if statement that caused it to always attempt to use api key even though there was code for it. Could you potentially add the code making the request and redact sensitive information? (I can have a look)