
Currently I am using Amazon Cognito for authentication in an AWS Amplify project, so only signed-in users have access to the API. But I want some API calls to be publicly accessible.

How do I go about this?

simplikios

2 Answers

I just solved this exact same problem. This is what I did:

  1. Update your API by running amplify update auth and select IAM as your user handler (go with the defaults for everything else)

  2. Log in to your AWS console -> AppSync and modify access to IAM (instead of Cognito User Pool)

  3. Go to the IAM console and create IAM policies for both the AUTH and UNAUTH roles (search for them in the list by typing the name of your AppSync app)

Locate the AUTH user and attach the following policy (update it with your info):

AUTH USER

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appsync:GraphQL",
            "Resource": [
                "arn:aws:appsync:<AWS region>:<AWS account ID>:apis/<app sync endpoint ID>/*"
            ]
        }
    ]
}

Locate the UNAUTH user and attach the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appsync:GraphQL",
            "Resource": [
                "arn:aws:appsync:<AWS region>:<AWS account ID>:apis/<app sync endpoint ID>/types/Query/fields/<your Query name>",
                "arn:aws:appsync:<AWS region>:<AWS account ID>:apis/<app sync endpoint ID>/types/Query/fields/<your Query name>",
                "arn:aws:appsync:<AWS region>:<AWS account ID>:apis/<app sync endpoint ID>/types/Query/fields/<your Query name>"
            ]
        }
    ]
}
  4. And now the thing that is not documented (for people transitioning from Cognito User Pools to IAM): you need to import {AUTH_TYPE}

import AWSAppSyncClient, {AUTH_TYPE} from "aws-appsync";

and use it to load the credentials in the AppSync initialization

import { Auth } from "aws-amplify";
// Amplify-generated config; adjust the path to where your aws-exports file lives
import aws_config from "./aws-exports";

const client = new AWSAppSyncClient({
  disableOffline: true,
  url: aws_config.aws_appsync_graphqlEndpoint,
  region: aws_config.aws_cognito_region,
  auth: {
    // IAM: Amplify hands out credentials for the AUTH role (signed-in user)
    // or the UNAUTH role (guest), and AppSync enforces the attached policies
    type: AUTH_TYPE.AWS_IAM,
    credentials: () => Auth.currentCredentials(),
  },
});

Hope this helps.

G Cid
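The split between the two policies above is the whole security point: the AUTH role is allowed every field of the API, while the UNAUTH role is pinned to the Query fields it names. The following is an added example (not from the answer above) that models this with a minimal IAM-style evaluator, so you can check what a guest credential can and cannot reach before deploying the policies. The region, account ID, API ID and field names are constructed placeholders; replace them with your own values.

```javascript
// Added example: a minimal IAM-style policy evaluator that checks what the
// AUTH and UNAUTH policies permit against AppSync field ARNs.
// All ARN components below are constructed placeholder values.
const REGION = "us-east-1";
const ACCOUNT = "123456789012";
const API_ID = "exampleapiid";
const apiArn = `arn:aws:appsync:${REGION}:${ACCOUNT}:apis/${API_ID}`;

// Resource ARN for one GraphQL field, in the shape AppSync IAM policies use.
function fieldArn(type, field) {
  return `${apiArn}/types/${type}/fields/${field}`;
}

// AUTH role: every type and field of this API.
const authPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "appsync:GraphQL", Resource: [`${apiArn}/*`] }],
};

// UNAUTH role: only the Query fields that are meant to be public (constructed names).
const unauthPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: "appsync:GraphQL",
    Resource: [fieldArn("Query", "listPublicPosts"), fieldArn("Query", "getPublicPost")],
  }],
};

// IAM patterns treat "*" as a wildcard; every other character is literal.
function arnMatches(pattern, value) {
  const parts = pattern.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(value);
}

// Simplified IAM decision: an explicit Deny wins, any matching Allow grants,
// and the default is deny.
function isAllowed(policy, action, arn) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actions = [].concat(st.Action);
    const resources = [].concat(st.Resource);
    const hit = actions.some(a => arnMatches(a, action)) && resources.some(r => arnMatches(r, arn));
    if (!hit) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}
```

Running isAllowed with a Mutation ARN against unauthPolicy returns false, which is the behaviour you want to confirm for guest traffic before switching the API to IAM.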

For AppSync APIs, API keys are considered "unauthenticated".

See the below documentation: https://docs.aws.amazon.com/appsync/latest/devguide/security.html#api-key-authorization

  • But I'm not authorising via an API key, rather with a *Cognito User Pool* as described in my question. – simplikios Apr 10 '19 at 05:15
  • If you have Cognito User Pools as the auth configuration for your API, then you must provide a Cognito JWT token in the Authorization header for each and every request. The aws_auth directive on the schema is used to enforce more fine-grained authorization (i.e. Cognito Groups), but a Cognito token is required for every request. If you are trying to specify certain Queries to be publicly accessible without a Cognito token, whilst keeping others that require a Cognito token, then you are defining a 'Mixed-Auth' use case. Stay tuned to the AppSync blog posts for updates on Mixed-Auth support. – Ashwin Devendran Apr 10 '19 at 19:58