7

I have started using AWS AppSync and am running into a permissions issue.

I used AppSync to create a DynamoDB table for my data, and set up authorization for use with Cognito User Pools, which I've already created.

I set the Default Action to ALLOW which, according to the AWS docs - https://docs.aws.amazon.com/appsync/latest/devguide/security.html#amazon-cognito-user-pools-authorization - should allow public access to run any query/mutation/subscription defined in my schema by default.

The above documentation also says that restricting access is done by adding an @aws_auth to my type definitions, which I have not added yet.

And so this is what I want: I want my queries to be public - no need to add an @aws_auth directive - and my mutations to be restricted to the Admins group within my Cognito User Pool. So in testing out a query, I should be able to have the data returned to me without being signed in anywhere.

However, when trying to run any test queries inside the AppSync console, I receive the following error message:

{
  "errors": [
    {
      "errorType": "UnauthorizedException",
      "message": "Unable to parse JWT token."
    }
  ]
}

Obviously, this is related to not being signed in with Cognito.

I've tested these queries before without using the Cognito authorization, and they all worked fine. And since my Default Action is set to ALLOW for my Cognito authorizer, my queries should run just the same now since I didn't modify them.

Looking at the code for my queries, types, and resolvers, I can't spot any difference in how they are written. The IAM role allowing access to my DynamoDB table also remains the same and has no restrictions attached to it.

What is going on? Is there a bug with AppSync, or am I missing something here?

Please let me know. Thank you

3
  • Did you find a solution to this? Commented Oct 29, 2018 at 0:07
  • 2
    @Aldarund As of now, it seems that AppSync doesn't support public access when using Cognito for auth. So I made two AppSync projects, one for public access using an API key, and one for admins using Cognito. But it is possible to allow a mix of public and private access using AWS IAM, but I haven't tried experimenting with that just yet. Commented Oct 31, 2018 at 7:34
  • github.com/aws-amplify/amplify-js/issues/1252 Commented Nov 2, 2018 at 21:39

2 Answers

11

I think your API Key expiration date is over. So go to APIs -> select your AppSync -> go to setting -> select your API keys -> then Edit -> now you are in "Configure your API key and change expiration date." -> select Expires ("Choose when this API Key will expire"); here you can choose for 1 year from the date you create new API keys.

3 Comments

Setting authorization type to Amazon Cognito User Pool, API key is set to none by default. The answer is misleading.
Unauthorized Exception comes when either the key is expired or some parameter is missing in the query which is used in the DynamoDB table. Therefore the above answer is not misleading. @Cris69
Answer is misleading. What does Cognito have to do with the API key?
6

Are you talking about the "Queries" console? Even if you are logged in to your AWS account and you go to the AWS AppSync Queries console, you will still need to log in separately as a Cognito user. Click the "Login with User Pools" button.

From there, just enter the info of a Cognito user you already created, and that will simulate being logged in for testing purposes. You can find your clientId in your aws-exports.js file in your project on the line: "aws_user_pools_web_client_id".

Hope that helps!

1 Comment

can you send the x-api-key value from the Queries console?
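
A local diagnostic for the error discussed above, as an added example that is not part of the original question or answers: it decodes the value that would be sent as the token and reports whether it is structurally a JWT and whether its `cognito:groups` claim contains the Admins group. The function names and sample values are constructed for illustration, and no signature verification is performed.

```python
import base64
import json
import time


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value


def inspect_token(authorization, required_group="Admins", now=None):
    """Report what a Cognito-style JWT carries. No signature check is done:
    this is a local diagnostic, not an authorization decision."""
    now = time.time() if now is None else now
    parts = (authorization or "").split(".")
    if len(parts) != 3:
        return {"parseable": False, "reason": "expected 3 dot-separated segments"}
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except (ValueError, UnicodeError) as exc:
        return {"parseable": False, "reason": str(exc)}
    groups = claims.get("cognito:groups") or []
    return {
        "parseable": True,
        "alg": header.get("alg"),
        "token_use": claims.get("token_use"),
        "expired": claims.get("exp", 0) <= now,
        "groups": groups,
        "in_required_group": required_group in groups,
    }


def make_sample_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    admin = make_sample_token({"token_use": "id", "exp": 4102444800, "cognito:groups": ["Admins"]})
    for label, value in [("no token", ""), ("API key (constructed)", "da2-exampleexample"), ("admin", admin)]:
        print(label, inspect_token(value))
```

An empty value or an API key string is reported as not parseable, while a token issued to a user in the Admins group shows that group under `groups`.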
