Cannot give aws-lambda access to aws-appsync API

Question

I am working on a project where users can upload files into a S3 bucket, these uploaded files are mapped to a GraphQL key (which was generated by Amplify CLI), and an aws-lambda function is triggered. All of this is working, but the next step I want is for this aws-lambda function to create a second file with the same ownership attributes and POST the location of the saved second file to the GraphQL API.

I figured that this shouldn't be too difficult but I am having a lot of difficulty and can't understand where the problem lies.

BACKGROUND/DETAILS

I want the owner of the data (the uploader) to be the only user who is able to access the data, with the aws-lambda function operating in an admin role and able to POST/GET to API of any owner.

The GraphQL schema looks like this:

type FileUpload @model 
@auth(rules: [
  { allow: owner}]) {
  id: ID!
  foo: String
  bar: String
}

And I also found this seemingly-promising AWS guide which I thought would give an IAM role admin access (https://docs.amplify.aws/cli/graphql/authorization-rules/#configure-custom-identity-and-group-claims) which I followed by creating the file amplify/backend/api/<your-api-name>/custom-roles.json and saved it with

{
  "adminRoleNames": ["<YOUR_IAM_ROLE_NAME>"]
}

I replaced "<YOUR_IAM_ROLE_NAME>" with an IAM Role which I have given broad access to, including this appsync access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "appsync:*"
            ],
            "Resource": "*"
        }
    ]
}

Which is the role given to my aws-lambda function.

When I attempt to run a simple API query in my aws-lambda function with the above settings I get this error

response string:  
{
    "data": {
        "getFileUpload": null
    },
    "errors": [
        {
            "path": [
                "getFileUpload"
            ],
            "data": null,
            "errorType": "Unauthorized",
            "errorInfo": null,
            "locations": [
                {
                    "line": 3,
                    "column": 11,
                    "sourceName": null
                }
            ],
            "message": "Not Authorized to access getFileUpload on type Query"
        }
    ]
}

my actual python lambda script is

import http
API_URL = '<MY_API_URL>'
API_KEY = '<>MY_API_KEY'
HOST = API_URL.replace('https://','').replace('/graphql','')

def queryAPI():
    conn = http.client.HTTPSConnection(HOST, 443)
    headers = {
        'Content-type': 'application/graphql', 
        'x-api-key': API_KEY,
        'host': HOST
    }

    print('conn: ', conn)
    
    query = '''
            {
          getFileUpload(id: "<ID_HERE>") {
            description
            createdAt
            baseFilePath
          }
        }
    '''
    graphql_query = {
        'query': query
    }
    query_data = json.dumps(graphql_query)
    print('query data: ', query_data)
    conn.request('POST', '/graphql', query_data, headers)
    response = conn.getresponse()
    response_string = response.read().decode('utf-8')
    print('response string: ', response_string)

I pass in the API key and API URL above in addition to giving AWS-lambda the IAM role. I understand that only one is probably needed, but I am trying to get the process to work then pare it back.

QUESTION(s)

As far as I understand, I am

1. providing the appropriate @auth rules to my GraphQL schema based on my goals and (2 below)
2. giving my aws-lambda function sufficient IAM authorization (via both IAM role and API key) to override any potential restrictive @auth rules of my GraphQL schema

But clearly something is not working. Can anyone point me towards a problem that I am overlooking?

Answer 1

I had similar problem just yesterday. It was not 1:1 what you're trying to do, but maybe it's still helpful.

So I was trying to give lambda functions permissions to access the data based on my graphql schema. The schema had different @auth directives, which caused the lambda functions to not have access to the data anymore. Even though I gave them permissions via the cli and IAM roles. Although the documentation says this should work, it didn't:

if you grant a Lambda function in your Amplify project access to the GraphQL API via amplify update function, then the Lambda function's IAM execution role is allow-listed to honor the permissions granted on the Query, Mutation, and Subscription types. Therefore, these functions have special access privileges that are scoped based on their IAM policy instead of any particular @auth rule.

So I ended up adding @auth(rules: [{ allow: custom }]) to all parts of my schema that I want to access via lambda functions.

When doing this, make sure to add "lambda" as auth mode to your api via amplify update api.

In the authentication lambda function, you could then check if the user, who is invoking the function, has access to the requested query/S3 Data.