無法使用 IAM 和 AppSyncClient 從 Lambda 驗證到 AppSync GraphQL api

Question

我正在使用放大堆棧，需要對我的 graphql api 執行一些操作，它后面有 dynamodb。 我的 lambda function 中的請求返回未經授權的錯誤：“未授權在 SourceSync 類型上訪問 getSourceSync”，其中 getSourceSync 是 gql 查詢，SourceSync 是 Z20F35E63053988DFA8C3F6 名稱。

我的這個特定 model 的 schema.grapqhl 設置如下。 注意 auth 規則允許私有提供程序 iam：

type SourceSync @model (subscriptions: { level: off }) @auth(rules: [
    {allow: private, provider: iam}
    {allow: groups, groups: ["Admins"], provider: userPools},
    {allow: groups, groups: ["Users"], operations: [create], provider: userPools},
    {allow: groups, groupsField: "readGroups", operations: [create, read], provider: userPools},
    {allow: groups, groupsField: "editGroups", provider: userPools}]) {
    id: ID! @primaryKey
    name: String
    settings_id: ID @index(name: "bySettingsId", queryField: "sourceSyncBySettingsId")
    settings: Settings @hasOne(fields: ["settings_id"])
    childLookup: String
    createdAt: AWSDateTime!
    updatedAt: AWSDateTime!
    _createdBy: String
    _lastChangedBy: String
    _localChanges: AWSJSON
    readGroups: [String]
    editGroups: [String]
}

我的 lambda 函數的角色附加了以下內聯策略。 （出於安全目的，本文省略了實際 ID 值）：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "appsync:GraphQL"
            ],
            "Resource": [
                "arn:aws:appsync:us-east-1:111myaccountID:apis/11mygraphqlapiID/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "appsync:GetType"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

最后我的 lambda function 通過簡單的查詢測試設置如下：

/* stuff */

"use strict";
const axios = require("axios");
const awsAppSync = require("aws-appsync").default;
const gql = require("graphql-tag");
require("cross-fetch/polyfill");
const { PassThrough } = require("stream");
const aws = require("aws-sdk");

aws.config.update({
    region: process.env.AWS_REGION,

});

const appSync = new aws.AppSync();

const graphqlClient = new awsAppSync({
    url: process.env.API_GRAPHQLAPIENDPOINTOUTPUT,
    region: process.env.AWS_REGION,
    auth: {
        type: "AWS_IAM",
        credentials: aws.config.credentials,
    },
    disableOffline: true
});

exports.handler = async (event, context) => {
    
    console.log('context :: '+JSON.stringify(context));
    
    console.log('aws config :: '+JSON.stringify(aws.config));
    
          const sourceSyncTypes = await appSync
          .getType({
            apiId: process.env.API_GRAPHQLAPIIDOUTPUT,
            format: "JSON",
            typeName: "SourceSync",
          })
          .promise();
          console.log('ss = '+JSON.stringify(sourceSyncTypes));
    
    try {
    const qs = gql`query GetSourceSync {
  getSourceSync(id: "ov3") {
    id
    name
  }
}`;
    const res = await graphqlClient.query({query: qs, fetchPolicy: 'no-cache'});
    console.log(JSON.stringify(res));
    
    }
    catch(e) {
        console.log('ERR :: '+e);
        console.log(JSON.stringify(e));
    }
    
};

Answer 1

Found the solution, there seems to be an issue with triggering a rebuild of the resolvers on the api after permitting a function to access the graphql api. 但是有一個區別需要注意：

1. If the graphql api is part of an amplify app stack, then only functions created through the amplify cli for that app (ex: amplify add function ) and that are given access to the api through there will be able to access the api.

   • 此外，在更新期間，當您創建或更新 function 以授予其權限時，您必須確保在放大推送操作期間，api 堆棧也將更新。 您可以通過簡單地在您的放大/后端/api//schema.graphql 文件內的注釋中添加或刪除空格來觸發此操作。

2. If the function was created "adhoc" directly through the aws console, but it is trying to access a graphql api that was created as part of an amplify app stack, then you will need to put that function's role in amplify/backend/api/ <apiname>/custom-roles.json 格式

   { "adminRoleNames": ["<role name>", "<role name 2>", ...] }

文檔參考這里。

3. If neither your api or lambda function were created with the amplify cli as part of an app stack, then just need to give access to the graphql resources for query, mutation and subscription to the lambda's role in IAM, via inline policies or a pre-明確的政策。