2
votes

I want to give "guest / public" access to some queries in AppSync. But only let fully signed up users run mutations or other queries.

I have installed Amplify and configured the auth module to generate an identity pool and a user pool. I can see on the dashboard for identity pools that I have one unauthorized access (myself testing).

But I cannot execute any queries if I am not registered. My AppSync settings are set to "Cognito User Pool" with "default action" allow.

Has anybody solved this kind of problem yet?

1
Cognito has two sets of rules: one for authenticated users and one for unauthenticated users. Did you set AppSync permissions for unauthenticated users? - varnit
No, where can I enable this option? - nixn
In the Cognito console. - varnit
I cannot find any option regarding appsync permission from cognito console. Can you explain where you set this? - nixn
I think there's a bit of confusion because you're discussing 2 different things. @niksn is talking about Cognito User Pools, which is a user directory that you can use in your application to provide authentication capabilities. varnit is talking about Cognito Federated Identities, which you can use to obtain temporary AWS credentials. Both can be used as authorization options with AppSync. Here's a more detailed post that explains how the public/private API use case can be achieved with AppSync: forums.aws.amazon.com/thread.jspa?threadID=276886 - Ionut Trestian

1 Answer

4
votes

AppSync now supports different authentication permission types for different queries. See Using multiple authorization types with AWS AppSync GraphQL APIs.

Therefore, with this in mind, you could use @aws_cognito_user_pools on your protected queries, and @aws_api_key on your public queries, defining an API key in your AppSync settings to be used by your application when in "guest/public" mode.

Any queries/mutations you want accessible to both public/private will need both @aws_cognito_user_pools and @aws_api_key added to the query.

However, a complication to this is that AWS sets an expiration time on AppSync API keys, defaulting to 7 days. Hardly practical for a public route. Using the AWS API, you can extend this expiration to 365 days from the current date.

I have created this Lambda Function to traverse through any AppSync API keys that you have defined in your account and extend the expiration date to 365 days from now. Therefore, if you added this to your account, and created a CloudWatch Event to schedule the call to this Lambda function on an interval less than 365 days, your API key would never expire.
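As an added example (my code, not the question's project nor the answerer's), here is the directive layout the answer describes, written as a constructed AppSync schema fragment with a small Python check over it. The check applies the rule the answer states: a field carrying auth directives is reachable only through those modes, and a field without any falls back to the API's default mode (Cognito User Pools, as in the question). It lists which modes reach each Query and Mutation field and flags any mutation a caller holding only the public API key could run, which is the misconfiguration to catch before deploying a public/private split. The type and field names are made up, and the regexes are a deliberately minimal stand-in for a real GraphQL parser.

```python
import re

# Constructed schema (not the question's project): public read queries carry
# @aws_api_key, getPost is shared by both modes, everything else is left to
# the API's default auth mode (Cognito User Pools in the question).
SCHEMA = """
type Post @aws_api_key @aws_cognito_user_pools {
  id: ID!
  title: String!
  body: String
}

type Query {
  listPublicPosts: [Post] @aws_api_key
  getPost(id: ID!): Post @aws_api_key @aws_cognito_user_pools
  myDrafts: [Post] @aws_cognito_user_pools
}

type Mutation {
  createPost(title: String!, body: String): Post @aws_cognito_user_pools
  deletePost(id: ID!): Post
}
"""

# The API-level default mode from the question; fields without directives fall back to it.
DEFAULT_MODE = "@aws_cognito_user_pools"
AUTH_DIRECTIVES = {"@aws_api_key", "@aws_cognito_user_pools", "@aws_iam", "@aws_oidc"}
OPERATION_TYPES = ("Query", "Mutation", "Subscription")

# Minimal regexes standing in for a real GraphQL parser: one for `type X ... { body }`,
# one for a field line of the form `name(args): Type @dir @dir`.
_TYPE_RE = re.compile(r"^type\s+(\w+)[^{]*\{([^}]*)\}", re.M)
_FIELD_RE = re.compile(r"^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*[^@\n]+((?:@\w+\s*)*)$", re.M)


def field_auth_modes(schema):
    """Map 'Type.field' -> set of auth modes that may call it, for operation types only."""
    modes = {}
    for type_name, body in _TYPE_RE.findall(schema):
        if type_name not in OPERATION_TYPES:
            continue
        for field, directives in _FIELD_RE.findall(body):
            found = {d for d in directives.split() if d in AUTH_DIRECTIVES}
            # No directive on the field: only the API's default mode reaches it.
            modes[f"{type_name}.{field}"] = found or {DEFAULT_MODE}
    return modes


def api_key_reachable_mutations(schema):
    """Mutations a caller holding only the public API key could run.
    An empty list is the desired answer when only signed-up users may write."""
    return sorted(name for name, modes in field_auth_modes(schema).items()
                  if name.startswith("Mutation.") and "@aws_api_key" in modes)


if __name__ == "__main__":
    for name, modes in field_auth_modes(SCHEMA).items():
        print(f"{name:28s} {' '.join(sorted(modes))}")
    print("mutations reachable with API key only:", api_key_reachable_mutations(SCHEMA))
```

Running it against the constructed schema shows listPublicPosts reachable by the API key alone, getPost by both modes, and every mutation by user-pool callers only; the script would list deletePost if someone later tagged it @aws_api_key, which is exactly the change a review should stop.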
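As a second added example (my code, not the answerer's Lambda, which is not reproduced here), a handler that walks every AppSync API in the account and moves each key's expiry out to the 365-day cap the answer mentions. It assumes the boto3 AppSync client calls list_graphql_apis, list_api_keys and update_api_key, an execution role allowed those three actions, and that AppSync stores expiry as epoch seconds rounded down to the hour; the extra hour subtracted below is my own margin so the value is still inside the cap at the moment the request lands. Keys already at or beyond the target are left untouched, so a CloudWatch Events schedule can invoke it as often as you like.

```python
import time

try:
    import boto3  # present in the AWS Lambda Python runtime
except ImportError:  # lets the pure logic below run where the SDK is not installed
    boto3 = None

DAY = 86_400
MAX_LIFETIME_DAYS = 365  # the cap the answer mentions: at most 365 days from now


def target_expiry(now):
    """Epoch seconds for an expiry 365 days out, floored to the hour (AppSync stores
    expiry rounded down to the hour) minus one more hour of margin so the value is
    still within the cap by the time the request reaches AppSync."""
    return ((now + MAX_LIFETIME_DAYS * DAY) // 3600 - 1) * 3600


def _paged(call, key, **kwargs):
    """Collect every item from a nextToken-style paginated AppSync list call."""
    items, token = [], None
    while True:
        page = call(**kwargs, **({"nextToken": token} if token else {}))
        items.extend(page.get(key, []))
        token = page.get("nextToken")
        if not token:
            return items


def extend_all_keys(client, now):
    """Push every API key of every API out to the target expiry.
    Returns {apiId: [key ids updated]}; keys already at or past the target are
    skipped so a frequent schedule does not churn them needlessly."""
    new_expiry = target_expiry(now)
    updated = {}
    for api in _paged(client.list_graphql_apis, "graphqlApis"):
        api_id = api["apiId"]
        for key in _paged(client.list_api_keys, "apiKeys", apiId=api_id):
            if key.get("expires", 0) >= new_expiry:
                continue
            client.update_api_key(apiId=api_id, id=key["id"], expires=new_expiry)
            updated.setdefault(api_id, []).append(key["id"])
    return updated


def lambda_handler(event, context):
    """Entry point for the scheduled CloudWatch Events rule."""
    return extend_all_keys(boto3.client("appsync"), int(time.time()))
```

Two practical notes: the schedule interval only has to be shorter than the key lifetime, so a weekly rule is plenty, and a key that never expires is effectively a public credential baked into the client, which is one more reason to keep the fields it can reach to the read-only public queries the schema check above enforces.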