is this the best way to grant unauthenticated user...
# help
s
is this the best way to grant unauthenticated users access to just a couple resolvers in AppSync?
```
props!.cognitoAuth.attachPermissionsForUnauthUsers([
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['appsync:GraphQL'],
    resources: [
      appSyncApi.getResolver('Mutation createSession')!.arn,
      appSyncApi.getResolver('Mutation createEvent')!.arn,
    ],
  }),
]);
```
oh, maybe not 😕
```
Error: 'dev-microservices-core' depends on 'dev-microservices-api' (dev-microservices-core -> dev-microservices-api/AppSyncApi/Api/MutationcreateSessionResolver/Resource.ResolverArn, dev-microservices-core -> dev-microservices-api/AppSyncApi/Api/MutationcreateEventResolver/Resource.ResolverArn). Adding this dependency (dev-microservices-api -> dev-microservices-core/UserPool/Resource.Ref) would create a cyclic reference.
```
I’ll probably have to just make those `resources` into plain strings
f
Oh, does the stack with AppSyncApi depend on the stack with Auth?
s
yeah, the auth is defined in the Core stack.. and everything else depends on Core. Core shouldn’t depend on anything else
f
hmmm yeah.. this implicitly makes Core stack depend on the AppSync stack
s
I can just use a string
I shouldn’t make my resolvers magic strings like that though. I’ll put them in an enum
there we go! 🙂
```
const resolverArns = [Mutation.CreateSession, Mutation.CreateEvent].map(
  resolver =>
    `arn:aws:appsync:${stack.region}:${
      stack.account
    }:apis/*/types/${resolver.replace(' ', '/fields/')}`
);
auth.attachPermissionsForUnauthUsers([
  new PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['appsync:GraphQL'],
    resources: resolverArns,
  }),
]);
```
a
Not sure if this helps but thought I'd chime in with how we do it as you helped me out earlier! We use the graphql `directive`s to open certain resolvers to "apikey" which all non-authed client calls have. This just works out of the box assuming you have `appsync.AuthorizationType.API_KEY` as an auth-mode 👍
s
thanks! I sorted it out w/ the code above, seems to work fine 🙂