Custom mutation not accessible with IAM #2837

Closed
VincentvdE opened this issue Sep 4, 2024 · 6 comments · Fixed by #2921
Labels
bug Something isn't working Gen 2 pending-community-response Issue is pending a response from the author or community.

VincentvdE commented Sep 4, 2024

Environment information

System:
  OS: macOS 14.6.1
  CPU: (24) arm64 Apple M2 Ultra
  Memory: 117.35 GB / 192.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 18.20.4 - ~/.nvm/versions/node/v18.20.4/bin/node
  Yarn: 1.22.22 - /opt/homebrew/bin/yarn
  npm: 10.7.0 - ~/.nvm/versions/node/v18.20.4/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/auth-construct: 1.3.0
  @aws-amplify/backend: 1.1.1
  @aws-amplify/backend-auth: 1.1.3
  @aws-amplify/backend-cli: 1.2.4
  @aws-amplify/backend-data: 1.1.2
  @aws-amplify/backend-deployer: 1.0.6
  @aws-amplify/backend-function: 1.3.3
  @aws-amplify/backend-output-schemas: 1.2.0
  @aws-amplify/backend-output-storage: 1.1.1
  @aws-amplify/backend-secret: 1.0.1
  @aws-amplify/backend-storage: 1.1.2
  @aws-amplify/cli-core: 1.1.2
  @aws-amplify/client-config: 1.2.1
  @aws-amplify/deployed-backend-client: 1.4.0
  @aws-amplify/form-generator: 1.0.1
  @aws-amplify/model-generator: 1.0.5
  @aws-amplify/platform-core: 1.0.6
  @aws-amplify/plugin-types: 1.2.1
  @aws-amplify/sandbox: 1.1.3
  @aws-amplify/schema-generator: 1.2.1
  aws-amplify: 6.5.1
  aws-cdk: 2.153.0
  aws-cdk-lib: 2.153.0
  typescript: 5.5.4
AWS environment variables:
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Describe the bug

A custom mutation ("increment") is not accessible by a Lambda function. Upon checking the generated schema in AppSync, the mutation is missing the @aws_iam directive, which is likely causing the access issue.

Reproduction steps

amplify/data/resource.ts:

import { type ClientSchema, a, defineData } from "@aws-amplify/backend";
import { postConfirmation } from "../auth/post-confirmation/resource";
const schema = a
  .schema({
    UserProfile: a
      .model({
        email: a.string(),
        profileOwner: a.string(),
        kdnr: a.integer(),
      })
      .authorization((allow) => [
        allow.ownerDefinedIn("profileOwner"),
      ]),
    AtomicCounter: a
      .model({
        id: a.id(),
        value: a.integer()
      })
      .authorization((allow) => [
        allow.authenticated()
      ]),
    increment: a
      .mutation()
      .arguments({
        id: a.string().required()
      })
      // return type of the query
      .returns(a.integer())
      .handler(a.handler.custom({
        dataSource: a.ref('AtomicCounter'),
        entry: './increment.js',
      }))
      .authorization((allow) => [
        allow.authenticated()
      ])
  })
  .authorization((allow) => [allow.resource(postConfirmation)]);

export type Schema = ClientSchema<typeof schema>

export const data = defineData({
  schema: schema,
  authorizationModes: {
    defaultAuthorizationMode: "userPool",
    apiKeyAuthorizationMode: {
      expiresInDays: 365,
    },
  },
});

amplify/data/increment.js

export function request(ctx) {
  return {
    operation: 'UpdateItem',
    key: {
      id: { S: ctx.args.id }
    },
    update: {
      expression: 'ADD #value :one',
      expressionValues: { ':one': { N: 1 } },
      expressionNames: { '#value': 'value' },
    }
  }
}

export function response(ctx) {
  return ctx.result.value;
}

The generated schema looks like this:

  type Mutation {
    increment(id: String!): Int
      @aws_cognito_user_pools
    createUserProfile(input: CreateUserProfileInput!, condition: ModelUserProfileConditionInput): UserProfile
      @aws_iam
  @aws_cognito_user_pools
    updateUserProfile(input: UpdateUserProfileInput!, condition: ModelUserProfileConditionInput): UserProfile
      @aws_iam
  @aws_cognito_user_pools
    deleteUserProfile(input: DeleteUserProfileInput!, condition: ModelUserProfileConditionInput): UserProfile
      @aws_iam
  @aws_cognito_user_pools
    createAtomicCounter(input: CreateAtomicCounterInput!, condition: ModelAtomicCounterConditionInput): AtomicCounter
      @aws_iam
  @aws_cognito_user_pools
    updateAtomicCounter(input: UpdateAtomicCounterInput!, condition: ModelAtomicCounterConditionInput): AtomicCounter
      @aws_iam
  @aws_cognito_user_pools
    deleteAtomicCounter(input: DeleteAtomicCounterInput!, condition: ModelAtomicCounterConditionInput): AtomicCounter
      @aws_iam
  @aws_cognito_user_pools
  }

The increment is missing the "@aws_iam". After manually adding it, it works. Shouldn't the .authorization((allow) => [allow.resource(postConfirmation)]); add that?
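
A check for the condition reported above, added here as an example (not code from the issue author or the Amplify project): it lists the fields of a root type in a generated AppSync schema that lack a given auth directive such as `@aws_iam`. The function names are hypothetical, and the parser assumes no nested braces or parentheses inside the type body.

```javascript
// Added example: list fields of a GraphQL type that lack a given AppSync auth directive.
// Assumes AppSync-style SDL with no nested braces or parentheses inside the type body.
function fieldDirectives(sdl, typeName) {
  const block = new RegExp(`\\btype\\s+${typeName}\\b[^{]*\\{([^}]*)\\}`).exec(sdl);
  if (!block) throw new Error(`type ${typeName} not found in schema`);
  // Field name, optional (args), ": ReturnType", then zero or more @directives,
  // which the generated schema places on the lines after the field.
  const fieldRe = /(\w+)\s*(?:\([^)]*\))?\s*:\s*([\[\]\w!]+)((?:\s*@\w+(?:\([^)]*\))?)*)/g;
  const result = new Map();
  for (const m of block[1].matchAll(fieldRe)) {
    const directives = [...m[3].matchAll(/@(\w+)/g)].map((d) => d[1]);
    result.set(m[1], directives);
  }
  return result;
}

function fieldsMissing(sdl, typeName, directive) {
  const missing = [];
  for (const [field, directives] of fieldDirectives(sdl, typeName)) {
    if (!directives.includes(directive)) missing.push(field);
  }
  return missing;
}

// Constructed input: the Mutation type from the issue, shortened to three fields.
const reportedSchema = `
type Mutation {
  increment(id: String!): Int
    @aws_cognito_user_pools
  createUserProfile(input: CreateUserProfileInput!, condition: ModelUserProfileConditionInput): UserProfile
    @aws_iam
@aws_cognito_user_pools
  updateAtomicCounter(input: UpdateAtomicCounterInput!, condition: ModelAtomicCounterConditionInput): AtomicCounter
    @aws_iam
@aws_cognito_user_pools
}`;
// The same schema after the manual workaround described in the issue.
const patchedSchema = reportedSchema.replace(
  'Int\n    @aws_cognito_user_pools',
  'Int\n    @aws_iam\n    @aws_cognito_user_pools'
);

console.log(fieldsMissing(reportedSchema, 'Mutation', 'aws_iam'));
console.log(fieldsMissing(patchedSchema, 'Mutation', 'aws_iam'));
```

Run against the schema downloaded from the AppSync console, a non-empty result for `aws_iam` names the operations an IAM-signed caller such as a Lambda function cannot reach.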

@ykethan
Member

ykethan commented Sep 4, 2024

Hey,👋 thanks for raising this! I'm going to transfer this over to our API repository for better assistance 🙂

@ykethan ykethan transferred this issue from aws-amplify/amplify-backend Sep 4, 2024
@ykethan ykethan added the Gen 2 label Sep 4, 2024
@AnilMaktala AnilMaktala self-assigned this Sep 4, 2024
@AnilMaktala
Member

AnilMaktala commented Sep 26, 2024

Hi @VincentvdE, Apologies for the delay. Thanks for bringing this up. We’re able to reproduce the issue by following the steps outlined in the description, so we’re marking it as a bug for the team to investigate further.

@palpatim
Member

Reopening pending release of fix

@palpatim
Member

We have released this in @aws-amplify/[email protected], @aws-amplify/[email protected]. Update your project dependencies with an npm update to consume the fix.

@palpatim palpatim added pending-community-response Issue is pending a response from the author or community. and removed pending-release labels Oct 11, 2024