Hi NareshKumar,
To answer your question and best assist you, we require details that are non-public information. Please open a support case with AWS using the following link.
Thank you.
The error you're encountering, "Not Authorized to access listTestAppUsers on type Query", is likely due to a mismatch between your IAM authentication setup and the permissions defined in your GraphQL schema. Let's analyze the potential causes and solutions:
- Schema Configuration: Your schema allows public read access using IAM authentication. This is correct for allowing unauthenticated (guest) users to read data.
- IAM Role Configuration: The UnauthRole (for guest users) in your Identity Pool needs to have the correct permissions to access AppSync and perform the read operation. Based on the screenshot of the UnauthRole policy, it appears that the role has the necessary permissions for AppSync, including "appsync:GraphQL".
- AppSync Configuration: Ensure that your AppSync API is configured to use IAM authentication. In the AppSync console, check the "Settings" tab and confirm that "AWS IAM" is selected as an additional authorization mode.
- Identity Pool Configuration: Verify that your Identity Pool is correctly set up to provide temporary AWS credentials to unauthenticated users. Make sure the "Enable access to unauthenticated identities" option is enabled in your Identity Pool settings.
- Client-side Implementation: Ensure that your client application is correctly obtaining temporary AWS credentials from the Identity Pool for guest users and using these credentials when making requests to AppSync.
- AppSync API Association: Confirm that the AppSync API is correctly associated with the IAM role. In the AppSync console, under the "Settings" tab, check if the correct IAM role ARN is listed for unauthenticated access.
- IAM Role Trust Relationship: Verify that the IAM role's trust relationship allows the Cognito Identity service to assume the role. The trust policy should include "cognito-identity.amazonaws.com" as a trusted entity.
To resolve this issue:
- Double-check all the above points to ensure everything is correctly configured.
- If the issue persists, try creating a new IAM role specifically for unauthenticated access to your AppSync API, with the minimum required permissions.
- Update your Identity Pool to use this new role for unauthenticated users.
- If you're using AWS Amplify, ensure that you're calling Auth.currentCredentials() to get the correct IAM credentials before making API calls.
Remember, when working with IAM authentication in Cognito User Pools, certain API operations like RespondToAuthChallenge, AssociateSoftwareToken, and VerifyUserAttribute don't evaluate IAM policies. However, for your use case of querying the table, IAM authentication should work as expected once properly configured.
Sources
IAM roles - Amazon Cognito
Troubleshooting Amazon Cognito identity and access - Amazon Cognito
RespondToAuthChallenge - Amazon Cognito User Pools
AssociateSoftwareToken - Amazon Cognito User Pools
VerifyUserAttribute - Amazon Cognito User Pools
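The answer above lists the two policy documents a guest caller depends on (the UnauthRole permissions policy and its trust relationship) but does not show what a correct, least-privilege pair looks like or how to spot the usual mistakes. The following is an added example, not code from the original post or from AWS: it builds both documents scoped to a single Query field and then checks an arbitrary pair for the misconfigurations that surface as "Not Authorized to access ... on type Query". The region, account ID, API ID and identity pool ID are constructed placeholders; the field name listTestAppUsers is the one from the question.

```python
import re

# Constructed, hypothetical identifiers for this example (not from the original post).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
API_ID = "abcdefghijklmnopqrstuvwxyz"
IDENTITY_POOL_ID = f"{REGION}:11111111-2222-3333-4444-555555555555"
API_ARN = f"arn:aws:appsync:{REGION}:{ACCOUNT_ID}:apis/{API_ID}"


def field_arn(type_name, field):
    """ARN of one GraphQL field, the finest granularity appsync:GraphQL can be scoped to."""
    return f"{API_ARN}/types/{type_name}/fields/{field}"


def unauth_role_policy(query_fields):
    """Least-privilege permissions policy: only appsync:GraphQL, only the listed Query fields."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["appsync:GraphQL"],
            "Resource": [field_arn("Query", f) for f in query_fields],
        }],
    }


def unauth_trust_policy(identity_pool_id):
    """Trust policy letting Cognito Identity assume the role, pinned to one identity pool
    and to unauthenticated (guest) identities only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def check_unauth_role(permissions_policy, trust_policy, identity_pool_id, field):
    """Return the list of problems that would stop a guest from calling Query.<field>;
    an empty list means both documents look right. Entries prefixed 'warning:' still allow
    the call but grant more than needed."""
    findings = []
    target = field_arn("Query", field)

    allowed = False
    for st in permissions_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]  # action names are case-insensitive
        if not any(_glob(a, "appsync:graphql") for a in actions):
            continue
        for res in _as_list(st.get("Resource", [])):
            if _glob(res, target):
                allowed = True
                if res.endswith("*"):
                    findings.append(f"warning: {res} grants more than {target}")
    if not allowed:
        findings.append(f"permissions policy does not allow appsync:GraphQL on {target}")

    trusted = False
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if aud is not None and aud != identity_pool_id:
            continue  # statement trusts a different identity pool
        if amr is not None and not any(_glob(a, "unauthenticated") for a in _as_list(amr)):
            continue  # statement admits authenticated identities only
        trusted = True
        if aud is None:
            findings.append("warning: trust policy does not pin the identity pool (no aud condition)")
    if not trusted:
        findings.append("trust policy does not let cognito-identity.amazonaws.com assume the role "
                        "for unauthenticated identities of this pool")
    return findings


if __name__ == "__main__":
    import json
    perms = unauth_role_policy(["listTestAppUsers"])
    trust = unauth_trust_policy(IDENTITY_POOL_ID)
    print(json.dumps(perms, indent=2))
    print(json.dumps(trust, indent=2))
    print(check_unauth_role(perms, trust, IDENTITY_POOL_ID, "listTestAppUsers"))
```

Paste the role's two documents from the IAM console into `check_unauth_role` to see which half is wrong before changing anything; a common outcome is that the permissions policy is fine but the trust policy's amr condition reads "authenticated", which is exactly the case where guest credentials cannot assume the role at all. The `aud` condition matters for security as well as correctness: without it, any identity pool in any account could assume the role.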