0

I have a Lambda function created by Amplify to get a list of donors from AppSync, but it gets an UnauthorizedException every time I try to make a request. Here is my Lambda function:

const axios = require('axios');
const gql = require('graphql-tag');
const graphql = require('graphql');
const { print } = graphql;

const listDonors = gql`
    query listDonors {
        listDonors {
            items {
                id
                firstName
                lastName
            }
        }
    }
`

exports.handler = async (event) => {
    console.log("--------------------------------->");
    try {
        const graphqlData = await axios({
            url: process.env.API_DOCBACKEND_GRAPHQLAPIENDPOINTOUTPUT,
            method: 'post',
            headers: {
                'x-api-key': process.env.API_DOCBACKEND_GRAPHQLAPIIDOUTPUT
            },
            data: {
                query: print(listDonors),
            }
        });
        const body = {
            // The query's top-level field is listDonors, so read that key from the response
            graphqlData: graphqlData.data.data.listDonors
        }
        return {
            statusCode: 200,
            body: JSON.stringify(body),
            headers: {
                "Access-Control-Allow-Origin": "*",
            }
        }
    } catch (err) {
        console.log('error posting to appsync: ', err);
    }
}

Here is my IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "appsync:Create*",
                "appsync:StartSchemaCreation",
                "appsync:GraphQL",
                "appsync:Get*",
                "appsync:List*",
                "appsync:Update*",
                "appsync:Delete*"
            ],
            "Resource": [
                "arn:aws:appsync:us-east-1:862148551361:apis/2i62fn5z4vhtxbik3jcm33tc6e/types/Query/*",
                "arn:aws:appsync:us-east-1:862148551361:apis/2i62fn5z4vhtxbik3jcm33tc6e/types/Mutation/*",
                "arn:aws:appsync:us-east-1:862148551361:apis/2i62fn5z4vhtxbik3jcm33tc6e/types/Subscription/*"
            ],
            "Effect": "Allow"
        }
    ]
}

I followed the AWS Amplify documentation, but it did not help me at all.

2
  • post your error message Commented Aug 31, 2021 at 9:14
  • Here is my error message: Error: Request failed with status code 401 Commented Aug 31, 2021 at 9:15

1 Answer

1

The doc seems to indicate that you should pass a field or a graphqlapi to the GraphQL permission.

  • field should read arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}/fields/${FieldName}
  • graphqlapi should read arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}

It seems to me like arn:aws:appsync:us-east-1:xxx:apis/xxx/types/Query/* does not quite match the rule.

Maybe you should replace it with arn:aws:appsync:us-east-1:xxx:apis/xxx to use the graphqlapi format.

Or use the field format: arn:aws:appsync:us-east-1:xxx:apis/xxx/types/Query/fields/* (and do the same for other types, obviously)?
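To check which Resource patterns cover the field ARN for Query.listDonors in the field format the answer quotes, here is an added example (not code from the question or the answer). It assumes IAM wildcard semantics in which `*` matches any run of characters, including `/`; the account ID, the API ID and the helper names are constructed placeholders.

```javascript
// Added example, not code from the post. Account and API IDs are constructed placeholders.

// Assumption: IAM wildcard semantics, '*' = any run of characters (including '/'),
// '?' = exactly one character; every other character is literal.
function iamPatternToRegExp(pattern) {
  const literal = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + literal.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

// Field ARN in the format quoted in the answer.
function fieldArn({ partition = 'aws', region, account, apiId, typeName, fieldName }) {
  return `arn:${partition}:appsync:${region}:${account}:apis/${apiId}` +
    `/types/${typeName}/fields/${fieldName}`;
}

// For every Allow statement that grants `action`, report whether each Resource
// pattern covers `arn`. String matching only: no Deny, NotResource or Condition.
function resourceCoverage(policy, action, arn) {
  const rows = [];
  for (const st of [].concat(policy.Statement)) {
    if (st.Effect !== 'Allow') continue;
    const granted = [].concat(st.Action).some((a) =>
      iamPatternToRegExp(a.toLowerCase()).test(action.toLowerCase()));
    if (!granted) continue;
    for (const resource of [].concat(st.Resource)) {
      rows.push({ resource, covers: iamPatternToRegExp(resource).test(arn) });
    }
  }
  return rows;
}

const api = 'arn:aws:appsync:us-east-1:111122223333:apis/EXAMPLEAPIID';
const samplePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['appsync:GraphQL', 'appsync:List*'],
    Resource: [
      `${api}/types/Query/*`,                 // shape used in the question's policy
      `${api}/types/Query/fields/*`,          // field format from the answer
      `${api}/types/Query/fields/listDonors`, // a single field
      `${api}/types/Mutation/*`,              // a different type
    ],
  }],
};

const target = fieldArn({ region: 'us-east-1', account: '111122223333',
  apiId: 'EXAMPLEAPIID', typeName: 'Query', fieldName: 'listDonors' });
console.table(resourceCoverage(samplePolicy, 'appsync:GraphQL', target));
```

This checks the policy side only; whether AppSync evaluates the IAM policy at all depends on the API's authorization mode and on how the request is authenticated.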
