How to set up public endpoints with AWS AppSync
Learn how to make a public GraphQL endpoint in AWS AppSync in 5 minutes.
Setting up an unauthenticated endpoint in AppSync takes a surprising number of steps, but I'll try to keep it straightforward.
Let's get started! 🏁
Step 1: Update the AppSync API settings ⚙️
Add IAM as an additional authorization type with: amplify api update

Step 2: Update the AppSync schema 🧬
Add the @aws_iam directive to the Query or Mutation fields that should be public.
Step 3: Update Amplify API config files 📜
backend/api/<name>/parameters.json
Update parameters.json to pipe the references in from your team-provider-info.json file.
backend/api/<name>/stacks/CustomResources.json
Update parameters to include the references to the IAM roles.
Create a new resource for the IAM policy attached to your Cognito identities.
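The two CustomResources.json additions from this step, written out as an added example that is not code from the original post or from amplify-cli. It builds the extra stack parameter and the AWS::IAM::Policy resource as plain objects, renders the JSON to merge into the file, and audits the policy so the unauthenticated role never ends up with wildcard access. Assumptions: the nested API stack already exposes an AppSyncApiId parameter, unauthRoleName is the parameter name you chose in parameters.json for the Cognito unauthenticated role, and the field names are constructed placeholders.

```javascript
// Added example (not the post's or amplify-cli's code). Builds the CustomResources.json
// pieces for Step 3 and audits the resulting policy. Assumed names: 'AppSyncApiId'
// (existing stack parameter) and 'unauthRoleName' (parameter added in parameters.json).

// 1) Extra stack parameter: the unauthenticated role name piped in via parameters.json.
const extraParameters = {
  unauthRoleName: {
    Type: 'String',
    Description: 'Name of the Cognito unauthenticated IAM role (from team-provider-info.json)',
  },
};

// AppSync field ARN shape:
//   arn:aws:appsync:<region>:<account>:apis/<apiId>/types/<TypeName>/fields/<fieldName>
// Fn::Sub keeps region, account and API id out of the checked-in file.
function fieldArn(typeName, fieldName) {
  return {
    'Fn::Sub':
      'arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${AppSyncApiId}/types/' +
      typeName + '/fields/' + fieldName,
  };
}

// 2) AWS::IAM::Policy attached to the unauth role, scoped to the listed public fields only.
// publicFields is an array of [typeName, fieldName] pairs, e.g. [['Query', 'listPosts']].
function buildPublicEndpointsPolicy(publicFields) {
  if (!Array.isArray(publicFields) || publicFields.length === 0) {
    throw new Error('list at least one public field; never fall back to a wildcard');
  }
  return {
    PublicEndpointsPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyName: 'public-endpoints-policy',
        Roles: [{ Ref: 'unauthRoleName' }],
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [
            {
              Effect: 'Allow',
              Action: ['appsync:GraphQL'],
              Resource: publicFields.map(([typeName, fieldName]) => fieldArn(typeName, fieldName)),
            },
          ],
        },
      },
    },
  };
}

// Audit a PolicyDocument before deploying: an unauthenticated role must never get
// wildcard field access or actions beyond invoking GraphQL. Returns a list of findings.
function auditPolicyDocument(policyDocument) {
  const findings = [];
  for (const statement of policyDocument.Statement) {
    if (statement.Effect !== 'Allow') continue;
    const actions = [].concat(statement.Action);
    const resources = [].concat(statement.Resource);
    for (const action of actions) {
      if (action !== 'appsync:GraphQL') findings.push(`action too broad: ${action}`);
    }
    for (const resource of resources) {
      const arn = typeof resource === 'string' ? resource : resource['Fn::Sub'] || '';
      if (arn === '*' || /apis\/\*|\/types\/\*|\/fields\/\*/.test(arn)) {
        findings.push(`resource too broad: ${arn}`);
      }
    }
  }
  return findings;
}

// Render the fragment to merge into the Parameters and Resources sections of CustomResources.json.
function renderCustomResources(publicFields) {
  return JSON.stringify(
    { Parameters: extraParameters, Resources: buildPublicEndpointsPolicy(publicFields) },
    null,
    2,
  );
}

console.log(renderCustomResources([['Query', 'listPosts'], ['Query', 'getPost']]));
```

Run it with node and merge the printed Parameters and Resources entries into the existing CustomResources.json. The per-field ARNs are the point: a Resource of `apis/<id>/*` would let anyone on the internet call every query and mutation that carries the @aws_iam directive, including ones you only meant for the authenticated role.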
Step 4: Update the request to use IAM auth 🔏
Update the request to use IAM permissions.
Step 5: Deploy the updates 🚀
Now amplify push all that out (or just git push if you have CI/CD set up).
All done! 🎉
Hope this helped you set up public GraphQL APIs with AppSync.
Still stuck? 😑
Try using the AWS console to check that resources and settings are actually taking effect. Two things to check are that your unauthenticated role has the public-endpoints-policy applied, and that AppSync has IAM set as an additional authorization provider.
Final thoughts 🤔
Authenticated and unauthenticated IAM roles should be easier to work with. The authenticated role is auto-magically imported into many CloudFormation stacks, but the unauthenticated one requires explicit code to work with it. To me, this seems like an easy fix for amplify-cli to improve things: simply wire the role up to resources by default. The CLI tools make it easy to "turn on" IAM permissions, but beyond that I've always found it to be a bit of a learning curve to actually implement them in an organized way.