How to set up public endpoints with AWS AppSync

Learn how to make a public GraphQL endpoint in AWS AppSync in 5 minutes.


Setting up an unauthenticated endpoint in AppSync takes a surprising amount of steps, but I'll try to keep it straightforward.

Let's get started! 🏁

Step 1: Update the AppSync API settings ⚙️

Add IAM as an additional authorization type by running: amplify api update

Step 2: Update the AppSync schema 🧬

Add the @aws_iam directive to the Query or Mutation fields that should be reachable without a signed-in user.

Step 3: Update Amplify API config files 📜

backend/api/<name>/parameters.json

Update parameters.json to pipe the IAM role references in from your team-provider-info.json file.

backend/api/<name>/stacks/CustomResources.json

Update the stack's parameters to accept the IAM role references passed in from parameters.json.

Create a new resource for the IAM policy attached to your Cognito identity pool roles (for a public endpoint, the unauthenticated role is the one that matters).

Step 4: Update the request to use IAM auth 🔏

Update the client request so it is sent with the IAM authorization mode instead of the API's default mode.

Step 5: Deploy the updates 🚀

Now run amplify push to deploy all of that (or just git push if you have CI/CD set up).
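As an added illustration of the Step 3 CustomResources.json changes (my own example, not the files from the original post), this fragment declares a parameter for the unauthenticated role and attaches a policy that only allows the one field the schema marks with @aws_iam. It assumes parameters.json fills the unauthRoleName parameter from the UnauthRoleName value Amplify writes to team-provider-info.json, that AppSyncApiId is already a parameter of the stack, and it uses listPosts as a placeholder field name; the Resource ARN is scoped to that single field so the unauthenticated role cannot call anything else on the API.

```json
{
  "Parameters": {
    "AppSyncApiId": { "Type": "String" },
    "env": { "Type": "String" },
    "unauthRoleName": {
      "Type": "String",
      "Description": "Assumed parameter: name of the Cognito unauthenticated role, supplied by parameters.json from team-provider-info.json"
    }
  },
  "Resources": {
    "PublicEndpointsPolicy": {
      "Type": "AWS::IAM::Policy",
      "Metadata": {
        "Note": "Added example, not from the original post; listPosts is a placeholder field name"
      },
      "Properties": {
        "PolicyName": "public-endpoints-policy",
        "Roles": [ { "Ref": "unauthRoleName" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "appsync:GraphQL",
              "Resource": [
                {
                  "Fn::Sub": "arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${AppSyncApiId}/types/Query/fields/listPosts"
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

Add one more ARN entry per field you expose rather than widening the Resource to the whole API; anything not listed here stays invisible to anonymous callers even if it carries @aws_iam in the schema.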

All done! 🎉

Hope this helped you set up public GraphQL APIs with AppSync.


Still stuck? 😑

Try using the AWS console to check that resources and settings are actually taking effect. Two things to check are that your unauthenticated role has the public-endpoints-policy applied, and that AppSync has IAM set as an additional authorization provider.

Final thoughts 🤔

Authenticated and unauthenticated IAM roles should be easier to work with. The authenticated role is auto-magically imported into many CloudFormation stacks, but the unauthenticated one requires explicit code to work with it. To me, this seems like an easy improvement for amplify-cli: simply wire the role up to resources by default. The CLI tools make it easy to "turn on" IAM permissions, but beyond that I've always found it to be a bit of a learning curve to actually implement them in an organized way.