Setting up an unauthenticated endpoint in AppSync takes a surprising number of steps, but I'll try to keep it straightforward.
Let's get started! 🏁
Step 1: Update the AppSync API settings ⚙️
Add IAM as an additional authorization type (keeping your existing default auth mode in place) by running amplify api update.
Step 2: Update the AppSync schema 🧬
Add the @aws_iam directive to the Query or Mutation fields you want to expose publicly. Put it on the individual fields rather than on the whole type, so that only those fields become reachable through the unauthenticated role; fields without the directive stay available only through the default auth mode.
Step 3: Update Amplify API config files 📜
Update parameters.json to pipe in the references to the IAM roles (in Amplify projects the identity pool's roles reach nested stacks as the AuthRoleName and UnauthRoleName parameters).
Create a new resource for the IAM policy attached to your Cognito identities, and scope it to the specific @aws_iam fields rather than to the whole API, since every anonymous visitor will hold this role's permissions.
Step 4: Update the request to use IAM auth 🔏
Update the client request to use IAM auth instead of a user pool token: the request is signed with the temporary credentials the identity pool hands to unauthenticated visitors, so it can only reach what the unauthenticated role's policy allows, and only the fields carrying @aws_iam.
Step 5: Deploy the updates 🚀
Run amplify push to ship all that out (or just git push if you have CI/CD set up).
All done! 🎉
Hope this helped you set up public GraphQL APIs with AppSync.
Still stuck? 😑
Try using the AWS console to check that resources and settings are actually taking effect. Two things to check are that your unauthenticated role has the public-endpoints-policy applied, and that AppSync has IAM set as an additional authorization provider.
Final thoughts 🤔
Authenticated and unauthenticated IAM roles should be easier to work with. The authenticated role is auto-magically imported into many CloudFormation stacks, but the unauthenticated one requires explicit code to work with it. To me, this seems like an easy improvement for amplify-cli: simply wire the role up to resources by default. The CLI tools make it easy to "turn on" IAM permissions, but beyond that I've always found it to be a bit of a learning curve to actually implement them in an organized way.