Unnecessary AppSync resources not included in the operation specified by @auth directive are included in authRole and unauthRole #2111

Description

@fossamagna

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v18.18.1

Amplify CLI Version

12.8.2

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

N/A

Describe the bug

Grant public access read operation to the Todo model. Also, allow read, create, and update operations for private access.

type Todo @model @auth(rules: [
  { allow: public, provider: iam, operations: [read] },
  { allow: private, provider: iam, operations: [read, create, update] }
]) {
  id: ID!
  name: String!
  description: String
}

The policy of unauthRole generated by amplify:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "appsync:GraphQL",
            "Resource": [
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Todo/*",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Query/fields/getTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Query/fields/listTodos",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/createTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/updateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/deleteTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onCreateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onUpdateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onDeleteTodo"
            ],
            "Effect": "Allow"
        }
    ]
}

The following three resource definitions are not necessary because only read operations are allowed for public access.

                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/createTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/updateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/deleteTodo",

The policy of authRole generated by amplify:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "appsync:GraphQL",
            "Resource": [
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Todo/*",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Query/fields/getTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Query/fields/listTodos",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/createTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/updateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/deleteTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onCreateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onUpdateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onDeleteTodo"
            ],
            "Effect": "Allow"
        }
    ]
}

The following resource definition is not necessary because only read, create, and update operations are allowed for private access.

                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/deleteTodo",

Expected behavior

Resource definitions described above as unnecessary should not be included in the generated policy.

Reproduction steps

  1. Run git clone git@github.com:fossamagna/amplify-unnecessary-iam-role-resources.git
  2. Run amplify push
  3. Check the policy of the IAM roles (authRole, unauthRole) created by amplify in the AWS Web Console

Project Identifier

No response

Log output

# Put your logs below this line


Additional information

#308 (comment) may have the same issue.

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
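Added example, not code from the issue or from the Amplify CLI: a Python audit that derives the AppSync field ARNs an `@auth` rule should grant to a role and diffs them against the policy Amplify actually generated, reporting the surplus resources described above. The operation-to-field mapping (subscriptions counted under `read`, as the report does), the `list{Model}s` pluralization and the reconstructed policies are assumptions built from the values on this page.

```python
from typing import Dict, List, Set

# API ARN prefix as it appears in the policies on this page (accountId is a placeholder).
API_ARN = "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu"

# Assumed mapping from @auth operations to the generated AppSync fields for a model.
# Subscriptions are grouped with "read", matching what the issue treats as acceptable.
OPERATION_FIELDS: Dict[str, List[str]] = {
    "read": ["types/{m}/*", "types/Query/fields/get{m}", "types/Query/fields/list{m}s",
             "types/Subscription/fields/onCreate{m}", "types/Subscription/fields/onUpdate{m}",
             "types/Subscription/fields/onDelete{m}"],
    "create": ["types/Mutation/fields/create{m}"],
    "update": ["types/Mutation/fields/update{m}"],
    "delete": ["types/Mutation/fields/delete{m}"],
}

def expected_resources(model: str, operations: List[str]) -> Set[str]:
    """ARNs a role should hold for the given @auth operations on one model."""
    return {f"{API_ARN}/{p.format(m=model)}" for op in operations for p in OPERATION_FIELDS[op]}

def policy_resources(policy: dict) -> Set[str]:
    """Collect every resource granted appsync:GraphQL by Allow statements in an IAM policy."""
    found: Set[str] = set()
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") != "Allow" or "appsync:GraphQL" not in actions:
            continue
        res = st["Resource"]
        found.update(res if isinstance(res, list) else [res])
    return found

def surplus_resources(policy: dict, model: str, operations: List[str]) -> Set[str]:
    """Resources the generated policy grants beyond what the @auth rule asked for."""
    return policy_resources(policy) - expected_resources(model, operations)

def generated_policy(fields: List[str]) -> dict:
    """Constructed policy mirroring the authRole/unauthRole documents shown in the issue."""
    return {"Version": "2012-10-17", "Statement": [{"Action": "appsync:GraphQL",
            "Resource": [f"{API_ARN}/{f}" for f in fields], "Effect": "Allow"}]}

# Both roles on the page received every Todo field, regardless of the @auth operations.
ALL_TODO_FIELDS = [p.format(m="Todo") for ps in OPERATION_FIELDS.values() for p in ps]
UNAUTH_POLICY = generated_policy(ALL_TODO_FIELDS)   # public: [read]
AUTH_POLICY = generated_policy(ALL_TODO_FIELDS)     # private: [read, create, update]

if __name__ == "__main__":
    for name, pol, ops in [("unauthRole", UNAUTH_POLICY, ["read"]),
                           ("authRole", AUTH_POLICY, ["read", "create", "update"])]:
        for arn in sorted(surplus_resources(pol, "Todo", ops)):
            print(f"{name}: surplus {arn}")
```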
