From e6b898985db5d1ffbfc551358b7323f78aec8499 Mon Sep 17 00:00:00 2001
From: Tim Schmelter
Date: Tue, 5 Nov 2024 08:43:44 -0800
Subject: [PATCH 1/3] feat: add discussions on IAM authz; authz on custom operations
---
 .../data/customize-authz/index.mdx | 42 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx b/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
index 0d844331604..dbea6f65a74 100644
--- a/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
+++ b/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
@@ -256,9 +256,49 @@ do {
+## IAM authorization
+
+All Amplify Gen 2 projects enable IAM authorization for data access. This ensures that the Amplify console's [data manager](/[platform]/build-a-backend/data/manage-with-amplify-console/) will be able to access your API. It also allows you to authorize other administrative or machine-to-machine access using your own IAM policies. See the [AWS AppSync Developer Guide](https://docs.aws.amazon.com/appsync/latest/devguide/security_iam_service-with-iam.html) for details on how AWS AppSync works with IAM.
+
+## Authorization on custom types
+
+Authorization rules are only supported on data models (model-level and field-level) and custom operations (queries, mutations and subscriptions). They are not fully supported on custom types. In particular, this means custom operations that return a custom type won't always be authorized the way you expect. For example, consider a custom query that returns a custom type:
+
+```ts
+const schema = a.schema({
+ Counter: a.customType({
+ value: a.integer(),
+ })
+ .authorization(...), // <-- not supported
+ getCounter: a
+ .mutation()
+ .arguments({
+ id: a.string().required(),
+ })
+ .returns(a.ref("Counter"))
+ .handler(
+ a.handler.custom({
+ entry: "./getCounter.js",
+ })
+ )
+ .authorization((allow) => [allow.authenticated()]),
+});
+
+export type Schema = ClientSchema;
+
+export const data = defineData({
+ schema: schema,
+ authorizationModes: {
+ defaultAuthorizationMode: "userPool",
+ },
+});
+```
+
+As you can see, the custom `Counter` type does not support the `.authorization()` modifier. Instead, behind the scenes, Amplify will add appropriate authorization rules to `Counter` to allow authenticated users to access it. That means that any signed-in user will be able to access the custom operation and all fields of the custom type.
+
-**Note**: Authorization rules are only supported on data models (model-level and field-level) and custom operations (queries, mutations and subscriptions). They are not fully supported on custom types.
+**Note**: IAM authorization is not currently supported for custom operations that return custom types if `defaultAuthorizationMode` is not `iam`. See [GitHub issue #2929](https://github.com/aws-amplify/amplify-category-api/issues/2929) for details and suggested workarounds.
From 6abd25d52db885716b7784a2821bc62d8d6ef22a Mon Sep 17 00:00:00 2001
From: Tim Schmelter
Date: Tue, 5 Nov 2024 09:13:59 -0800
Subject: [PATCH 2/3] reword custom types intro
---
 .../[platform]/build-a-backend/data/customize-authz/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx b/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
index dbea6f65a74..0397600e899 100644
--- a/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
+++ b/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
@@ -262,7 +262,7 @@ All Amplify Gen 2 projects enable IAM authorization for data access. This ensure
 ## Authorization on custom types
-Authorization rules are only supported on data models (model-level and field-level) and custom operations (queries, mutations and subscriptions). They are not fully supported on custom types. In particular, this means custom operations that return a custom type won't always be authorized the way you expect. For example, consider a custom query that returns a custom type:
+Authorization rules are only supported on data models (model-level and field-level) and custom operations (queries, mutations and subscriptions). They are not fully supported on custom types. In particular, this means custom operations that return a custom type won't always support the authorization modes you expect. For example, consider a custom query that returns a custom type:
 ```ts
 const schema = a.schema({
From 1628b2366a46a491d0afacd64f737fd9f69b02e7 Mon Sep 17 00:00:00 2001
From: Tim Schmelter
Date: Tue, 5 Nov 2024 09:35:49 -0800
Subject: [PATCH 3/3] reword custom types intro
---
 .../[platform]/build-a-backend/data/customize-authz/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx b/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
index 0397600e899..9b35bcfc9eb 100644
--- a/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
+++ b/src/pages/[platform]/build-a-backend/data/customize-authz/index.mdx
@@ -262,7 +262,7 @@ All Amplify Gen 2 projects enable IAM authorization for data access. This ensure
 ## Authorization on custom types
-Authorization rules are only supported on data models (model-level and field-level) and custom operations (queries, mutations and subscriptions). They are not fully supported on custom types. In particular, this means custom operations that return a custom type won't always support the authorization modes you expect. For example, consider a custom query that returns a custom type:
+Authorization rules are only supported on data models (model-level and field-level) and custom operations (queries, mutations and subscriptions). They are not fully supported on custom types, including custom types returned by custom operations. For example, consider a custom query that returns a custom type:
 ```ts
 const schema = a.schema({