5

I'm getting GraphQLError: Request failed with status code 401

I followed the automatic configuration instructions from:

https://aws.github.io/aws-amplify/media/api_guide#automated-configuration-with-cli

I tried looking, but there is a lack of resources for IAM. It looks like everything should be set up automatically and done with the Amplify CLI after I put in the IAM access key and secret.

Is further setup required? Here is my code:

import Amplify, { API, graphqlOperation, Hub } from "aws-amplify";
import aws_config from "../../aws-exports";

Amplify.configure(aws_config);

const ListKeywords = `query ListKeywords {
  listKeyword {
    keyword {
      id
      name
    }
  }
}`;

const loop = async () => {
  const allKeywords = await API.graphql(graphqlOperation(ListKeywords));
}

Could it also be because my GraphQL resolvers are not set up yet for ListKeywords?

stampede76

3 Answers

4

If you're using IAM as the Authorization type on your AppSync API, then the issue is that the Cognito Role being used with the Auth category when invoking Amplify.configure() isn't granted permissions for GraphQL operations. It needs something like this attached:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "appsync:GraphQL"
         ],
         "Resource": [
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/*"
         ]
      }
   ]
}

More details here: https://docs.aws.amazon.com/appsync/latest/devguide/security.html

Richard
  • It should have AWSAppSyncAdministrator permissions. Is this the same IAM user that's set up with awsmobile configure? https://aws.github.io/aws-amplify/media/quick_start#install-aws-mobile-cli – stampede76 May 17 '18 at 23:07
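As an added example (not part of the answer above, and not Amplify or AppSync code), this sketch evaluates a role's policy documents against a field-level AppSync ARN to show when `appsync:GraphQL` would be allowed, and compares the answer's `/*` resource with a policy scoped to a single field. It is a simplified model of IAM evaluation; the function names and the `createKeyword` mutation are hypothetical, and the account and API id are the answer's placeholders.

```javascript
// Simplified identity-policy evaluation for AppSync IAM auth (added example).
// Ignores Condition, NotAction, NotResource and permission boundaries.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM wildcards: "*" matches any run of characters, "?" matches exactly one.
function globToRegExp(glob, flags = "") {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", flags);
}

function statementMatches(stmt, action, resource) {
  // Action names are case-insensitive; resource ARNs are case-sensitive.
  const actionHit = asArray(stmt.Action).some((a) => globToRegExp(a, "i").test(action));
  const resourceHit = asArray(stmt.Resource).some((r) => globToRegExp(r).test(resource));
  return actionHit && resourceHit;
}

// Explicit Deny wins, then any Allow, otherwise the request is implicitly denied.
function evaluate(policies, action, resource) {
  const matching = policies
    .flatMap((p) => asArray(p.Statement))
    .filter((s) => statementMatches(s, action, resource));
  if (matching.some((s) => s.Effect === "Deny")) return "ExplicitDeny";
  if (matching.some((s) => s.Effect === "Allow")) return "Allow";
  return "ImplicitDeny";
}

// Constructed inputs, using the placeholder account and API id from the answer.
const API_ARN = "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId";
const fieldArn = (type, field) => `${API_ARN}/types/${type}/fields/${field}`;
const broadPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["appsync:GraphQL"], Resource: [`${API_ARN}/*`] },
] };
const scopedPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "appsync:GraphQL", Resource: fieldArn("Query", "listKeyword") },
] };

function report() {
  const q = fieldArn("Query", "listKeyword");
  const m = fieldArn("Mutation", "createKeyword"); // hypothetical mutation
  return {
    noAppSyncStatement: evaluate([], "appsync:GraphQL", q), // the rejected case
    broadQuery: evaluate([broadPolicy], "appsync:GraphQL", q),
    broadMutation: evaluate([broadPolicy], "appsync:GraphQL", m),
    scopedQuery: evaluate([scopedPolicy], "appsync:GraphQL", q),
    scopedMutation: evaluate([scopedPolicy], "appsync:GraphQL", m),
  };
}
console.log(report());
```

The scoped policy still allows the `listKeyword` query from the question while leaving every other field of the API implicitly denied.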
1

Not sure if this helps but I've been struggling with this for a while and found that if I add the API and use IAM as the auth method I need to add 'auth' to the schema too.

See below:

type TimeLapseCamera @model 
@auth(rules: [
  { allow: private, provider: iam }
])
{
...
}

I just tested this and my web page is successfully adding a record.

Note to other comment: I do not have AWS at all in this - it's a simple Vue app with Amplify.

Hyperhippo
0

I just changed ~/.aws/credentials and now it's working.

Looks like even if you have project specific configuration via Amplify's command line tools or ~/.awsmobile/aws-config.js, it still relies on ~/.aws

stampede76
  • 1
    Is there any way to avoid ~/.aws from overriding your Amplify config? This is breaking my app on people's systems who have a ~/.aws directory configured – Drew Oct 28 '18 at 21:27