I have started using AWS AppSync and am running into a permissions issue.

I used AppSync to create a DynamoDB table for my data, and set up authorization for use with Cognito User Pools, which I've already created.

I set the Default Action to ALLOW which, according to the AWS docs (https://docs.aws.amazon.com/appsync/latest/devguide/security.html#amazon-cognito-user-pools-authorization), should allow public access to run any query/mutation/subscription defined in my schema by default.

The above documentation also says that restricting access is done by adding an @aws_auth directive to my type definitions, which I have not added yet.

And so this is what I want: I want my queries to be public - no need to add an @aws_auth directive - and my mutations to be restricted to the Admins group within my Cognito User Pool. So in testing out a query, I should be able to have the data returned to me without being signed in anywhere.

However, when trying to run any test queries inside the AppSync console, I receive the following error message:

{
  "errors": [
    {
      "errorType": "UnauthorizedException",
      "message": "Unable to parse JWT token."
    }
  ]
}

Obviously, this is related to not being signed in with Cognito.

I've tested these queries before without using the Cognito authorization, and they all worked fine. And since my Default Action is set to ALLOW for my Cognito authorizer, my queries should run just the same now since I didn't modify them.

Looking at the code for my queries, types, and resolvers, I can't spot any difference in how they are written. The IAM role allowing access to my DynamoDB table also remains the same and has no restrictions attached to it.

What is going on? Is there a bug with AppSync, or am I missing something here?

Please let me know. Thank you

Z_z_Z
  • Did you find a solution to this? – Aldarund Oct 29 '18 at 00:07
    @Aldarund As of now, it seems that AppSync doesn't support public access when using Cognito for auth. So I made two AppSync projects, one for public access using an API key, and one for admins using Cognito. But it is possible to allow a mix of public and private access using AWS IAM, but I haven't tried experimenting with that just yet. – Z_z_Z Oct 31 '18 at 07:34
  • https://github.com/aws-amplify/amplify-js/issues/1252 – Aldarund Nov 02 '18 at 21:39
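
To make the behaviour in the question concrete, here is an added Python sketch (not AppSync's own code, and not from the question or the answers) of the decision AppSync makes when Cognito User Pools is the only authorization mode: a request with no parseable user-pool token is rejected before the Default Action is ever consulted, and @aws_auth(cognito_groups: [...]) then narrows individual fields to a group. The field names, the Admins group rule and the tokens are constructed for the illustration.

```python
"""Model of AppSync's Cognito User Pools authorization decision.

Added illustration, not AppSync's implementation. The schema metadata and
the JWT-shaped tokens below are constructed for the demo."""
import base64
import json

DEFAULT_ACTION = "ALLOW"  # the API-level "Default Action" setting

# Constructed schema metadata: None means the field carries no @aws_auth,
# a dict mirrors @aws_auth(cognito_groups: ["Admins"]) on that field.
FIELD_AUTH = {
    "Query.listPosts": None,
    "Mutation.createPost": {"cognito_groups": ["Admins"]},
}


def parse_jwt_payload(token):
    """Return the claims of a JWT-shaped string, or None if it cannot be parsed.
    AppSync also verifies the signature against the user pool's keys; that
    step is omitted here because only the decision logic is illustrated."""
    if not token or token.count(".") != 2:
        return None
    payload = token.split(".")[1]
    try:
        padded = payload + "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None


def authorize(field, token):
    """Return (allowed, reason) for a request to `field` carrying `token`."""
    claims = parse_jwt_payload(token)
    if claims is None:
        # No usable user-pool token: rejected regardless of Default Action.
        return False, "UnauthorizedException: Unable to parse JWT token."
    rule = FIELD_AUTH.get(field)
    if rule is None:
        # Field has no @aws_auth, so the Default Action decides.
        return DEFAULT_ACTION == "ALLOW", "default action " + DEFAULT_ACTION
    if set(claims.get("cognito:groups", [])) & set(rule["cognito_groups"]):
        return True, "caller is in a required cognito group"
    return False, "caller not in any of " + ", ".join(rule["cognito_groups"])


def make_token(claims):
    """Build a constructed, unsigned JWT-shaped string (header.payload.)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```

Running `authorize("Query.listPosts", None)` reproduces the "Unable to parse JWT token" result from the question, while a token whose `cognito:groups` claim contains `Admins` is the only one that passes `Mutation.createPost`.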

2 Answers

I think your API Key expiration date is over. So go to APIs -> select your AppSync -> go to Settings -> select your API keys -> then Edit -> now you are in "Configure your API key and change expiration date." -> Select Expires -> Choose when this API Key will expire; here you can choose 1 year from the date you create new API keys.

Are you talking about the "Queries" console? Even if you are logged in to your AWS account and you go to the AWS AppSync Queries console, you will still need to log in separately as a Cognito user. Click the "Login with User Pools" button.

From there, just enter the info of a Cognito user you already created, and that will simulate being logged in for testing purposes. You can find your clientId in your aws-exports.js file in your project on the line "aws_user_pools_web_client_id".

Hope that helps!

DaveCode