0

When calling Admin Queries using Amplify, it gives an error:

`User does not have permissions to perform administrative tasks`

There are two types of groups, admins and subAdmins.

When I tried to update the permission for AdminQueries Auth, I could select only one group.

I need to access this AdminQueries using both groups.

Is it possible in Amplify?

Ashwanth Madhav

1 Answer

0

Unfortunately, it does not look like there is a way to do this via the CLI; however, you should be able to manually implement this functionality by editing the AdminAPI source in ./amplify/backend/function/AdminQueries<SOME_ID>.

In the src directory, you'll see an app.js file, which is where the checkGroup functionality lives. On line 45 of that file, the allowed group that you specified via the CLI is pulled in from the environment. Thereafter, starting on line 47, the service runs through a series of checks to determine whether it should authorize the request. You will want to change the default implementation starting at line 57 (copied below):

```js
// Only perform tasks if the user is in a specific group
const allowedGroup = process.env.GROUP;

const checkGroup = function(req, res, next) {
  if (req.path == '/signUserOut') {
    return next();
  }

  if (typeof allowedGroup === 'undefined' || allowedGroup === 'NONE') {
    return next();
  }

  // Fail if group enforcement is being used
  if (req.apiGateway.event.requestContext.authorizer.claims['cognito:groups']) {
    const groups = req.apiGateway.event.requestContext.authorizer.claims['cognito:groups'].split(',');
    if (!(allowedGroup && groups.indexOf(allowedGroup) > -1)) {
      const err = new Error(`User does not have permissions to perform administrative tasks`);
      next(err);
    }
  } else {
    const err = new Error(`User does not have permissions to perform administrative tasks`);
    err.statusCode = 403;
    next(err);
  }
  next();
};
```
Michael Edelman
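One way to write the multi-group check the answer describes, as an added example that is not part of the original answer or of Amplify's generated code; it also sets a 403 on every denial and calls `next` exactly once per request. It assumes the `GROUP` environment variable is edited by hand to a comma-separated list such as `admins,subAdmins`, and `makeCheckGroup`, `parseAllowedGroups` and `claimGroups` are hypothetical names.

```javascript
// Added example: multi-group variant of checkGroup (not Amplify's own code).
// Assumption: GROUP is set by hand to a comma-separated list, e.g. "admins,subAdmins".
const FORBIDDEN = 'User does not have permissions to perform administrative tasks';

// Turn the GROUP value into a Set of allowed names; null means enforcement is off,
// matching the undefined/'NONE' behaviour of the code shown in the answer.
function parseAllowedGroups(raw) {
  if (typeof raw === 'undefined' || raw === 'NONE') return null;
  return new Set(raw.split(',').map((g) => g.trim()).filter(Boolean));
}

// Read the caller's groups from the authorizer claims. The answer's code treats
// cognito:groups as a comma-separated string; an array is tolerated as well.
function claimGroups(req) {
  const claims = req?.apiGateway?.event?.requestContext?.authorizer?.claims;
  const raw = claims ? claims['cognito:groups'] : undefined;
  if (Array.isArray(raw)) return raw;
  return typeof raw === 'string' ? raw.split(',').map((g) => g.trim()) : [];
}

// Build the Express middleware for a given GROUP value.
function makeCheckGroup(rawAllowed) {
  const allowed = parseAllowedGroups(rawAllowed);
  return function checkGroup(req, res, next) {
    if (req.path === '/signUserOut') return next();
    if (allowed === null) return next();

    // Authorize when the caller belongs to at least one allowed group.
    if (claimGroups(req).some((g) => allowed.has(g))) return next();

    // Fail closed: missing claim, empty allow list, or no matching group.
    const err = new Error(FORBIDDEN);
    err.statusCode = 403;
    return next(err);
  };
}

const checkGroup = makeCheckGroup(process.env.GROUP);
```

An empty `GROUP` value yields an empty allow list, so every request except `/signUserOut` is denied rather than allowed.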