
Wrong Lambda Execution Role #4889

Closed
ernestostifano opened this issue Jul 21, 2020 · 6 comments
Labels
api-graphql Issues related to GraphQL resources in the API category bug Something isn't working

Comments

@ernestostifano

ernestostifano commented Jul 21, 2020

Describe the bug
Hi!

I have a Function with full CRUD access configured to my Auth and API (GraphQL) resources.

My API has Cognito User Pools set as primary/default authentication method and IAM as an additional authentication method.

My API has a UserData model defined as follows:

type UserData
    @model(queries: {get: "getUserData", list: "listUsersData"}, subscriptions: null)
    @auth(rules: [
        {allow: private, provider: iam},
        {allow: owner, ownerField: "id", operations: [read update]}
    ]) {
        id: ID! @auth(rules: [{allow: private, provider: iam}]),
        firstName: String!,
        lastName: String!,
        email: String!,
        phone: String!,
        groups: [String!]! @auth(rules: [{allow: private, provider: iam}]),
        permissions: [String]! @auth(rules: [{allow: private, provider: iam}])
    }

And my Function is implemented as follows:

type Query {
    adminListUsersData(filter: ModelUserDataFilterInput, limit: Int, nextToken: String): ModelUserDataConnection
        @auth(rules: [{allow: groups, groups: ["admins"]}])
        @function(name: "userDataResolvers-${env}")
}

The problem is that when an admin user calls the adminListUsersData query, the AWS SDK inside the function acquires the calling user's credentials and not the Lambda execution role credentials. So, when I try to interact with my UserData model internally from the Lambda function, it is as if the admin user were calling it directly instead of the function.

I've followed the GraphQL from NodeJS guide to call the API from the Lambda function.

I've also tried calling the AWS.config.update() method, or using the AWS.EnvironmentCredentials() or AWS.Credentials() classes to generate new credentials for Signers.V4 with AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN from the Lambda runtime environment variables, but I still get an unauthorized error.

I can't get my Lambda function to sign the API request using its own IAM credentials instead of the calling user ones. Please help!

Amplify CLI Version
4.24.2

To Reproduce
See bug description.

Expected behavior
I would expect the Lambda function to use its own execution role to authenticate with the AWS SDK or at least to allow me to choose which identity I would like to use.

Screenshots
None.

Desktop (please complete the following information):

  • OS: macOS 10.15.5
  • Node Version: 14.4.0

Additional context
None.

@ernestostifano ernestostifano changed the title Undefined Lambda Runtime Environment Variables Wrong Lambda Execution Role Jul 21, 2020
@ernestostifano
Author

Any recommendation? This is very frustrating.

@ernestostifano
Author

@djsmedes @yuth @attilah hi guys! Sorry to bother you and for being too insistent, but I saw that you've been working on similar issues. It has been days and I still can't sort this out. Could you please give me some inputs to be able to continue working with Amplify? I'm ready to provide further details if needed. Thank you very much!

@djsmedes

The place I'd start is in the chunk of code that does this or similar (this code is copy-pasted from the GraphQL from NodeJS guide you mentioned):

const signer = new AWS.Signers.V4(req, "appsync", true);
signer.addAuthorization(AWS.config.credentials, AWS.util.date.getDate());

Is that code executing? After that, does the req variable contain an Authorization header with a block of info that is semi-human-readable, complicated AWS signature? Or does it still contain the jwt?

Incidentally, are you following those docs closely and creating an entirely new request object, or are you reusing the request that comes in as a subkey somewhere in the object from the lambda's event parameter?

@ernestostifano
Author

ernestostifano commented Jul 27, 2020

@djsmedes thank you very much for your answer. While logging some data to CloudWatch to verify what you asked, I realized something else, quite interesting:

The unauthorized error I was getting, specifically for id, permissions and groups fields, was only viewable at client side. I mean, the call to the API inside the Lambda function was successful!

The problem was that here:

type Query {
    adminListUsersData(filter: ModelUserDataFilterInput, limit: Int, nextToken: String): ModelUserDataConnection
        @auth(rules: [{allow: groups, groups: ["admins"]}])
        @function(name: "userDataResolvers-${env}")
}

I used ModelUserDataConnection as the return type, which is defined as:

type ModelUserDataConnection {
    items: [UserData],
    nextToken: String,
    scannedCount: Int,
    count: Int
}

It references the UserData model, and this caused all of its @auth rules to be applied to my custom query, but at response time, after function execution! I don't know if that is the intended behaviour, but it could be useful sometimes. This is the reason why I thought the Lambda function was using the requesting user's credentials: it was behaving as if it were.

To solve the problem I just created a new normal type for the query output without any kind of directive.

@nikhname nikhname added functions Issues tied to the functions category pending-triage Issue is pending triage labels Jul 27, 2020
@litwicki litwicki added bug Something isn't working and removed pending-triage Issue is pending triage labels Dec 8, 2020
@attilah attilah added api-graphql Issues related to GraphQL resources in the API category and removed functions Issues tied to the functions category labels Dec 8, 2020
@attilah
Contributor

attilah commented Dec 8, 2020

Duplicate of #4889, which is being fixed by #5342.

@attilah attilah closed this as completed Dec 8, 2020
@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 25, 2021