Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS AppSync - Unauthorized Exception

Tags:

amazon-web-services

authorization

graphql

amazon-cognito

aws-appsync

I have started using AWS AppSync and am running into a permissions issue.

I used AppSync to create a DynamoDB table for my data, and set up authorization for use with Cognito User Pools, which I've already created.

I set the Default Action to ALLOW which, according to the AWS docs -https://docs.aws.amazon.com/appsync/latest/devguide/security.html#amazon-cognito-user-pools-authorization - should allow public access to run any query/mutation/subscription defined in my schema by default.

The above documentation also says that restricting access is done by adding an @aws_auth to my type definitions. Which I have not added yet.

And so this is what I want: I want my queries to be public - no need to add an @aws_auth directive - and my mutations to be restricted to the Admins group within my Cognito User Pool. So in testing out a query, I should be able to have the data returned to me without being signed in anywhere.

However, when trying to run any test queries inside the AppSync console, I receive the following error message: 

{
  "errors": [
    {
      "errorType": "UnauthorizedException",
      "message": "Unable to parse JWT token."
    }
  ]
}

Obviously, this is related to not being signed in with Cognito.

I've tested these queries before without using the Cognito authorization, and they all worked fine. And since my Default Action is set to ALLOW for my Cognito authorizer, my queries should run just the same now since I didn't modify them.

Looking at the code for my queries, types, and resolvers, I can't spot any difference in how they are written. The IAM role allowing access to my DynamoDB table also remains the same and has no restrictions attached to it.

What is going on? Is there a bug with AppSync, or am I missing something here?

Please let me know. Thank you

like image 380
Z_z_Z Avatar asked Dec 14 '22 14:12

Z_z_Z

1 Answers

I think your API Key expiration date is over.So goto -- APIs -> select your AppSync -> goto setting -> select your API keys -> then Edit -> now you are in "Configure your API key and change expiration date." -> Select Expires Choose when this API Key will expire here you can choose for 1 year from the date you create new API keys.

like image 75
Harsh Bhatnagar Avatar answered Jan 02 '23 03:01

Harsh Bhatnagar
Sign in to Comment

Related questions

Service Role ARN blank in CodeDeploy
Using Load Balancer Instead of Proxy Server
Api Gateway can't invoke Lambda function
Cloudwatch boto3 put_log_events giving incorrect return
Create VPCPeeringConnection across AWS accounts via CloudFormation
cloudfront points to old version of React hosted on s3
Permission denied when calling AWS Lambda function from AWS CodePipeline
Is it possible to directly call docker run from AWS lambda
AWS apt install error = Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
Why do my ELBs have two IP addresses? How to find them?
Get full path to files in S3 using Boto3 nested keys
Cloud Front : The request could not be satisfied
How to allow only a specific user to access a content on Amazon S3
Creating Thumbnail from video on S3 without downloading
Can AWS Lambda access S3 buckets from other regions?
How to use AWS Glue / Spark to convert CSVs partitioned and split in S3 to partitioned and split Parquet
AWSMobileClient is not found
How to convert terraform.tfstate to config file?
Boto3 kinesis video stream: Error when calling the GetMedia operation
Allowing IAM access to only a specific subdomain on Route 53

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!