Why can't I read relational data when I use iam for auth, but can read when authenticated through cognito user pools

Question

My project uses cognito user pools as the default authentication method and also uses iam for my custom graphql lambda resolver.

I've been using the AppSync console to run tests on my queries/mutations.

I have a many-to-many relationship between User and Group types which I've implemented in this schema.graphql file.

type User
  @model
  @auth(
    rules: [
      { allow: owner, ownerField: "id", operations: [create, update, delete] }
      { allow: private, provider: iam, operations: [read, update, delete] }
      { allow: private, provider: userPools, operations: [read] }
    ]
  ) {
  id: ID!
  displayName: String!
  groups: [GroupMemberLink] @connection(keyName: "byMember", fields: ["id"])
}

type Group
  @model
  @auth(
    rules: [
      { allow: owner, ownerField: "members", operations: [create, update, delete] }
      { allow: private, provider: iam, operations: [read, update, delete] }
      { allow: private, provider: userPools, operations: [read] }
    ]
  ) {
  id: ID!
  name: String!
  members: [String]!
  associated: [GroupMemberLink] @connection(keyName: "byGroup", fields: ["id"])
}

type GroupMemberLink
  @model(queries: null, subscriptions: null)
  @key(name: "byGroup", fields: ["groupID", "memberID"])
  @key(name: "byMember", fields: ["memberID", "groupID"])
  @auth(
    rules: [
      { allow: private, provider: userPools, operations: [read] }
      # what am I doing wrong below?
      { allow: private, provider: iam, operations: [create, read, update, delete] }
    ]
  ) {
  id: ID!
  groupID: ID!
  memberID: ID!
  group: Group! @connection(fields: ["groupID"])
  member: User! @connection(fields: ["memberID"])
}

My Intentions:

1. To only allow my lambda function (using iam) to both read and do mutations (create/update/delete)
2. To allow users authenticated with cognito user pools to only read.

My Problem:

My lambda function is not able to read this relational type/field when I query either from the User or Group type. It also seems like users are able to create this type of object which is something I absolutely do not want.

What am I doing wrong? I understand that multi-auth was recently added so this might be tricky.

Reading the documentation hasn't helped me much so I've been trying many different combinations of rules and hoping one would work.

Update: I get this error whenever I try to access the connected field on either the User or Group type: Not Authorized to access items on type ModelGroupMemberLinkConnection" from the appsync console using iam as the auth type.

To clarify: users authenticated with cognito user pools have both read/write access (Shouldn't have write access), but my lambda function using iam doesn't have read or write access.

Things I've tried that still result in not being to access the related field while being authenticated with iam:

1. Remove the auth directive altogether.
2. Changed the auth rule in GroupMemberLink to @auth(rules: [{ allow: private, provider: iam, operations: [read, update, delete] }])

Update:

These are the queries I've been testing in the AppSync console:

query GetUser {
  getUser(id: "funksouldev") {
    id
    displayName
    groups {
      items {
        group {
          id
          name
        }
      }
    }
  }
}

query GetGroup($groupID: ID!) {
  getGroup(id: $groupID) {
    id
    associated {
      items {
        id
        member {
          id
          displayName
        }
      }
    }
  }
}

Answer 1

Okay, Finally I think this would solve the problem.

type ModelGroupMemberLinkConnection @aws_iam
@aws_cognito_user_pools
   {
    items: [GroupMemberLink]
    nextToken: String
   }