无法让AWS-LAMBDA访问AWS-APPSYNC API
我正在研究一个项目,用户可以将文件上传到S3存储桶中,这些上传的文件被映射到GraphQl键(由Amplify CLI生成),并触发AWS-LAMBDA函数。所有这些都可以正常工作,但是我想要的下一步是为此AWS-LAMBDA函数创建具有相同所有权属性的第二个文件,并将保存第二个文件的位置发布到GraphQL API。
我认为这应该不太困难,但是我遇到了很多困难,无法理解问题所在。
背景/详细信息
我希望数据的所有者(uploader)成为唯一能够访问数据的用户 admin 角色,并能够发布/获取任何所有者的API。
GraphQL模式看起来像这样:
type FileUpload @model
@auth(rules: [
{ allow: owner}]) {
id: ID!
foo: String
bar: String
}
我还发现了这一看似主张的AWS指南,我认为它会提供IAM角色 admin 访问( https://docs.amplify.aws/cli/graphql/authorization-authorization-rules-rules/#configure-custom -Identity-and-group-claims )我之后创建文件amplify/backend/api/< your-api-name>/custom-roles.json我
{
"adminRoleNames": ["<YOUR_IAM_ROLE_NAME>"]
}
替换了“&lt; your_iam_role_name&gt;”我凭借我广泛访问的IAM角色,包括此AppSync访问:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"appsync:*"
],
"Resource": "*"
}
]
}
这是我的AWS-Lambda功能的角色。
当我尝试使用上述设置在我的AWS-LAMBDA函数中运行一个简单的API查询时,我会得到此错误,
response string:
{
"data": {
"getFileUpload": null
},
"errors": [
{
"path": [
"getFileUpload"
],
"data": null,
"errorType": "Unauthorized",
"errorInfo": null,
"locations": [
{
"line": 3,
"column": 11,
"sourceName": null
}
],
"message": "Not Authorized to access getFileUpload on type Query"
}
]
}
我的实际Python lambda脚本是
import http
API_URL = '<MY_API_URL>'
API_KEY = '<>MY_API_KEY'
HOST = API_URL.replace('https://','').replace('/graphql','')
def queryAPI():
conn = http.client.HTTPSConnection(HOST, 443)
headers = {
'Content-type': 'application/graphql',
'x-api-key': API_KEY,
'host': HOST
}
print('conn: ', conn)
query = '''
{
getFileUpload(id: "<ID_HERE>") {
description
createdAt
baseFilePath
}
}
'''
graphql_query = {
'query': query
}
query_data = json.dumps(graphql_query)
print('query data: ', query_data)
conn.request('POST', '/graphql', query_data, headers)
response = conn.getresponse()
response_string = response.read().decode('utf-8')
print('response string: ', response_string)
我通过上面的API键和API url,而除了将AWS-Lambda授予IAM角色。我知道可能只需要一个,但是我正在尝试使过程进行工作,然后将其削减。
问题
据我了解,
- 我根据我的目标为我的GraphQl模式提供了适当的@Auth规则,并且(下面2)
- 为我的AWS-LAMBDA功能提供足够的IAM授权(通过两者, IAM角色和API键)覆盖我的GraphQL模式的任何潜在限制性@Auth规则,
但显然有些事情不起作用。谁能将我指向我忽略的问题?
I am working on a project where users can upload files into a S3 bucket, these uploaded files are mapped to a GraphQL key (which was generated by Amplify CLI), and an aws-lambda function is triggered. All of this is working, but the next step I want is for this aws-lambda function to create a second file with the same ownership attributes and POST the location of the saved second file to the GraphQL API.
I figured that this shouldn't be too difficult but I am having a lot of difficulty and can't understand where the problem lies.
BACKGROUND/DETAILS
I want the owner of the data (the uploader) to be the only user who is able to access the data, with the aws-lambda function operating in an admin role and able to POST/GET to API of any owner.
The GraphQL schema looks like this:
type FileUpload @model
@auth(rules: [
{ allow: owner}]) {
id: ID!
foo: String
bar: String
}
And I also found this seemingly-promising AWS guide which I thought would give an IAM role admin access (https://docs.amplify.aws/cli/graphql/authorization-rules/#configure-custom-identity-and-group-claims) which I followed by creating the file amplify/backend/api/<your-api-name>/custom-roles.json and saved it with
{
"adminRoleNames": ["<YOUR_IAM_ROLE_NAME>"]
}
I replaced "<YOUR_IAM_ROLE_NAME>" with an IAM Role which I have given broad access to, including this appsync access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"appsync:*"
],
"Resource": "*"
}
]
}
Which is the role given to my aws-lambda function.
When I attempt to run a simple API query in my aws-lambda function with the above settings I get this error
response string:
{
"data": {
"getFileUpload": null
},
"errors": [
{
"path": [
"getFileUpload"
],
"data": null,
"errorType": "Unauthorized",
"errorInfo": null,
"locations": [
{
"line": 3,
"column": 11,
"sourceName": null
}
],
"message": "Not Authorized to access getFileUpload on type Query"
}
]
}
my actual python lambda script is
import http
API_URL = '<MY_API_URL>'
API_KEY = '<>MY_API_KEY'
HOST = API_URL.replace('https://','').replace('/graphql','')
def queryAPI():
conn = http.client.HTTPSConnection(HOST, 443)
headers = {
'Content-type': 'application/graphql',
'x-api-key': API_KEY,
'host': HOST
}
print('conn: ', conn)
query = '''
{
getFileUpload(id: "<ID_HERE>") {
description
createdAt
baseFilePath
}
}
'''
graphql_query = {
'query': query
}
query_data = json.dumps(graphql_query)
print('query data: ', query_data)
conn.request('POST', '/graphql', query_data, headers)
response = conn.getresponse()
response_string = response.read().decode('utf-8')
print('response string: ', response_string)
I pass in the API key and API URL above in addition to giving AWS-lambda the IAM role. I understand that only one is probably needed, but I am trying to get the process to work then pare it back.
QUESTION(s)
As far as I understand, I am
- providing the appropriate @auth rules to my GraphQL schema based on my goals and (2 below)
- giving my aws-lambda function sufficient IAM authorization (via both IAM role and API key) to override any potential restrictive @auth rules of my GraphQL schema
But clearly something is not working. Can anyone point me towards a problem that I am overlooking?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
昨天我遇到了类似的问题。
这不是1:1您要做的事情,但也许仍然有帮助。
因此,我试图为LAMBDA功能权限提供基于GraphQL模式访问数据的权限。该模式有不同的@Auth指令,这导致Lambda函数无法访问数据。即使我通过CLI和IAM角色给了他们权限。尽管文档说这应该有效,但事实并非如此:
因此,我最终添加了
@Auth(规则:[{允许:自定义}])>我想要通过lambda函数访问的所有架构的所有部分。执行此操作时,请确保通过
Amplify Update Update API将“ Lambda”作为auth模式添加为AUT模式。在身份验证lambda函数中,您可以检查调用该函数的用户是否可以访问请求的查询/S3数据。
I had similar problem just yesterday.
It was not 1:1 what you're trying to do, but maybe it's still helpful.
So I was trying to give lambda functions permissions to access the data based on my graphql schema. The schema had different @auth directives, which caused the lambda functions to not have access to the data anymore. Even though I gave them permissions via the cli and IAM roles. Although the documentation says this should work, it didn't:
So I ended up adding
@auth(rules: [{ allow: custom }])to all parts of my schema that I want to access via lambda functions.When doing this, make sure to add "lambda" as auth mode to your api via
amplify update api.In the authentication lambda function, you could then check if the user, who is invoking the function, has access to the requested query/S3 Data.