Grant Lambda function access to API and Data

Function access to defineData can be configured using an authorization rule on the schema object.

amplify/data/resource.ts

1import {
2  a,
3  defineData,
4  defineFunction,
5  type ClientSchema
6} from '@aws-amplify/backend';
7
8const functionWithDataAccess = defineFunction({
9  entry: '../functions/data-access.ts'
10});
11
12const schema = a
13  .schema({
14    Todo: a.model({
15      name: a.string(),
16      description: a.string()
17    })
18  })
20
21export type Schema = ClientSchema<typeof schema>;
22
23export const data = defineData({
24  schema
25});

The object returned from defineFunction can be passed directly to allow.resource() in the schema authorization rules. This will grant the function the ability to execute Query, Mutation, and Subscription operations against the GraphQL API. Use the .to() method to narrow down access to one or more operations.

1const schema = a
2  .schema({
3    Todo: a.model({
4      name: a.string(),
5      description: a.string()
6    })
7  })

When configuring function access, the function will be provided the API endpoint as an environment variable named <defineDataName>_GRAPHQL_ENDPOINT. The default name is amplifyData_GRAPHQL_ENDPOINT unless you have specified a different name in defineData.

Function access can only be configured on the schema object. It cannot be configured on individual models or fields.

Access the API using `aws-amplify`

In the handler file for your function, configure the Amplify data client

amplify/functions/data-access.ts

1import { Amplify } from 'aws-amplify';
2import { generateClient } from 'aws-amplify/data';
3import { Schema } from '../data/resource';
4import { env } from '$amplify/env/<function-name>'; // replace with your function name
5
6
7Amplify.configure(
8  {
9    API: {
10      GraphQL: {
11        endpoint: env.<amplifyData>_GRAPHQL_ENDPOINT, // replace with your defineData name
12        region: env.AWS_REGION,
13        defaultAuthMode: 'identityPool'
14      }
15    }
16  },
17  {
18    Auth: {
19      credentialsProvider: {
20        getCredentialsAndIdentityId: async () => ({
21          credentials: {
22            accessKeyId: env.AWS_ACCESS_KEY_ID,
23            secretAccessKey: env.AWS_SECRET_ACCESS_KEY,
24            sessionToken: env.AWS_SESSION_TOKEN,
25          },
26        }),
27        clearCredentialsAndIdentityId: () => {
28          /* noop */
29        },
30      },
31    },
32  }
33);
34
35const dataClient = generateClient<Schema>();
36
37export const handler = async (event) => {
38  // your function code goes here
39}

Use the command below to generate GraphQL client code to call your data backend.

Note: We are working on bringing the end-to-end typed experience to connect to your data from within function resources without needing this step. If you'd like to provide feedback the experience or have early access, join our Discord community.

Terminal

npx ampx generate graphql-client-code --out <path-function-handler-dir>/graphql

Note: Whenever you update your data model, you will need to run the command above again.

Once you have generated the client code, update the function to access the data. The following code creates a todo and then lists all todos.

amplify/functions/data-access.ts

1const client = generateClient<Schema>();
2
3export const handler = async (event) => {
4  await client.graphql({
5    query: createTodo,
6    variables: {
7      input: {
8        name: "My first todo",
9        description: "This is my first todo",
10      },
11    },
12  });
13
14
15  await client.graphql({
16    query: listTodos,
17  });
18
19  return event;
20};

Configure custom identity and group claims

Grant Lambda function access to API and Data

Access the API using aws-amplify

Access the API using `aws-amplify`