Edit on GitHub

Page updated Nov 20, 2023

Grant Lambda function access to API and Data

The IAM execution role for Lambda functions does not automatically grant access to the Amplify Data API. This is because the API operates on a "deny-by-default" permission model. Access must be explicitly granted.

To grant an external AWS resource or an IAM role access to the Amplify Data API, you need to explicitly list the IAM roles by adding them to allowListedRoleNames property.

// amplify/data/resource.ts import { a, defineData, type ClientSchema } from "@aws-amplify/backend"; const schema = a.schema({ Todo: a.model({ name: a.string(), description: a.string(), }), }); export type Schema = ClientSchema<typeof schema>; export const data = defineData({ schema, authorizationModes: { // Pass in the Lambda Execution Role names to grant full read/write access to the API // if their IAM policies permit it. allowListedRoleNames: ["lambdaRole"], }, });
1// amplify/data/resource.ts
2import { a, defineData, type ClientSchema } from "@aws-amplify/backend";
3

4const schema = a.schema({
5  Todo: a.model({
6    name: a.string(),
7    description: a.string(),
8  }),
9});
10

11export type Schema = ClientSchema<typeof schema>;
12

13export const data = defineData({
14  schema,
15  authorizationModes: {
16    // Pass in the Lambda Execution Role names to grant full read/write access to the API
17    // if their IAM policies permit it.
18    allowListedRoleNames: ["lambdaRole"],
19  },
20});

These "Allow-listed Roles" have special access privileges that are scoped based on their IAM policy instead of any particular .authorization() rule.

Amplify open source software, documentation and community are supported by Amazon Web Services.

© 2023, Amazon Web Services, Inc. and its affiliates.

All rights reserved. View the site terms and privacy policy.

Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.