Page updated Nov 20, 2023

Use IAM authorization within the AppSync console

IAM-based .authorization() rules are scoped down to only work with the Amplify-generated IAM roles from amplify/auth/resource.ts. To access the Amplify Data-generated API with IAM authorization from within your AppSync console, you need to explicitly allow-list the role name of the IAM user you are signed in as.

To grant an external AWS Resource or an IAM role access to Amplify Data's API, you will need to explicitly list the IAM roles by adding them to the allowListedRoleNames property.

```ts
// amplify/data/resource.ts
import { a, defineData, type ClientSchema } from "@aws-amplify/backend";

const schema = a.schema({
  Todo: a.model({
    name: a.string(),
    description: a.string(),
  }),
});

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({
  schema,
  authorizationModes: {
    // Pass in the IAM user's role name to grant full read/write access to the API
    // if their IAM policies permit it.
    allowListedRoleNames: ["userRole"],
  },
});
```

These "Allow-listed Roles" have special access privileges that are scoped based on their IAM policy instead of any particular .authorization() rule.
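Because an allow-listed role bypasses every .authorization() rule, its IAM policy is the only thing limiting what it can do against the API. The policy below is an added illustration, not part of the Amplify docs or generated by Amplify: it shows an over-broad statement beside a least-privilege one that permits only the read fields of the Todo model. The region, account ID and API ID are placeholders you would replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TooBroadDoNotUse",
      "Effect": "Deny",
      "Action": "appsync:GraphQL",
      "Resource": "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Mutation/*"
    },
    {
      "Sid": "ReadOnlyTodoQueries",
      "Effect": "Allow",
      "Action": "appsync:GraphQL",
      "Resource": [
        "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Query/fields/getTodo",
        "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Query/fields/listTodos",
        "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Todo/*"
      ]
    }
  ]
}
```

Attach a policy like this to the role named in allowListedRoleNames rather than a statement with `"Resource": "*"`; the explicit Deny on the Mutation type keeps the role read-only even if a broader Allow is added elsewhere.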