Customize your auth rules
Using Amplify GraphQL client
Each AppSync API is set with a default authorization mode.
AWS AppSync also supports multiple authorization modes on a single API enabling you to add additional authorization modes.
In order to use this feature with the Amplify GraphQL Client the API.graphql({...}) function accepts an optional parameter called authMode, its value will be one of the supported auth modes:
API_KEYAWS_IAMOPENID_CONNECTAMAZON_COGNITO_USER_POOLSAWS_LAMBDA
This is an example of using AWS_IAM as an authorization mode:
1import { API, GraphQLQuery, GRAPHQL_AUTH_MODE } from '@aws-amplify/api';2import * as mutations from './graphql/mutations';3import { CreateTodoMutation } from './API';4
5// Creating a post is restricted to IAM 6const createdTodo = await API.graphql<GraphQLQuery<CreateTodoMutation>>({7 query: mutations.createTodo,8 variables: { input: todoDetails },9 authMode: GRAPHQL_AUTH_MODE.AWS_IAM10});1import { API, GRAPHQL_AUTH_MODE } from '@aws-amplify/api';2import * as mutations from './graphql/mutations';3
4// Creating a post is restricted to IAM 5const createdTodo = await API.graphql({6 query: mutations.createTodo,7 variables: {input: todoDetails},8 authMode: GRAPHQL_AUTH_MODE.AWS_IAM9});Previous examples uses graphqlOperation function. That function only creates an object with two attributes query and variables. In order to use authMode you need to pass this object as is mentioned on the previous example.
AWS Lambda
You can implement your own custom API authorization logic using an AWS Lambda function. To add a Lambda as an authorization mode for your AppSync API, go to the Settings section of the AppSync console.
If you are using a Lambda function as an authorization mode with your AppSync API, you will need to pass an authentication token with each API request and will need to manage token refresh in your application.
The following example assumes AWS_LAMBDA is configured as the default authentication type for your API:
1// ...2
3const getAuthToken = () => 'myAuthToken';4const lambdaAuthToken = getAuthToken();5
6const createdTodo = await API.graphql<GraphQLQuery<CreateTodoMutation>>({7 query: mutations.createTodo,8 variables: {input: todoDetails},9 authToken: lambdaAuthToken10});1// ...2
3const getAuthToken = () => 'myAuthToken';4const lambdaAuthToken = getAuthToken();5
6const createdTodo = await API.graphql({7 query: mutations.createTodo,8 variables: {input: todoDetails},9 authToken: lambdaAuthToken10});If you have a different default authentication type and would like to use AWS_LAMBDA with a request:
1// ...2import { GRAPHQL_AUTH_MODE } from '@aws-amplify/api';3import { CreateTodoMutation } from './API';4
5const getAuthToken = () => 'myAuthToken';6const lambdaAuthToken = getAuthToken();7
8const createdTodo = await API.graphql<GraphQLQuery<CreateTodoMutation>>({9 query: mutations.createTodo,10 variables: {input: todoDetails},11 authMode: GRAPHQL_AUTH_MODE.AWS_LAMBDA,12 authToken: lambdaAuthToken13});1// ...2import { GRAPHQL_AUTH_MODE } from '@aws-amplify/api';3
4const getAuthToken = () => 'myAuthToken';5const lambdaAuthToken = getAuthToken();6
7const createdTodo = await API.graphql({8 query: mutations.createTodo,9 variables: {input: todoDetails},10 authMode: GRAPHQL_AUTH_MODE.AWS_LAMBDA,11 authToken: lambdaAuthToken12});