Signed-in user data access
The authenticated
authorization strategy restricts record access to only signed-in users authenticated through IAM, Cognito, or OpenID Connect, applying the authorization rule to all users. It provides a simple way to make data private to all authenticated users.
Add signed-in user authorization rule
You can use the authenticated
authorization strategy to restrict a record's access to every signed-in user.
In the example below, anyone with a valid JWT token from the Cognito user pool is allowed access to all Todos.
const schema = a.schema({ Todo: a .model({ content: a.string(), }) .authorization(allow => [allow.authenticated()]),});
In your application, you can perform CRUD operations against the model with the amazonCognitoUserPools
auth mode.
do { let todo = Todo(content: "My new todo") let createdTodo = try await Amplify.API.mutate(request: .create( todo, authMode: .amazonCognitoUserPools)).get()} catch { print("Failed to create todo", error) }
Use identity pool for signed-in user authentication
You can also override the authorization provider. In the example below, identityPool
is specified as the provider which allows you to use an "Unauthenticated Role" from the Cognito identity pool for public access instead of an API key. Your Auth resources defined in amplify/auth/resource.ts
generates scoped down IAM policies for the "Unauthenticated role" in the Cognito identity pool automatically.
const schema = a.schema({ Todo: a .model({ content: a.string(), }) .authorization(allow => [allow.authenticated('identityPool')]),});
In your application, you can perform CRUD operations against the model with the awsIAM
auth mode.
do { let todo = Todo(content: "My new todo") let createdTodo = try await Amplify.API.mutate(request: .create( todo, authMode: .awsIAM)).get()} catch { print("Failed to create todo", error)}
In addition, you can also use OpenID Connect with authenticated
authorization. See OpenID Connect as an authorization provider.