AWS Amplify GraphQL Static Group Authorization
happy devSecOps
Background
In my previous post I discussed the AWS Amplify GraphQL API in detail. It used Cognito User Pool Owner authorization, which allows any signed-in user to create, update, delete and read their own Document records. In this post I'm going to use another type of authorization, Static Group Authorization. It allows @model types to be protected by restricting access to a known set of groups. For example, we can give the users in the Admin group permission to create, update, delete and read Document objects. By combining Owner Authorization and Static Group Authorization we can build AWS Amplify multi-tenant applications. All the source code related to this post is available in gitlab. Please clone the repo and follow along with the post.
Static Group Authorization Permissions
Static Group Authorization rules can be defined with the allow: groups rule of the @auth directive as below. This change has been made to the GraphQL schema of the Document model in the amplify/backend/api/rahasakgraphqlapi/schema.graphql file. It gives create, update, delete and read permissions on Document objects to the users in the group named Admin. So all users in the Admin group will be able to create, read, update and delete Document objects (they don't need to be the owner of the objects).
Update GraphQL API
I can deploy the changes made to the GraphQL API with amplify push. When deploying, it generates the GraphQL queries, mutations and subscriptions for the updated Document model. The generated queries, mutations, subscriptions and the full schema of the GraphQL API can be found in the /src/graphql directory.
Create Users and Groups
To test the Static Group Authorization permissions I have created a group named Admin and added a user to that group. I have created two users, 1) rahasaklabs and 2) bassalabs. The rahasaklabs user was added to the Admin group, so that user has permission to access all the Document objects in the system. The bassalabs user only has permission to access his/her own Document objects. Users and groups can be managed in the Cognito Manage User Pools section of the AWS admin console.
In the corresponding User Pool (rahasakapp in my scenario), there is a section to manage users and groups. I have added the two users (rahasaklabs, bassalabs) and the Admin group here. Then I added the rahasaklabs user to the Admin group.
Test Permissions
Once the users and groups are created, I can test the GraphQL API and its permissions in the AWS AppSync dashboard. Different queries and mutations can be executed in that window. First I logged in with the bassalabs user's credentials and created a Document object.
When querying the Document objects, it only returns the Document objects belonging to bassalabs. If we try to access an object belonging to a different user (e.g. rahasaklabs) it returns an Unauthorized (HTTP 401) error.
Next I logged in with the rahasaklabs user's credentials and created another Document object.
The rahasaklabs user can read the Documents owned by all users. So when querying the Document objects, it returns the objects belonging to both the rahasaklabs and bassalabs users.
Reference
- https://docs.amplify.aws/cli-legacy/graphql-transformer/auth/#owner-authorization
- https://medium.com/geekculture/how-to-use-auth-directive-with-amplify-graphql-schema-for-beginners-a66fb7ccb953
- https://docs.amplify.aws/cli/auth/groups/#group-access-controls
- https://medium.com/rahasak/serverless-graphql-api-with-aws-amplify-appsync-and-cognito-auth-c84ad3bafa43
- https://dev.to/codebeast/an-in-depth-guide-on-amplify-graphql-api-authorization-14ng
- https://iamondemand.com/blog/6-graphql-authorization-schemas-for-aws-amplify/
- https://medium.com/@dantasfiles/multi-tenant-aws-amplify-cc3252c4def4