AWS Amplify GraphQL Static Group Authorization

happy devSecOps

(λx.x)eranga
Effectz.AI
Jul 26, 2022

Background

In my previous post I discussed the AWS Amplify GraphQL API in detail. It used Cognito User Pool Owner Authorization, which allows any signed-in user to create, update, delete and read the Document records they own. In this post I'm going to use another type of authorization, Static Group Authorization. It protects @model types by restricting access to a known set of Cognito groups. For example, we can give users in the Admin group permission to create, update, delete and read Document objects. By combining Owner Authorization and Static Group Authorization we can build multi-tenant AWS Amplify applications. All the source code related to this post is available in GitLab. Please clone the repo and follow along with the post.

Static Group Authorization Permissions

Static Group Authorization rules are defined with an allow: groups rule in the @auth directive, as shown below. This change has been made to the GraphQL schema of the Document model in the amplify/backend/api/rahasakgraphqlapi/schema.graphql file. It grants create, update, delete and read permissions on Document objects to users in the group named Admin. So every user in the Admin group is able to create, read, update and delete Document objects (they do not need to be the owner of the objects).
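The following schema is an added example written for this post and is not the repository's own schema.graphql. It shows the two rules working together on one model: the owner rule confines an ordinary user to records whose owner field matches their Cognito username, and the groups rule opens every record to members of the Admin group. The field names other than owner are assumptions.

```graphql
# Added example (not the project's schema.graphql): Owner Authorization combined with
# Static Group Authorization for the Cognito group "Admin".
# Field names other than `owner` are assumptions; Amplify populates `owner` from the
# caller's Cognito identity when a record is created.
type Document
  @model
  @auth(
    rules: [
      # Owner rule: the signed-in user who created the record may read, update and
      # delete it. `owner` is the default ownerField, so it need not be spelled out.
      { allow: owner, operations: [create, read, update, delete] }
      # Static group rule: any member of the Cognito group "Admin" may perform all
      # four operations on every Document, whether or not they own it.
      { allow: groups, groups: ["Admin"], operations: [create, read, update, delete] }
    ]
  ) {
  id: ID!
  name: String!
  content: String
  owner: String
}
```

Group membership is evaluated from the cognito:groups claim of the caller's Cognito ID token, and the group name is matched exactly, so a typo in the groups list silently grants nobody admin access. Listing the operations explicitly on each rule documents the intended privilege boundary; a user who is neither the owner of a record nor in Admin fails every rule and receives an Unauthorized error.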

Update GraphQL API

I can deploy the changes made to the GraphQL API with amplify push. When deploying, it creates the GraphQL queries, mutations and subscriptions for the updated Document model. The generated queries, mutations, subscriptions and the full schema of the GraphQL API can be found in the /src/graphql directory.

Create Users and Groups

To test the Static Group Authorization permissions I created a group named Admin and added a user to it. I created two users, 1) rahasaklabs and 2) bassalabs. The rahasaklabs user was added to the Admin group, so that user has permission to access all the Document objects in the system. The bassalabs user only has permission to access his/her own Document objects. Users and groups can be managed in the Cognito Manage User Pools section of the AWS admin console.

In the corresponding User Pool (rahasakapp in my scenario), there is a section to manage users and groups. I added the two users (rahasaklabs, bassalabs) and the Admin group here, then added the rahasaklabs user to the Admin group.

Test Permissions

Once the users and groups are created, I can test the GraphQL API and its permissions in the AWS AppSync dashboard. Different queries and mutations can be executed in that window. First I logged in with the bassalabs user's credentials and created a Document object.

When querying Document objects, it returns only the Documents that belong to bassalabs. If we try to access an object belonging to a different user (e.g. rahasaklabs), it returns an Unauthorized (HTTP 401) error.

Next I logged in with the rahasaklabs user's credentials and created another Document object.

The rahasaklabs user can read the Documents owned by all users. So when querying Document objects, it returns the objects belonging to both the rahasaklabs and bassalabs users.
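The operations below are an added example of the test sequence described in this section; they are not copied from the post's screenshots or the repository. The operation names follow the convention Amplify codegen uses for a model named Document (createDocument, getDocument, listDocuments); the field names and the placeholder id are assumptions.

```graphql
# Added example (not from the post): generated operations used to exercise the
# owner and Admin-group rules. Run each one in the AppSync console while signed in
# as the user named in its comment.

# 1. Signed in as bassalabs: create a Document. Amplify stores owner = "bassalabs"
#    from the caller's Cognito identity; the client cannot choose another owner.
mutation CreateAsBassalabs {
  createDocument(input: { name: "bassa-notes", content: "hello" }) {
    id
    name
    owner
  }
}

# 2. Signed in as bassalabs: the list contains only records whose owner is
#    "bassalabs". Records of other users are filtered out of the result, not errored.
query ListAsBassalabs {
  listDocuments {
    items {
      id
      name
      owner
    }
  }
}

# 3. Signed in as bassalabs: fetching a record owned by rahasaklabs by id is rejected.
#    The response carries an "Unauthorized" entry in its errors array and data is null.
#    The id is a placeholder; use the id returned when rahasaklabs created its record.
query GetForeignDocument {
  getDocument(id: "PLACEHOLDER-ID-OF-RAHASAKLABS-DOCUMENT") {
    id
    name
    owner
  }
}

# 4. Signed in as rahasaklabs (member of Admin): the same list returns every Document,
#    including the one owned by bassalabs, because the groups rule matches.
query ListAsAdmin {
  listDocuments {
    items {
      id
      name
      owner
    }
  }
}
```

Selecting the owner field in every operation is the quickest way to confirm which rule admitted each record: for bassalabs every item carries owner "bassalabs", while for the Admin member the owners are mixed. If an Admin user sees only their own records, check that the group name in the schema matches the Cognito group exactly and that the user signed in again after being added to the group, since the cognito:groups claim is only refreshed when a new token is issued.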

Reference

  1. https://docs.amplify.aws/cli-legacy/graphql-transformer/auth/#owner-authorization
  2. https://medium.com/geekculture/how-to-use-auth-directive-with-amplify-graphql-schema-for-beginners-a66fb7ccb953
  3. https://docs.amplify.aws/cli/auth/groups/#group-access-controls
  4. https://medium.com/rahasak/serverless-graphql-api-with-aws-amplify-appsync-and-cognito-auth-c84ad3bafa43
  5. https://dev.to/codebeast/an-in-depth-guide-on-amplify-graphql-api-authorization-14ng
  6. https://iamondemand.com/blog/6-graphql-authorization-schemas-for-aws-amplify/
  7. https://medium.com/@dantasfiles/multi-tenant-aws-amplify-cc3252c4def4
