
Automatically allow amplify generated Lambda IAM roles to perform operations on Appsync. #2915

Open
2 tasks
meghsv09 opened this issue Sep 30, 2024 · 1 comment
Labels
api-graphql feature-request New feature or request

Comments


meghsv09 commented Sep 30, 2024

Describe the feature you'd like to request

Steps to reproduce

  • Create a simple React application
  • amplify init
  • Add the auth and api categories with the schema below
  • amplify push

Appsync Schema

type Todo
  @model
  @auth(
    rules: [
      { allow: private, provider: userPools }
      { allow: private, provider: iam }
    ]
  ) {
  id: ID!
  name: String!
  description: String
}

  • Configure a Lambda function as below to perform Appsync operations.

$ amplify add function
? Select which capability you want to add: Lambda function (serverless function)
? Provide an AWS Lambda function name: appsyncsubnodejs
? Choose the runtime that you want to use: NodeJS
? Choose the function template that you want to use: AppSync - GraphQL API request (with IAM)

✅ Available advanced settings:

  • Resource access permissions
  • Scheduled recurring invocation
  • Lambda layers configuration
  • Environment variables configuration
  • Secret values configuration

? Do you want to configure advanced settings? Yes
? Do you want to access other resources in this project from your Lambda function? Yes
? Select the categories you want this function to have access to. api
? Select the operations you want to permit on appsyncauth Query, Mutation, Subscription

$ amplify push

This would create a Lambda function role with the following permissions:

{
  "Action": [
    "appsync:GraphQL"
  ],
  "Resource": [
    "arn:aws:appsync:us-east-1:<account-id>:apis/<api-id>/types/Query/*",
    "arn:aws:appsync:us-east-1:<account-id>:apis/<api-id>/types/Mutation/*",
    "arn:aws:appsync:us-east-1:<account-id>:apis/<api-id>/types/Subscription/*"
  ],
  "Effect": "Allow"
}

However, this Lambda function role cannot perform appsync operations (unauthorised error) unless the role is specified in the custom-roles.json file as below.

{
  "adminRoleNames": ["<YOUR_IAM_USER_OR_ROLE_NAME>"]
}

Notice we have already selected that we would like to perform actions such as query/mutation/subscription via this role.

https://docs.amplify.aws/gen1/javascript/build-a-backend/graphqlapi/customize-authorization-rules/#use-iam-authorization-within-the-appsync-console

This is similar to: https://repost.aws/questions/QU288xFKkVSSSwQH5Wqrru7w/appsync-unauthorized-error-when-called-from-presignup-lambda-trigger

Describe the solution you'd like

Feature request would be to allow this Lambda execution role to perform actions on the schema. Currently, the step below adds the required policy to the Lambda execution role. In addition to this, we may give permissions such that this role can perform appsync query/mutation/subscription operations without needing to be allowlisted in custom-roles.json.

? Select the operations you want to permit on appsyncauth Query, Mutation, Subscription

Describe alternatives you've considered

NA

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request

Would this feature include a breaking change?

  • ⚠️ This feature might incur a breaking change
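A small preflight check, added here as an example and not part of the issue or of Amplify's own tooling, that models the two independent gates the report describes: the IAM policy on the Lambda execution role must allow appsync:GraphQL on the operation type, and the role name must also appear in adminRoleNames in custom-roles.json before the generated resolvers accept the IAM caller. The role name, account id and API id are constructed placeholders, and only the adminRoleNames path from the issue is modelled.

```python
import re

# Constructed placeholders modelled on the issue (not real identifiers).
LAMBDA_ROLE_NAME = "appsyncsubnodejs-LambdaRole-EXAMPLE"
API_ARN = "arn:aws:appsync:us-east-1:123456789012:apis/exampleapiid"

# Policy shape that `amplify add function` produces when Query, Mutation
# and Subscription are granted on the api category.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["appsync:GraphQL"],
        "Resource": [f"{API_ARN}/types/{t}/*"
                     for t in ("Query", "Mutation", "Subscription")],
        "Effect": "Allow",
    }],
}

# custom-roles.json before and after the role is allowlisted.
CUSTOM_ROLES_MISSING = {"adminRoleNames": []}
CUSTOM_ROLES_FIXED = {"adminRoleNames": [LAMBDA_ROLE_NAME]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def iam_grants_graphql(policy, api_arn, op_type):
    """True if an Allow statement covers appsync:GraphQL on a field of op_type."""
    probe = f"{api_arn}/types/{op_type}/someField"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("appsync:GraphQL", "appsync:*", "*")
                   for a in _as_list(stmt.get("Action"))):
            continue
        for resource in _as_list(stmt.get("Resource")):
            # Turn IAM resource wildcards (* and ?) into a regex.
            pattern = re.escape(resource).replace(r"\*", ".*").replace(r"\?", ".")
            if re.fullmatch(pattern, probe):
                return True
    return False


def diagnose(role_name, policy, custom_roles, api_arn, op_type="Query"):
    """Return (ok, reason) for why a Lambda role call would be Unauthorized."""
    if not iam_grants_graphql(policy, api_arn, op_type):
        return False, "IAM: role policy lacks appsync:GraphQL on this type"
    if role_name not in custom_roles.get("adminRoleNames", []):
        return False, "AppSync: role not listed in custom-roles.json adminRoleNames"
    return True, "ok"
```

Run diagnose() against the deployed role's policy document and the API's custom-roles.json to tell an IAM gap apart from the resolver-side allowlist gap the issue describes.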
@AnilMaktala (Member)

Hey @meghsv09, thank you for bringing this to our attention. We have noted it as a feature request for the team to review in more detail.
