Using AWS AppSync (with Amplify), how does one allow authenticated users read-only access, but only allow mutations for object owners?

I’m using Cognito User Pools as the default authentication method. I’m also using IAM for my Lambda backend. I’m using an AWS AppSync client in the Lambda function for some custom resolvers.

Let’s assume I have a User object type that fundamentally looks like this:

type User {
  id: ID!
  displayName: String!
}

What I want to be able to do:

  1. Allow full read/write access for the object owner.
  2. Allow the backend (with IAM) full read/write access.
  3. Allow read-only access for users who are authenticated through Cognito User Pools, but are not the owner of the object.

I’ve been picking and prodding with the @auth directive attempting to get the results I’m looking for but nothing has been able to work. I’ve looked at the documentation at AWS GraphQL Transform Docs and I seem to be a bit confused.

Here’s what I’ve tried:

type User
  @auth(rules: [
    { allow: owner, operations: [create, update, delete] }
    { allow: private, provider: iam, operations: [update, delete] }
  ]) {
  id: ID!
  displayName: String!
}

To my understanding, removing read from the operations list in the @auth directive removes the check on get and list queries. What am I doing wrong? How do I achieve my desired results?
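For comparison, here is an added example (not part of the original question or of Amplify's documentation) that spells out the three access patterns from the question as one explicit rule per audience, instead of relying on what happens when `read` is left out of the owner rule. The `User` type and field names follow the question; the `@model` directive is included because Amplify applies `@auth` to `@model` types. Whether the Lambda's execution role is matched by the `provider: iam` rule depends on how the project's IAM roles are configured, which the question does not show, so that part is an assumption.

```graphql
# Added example, not the asker's schema: the three access patterns as explicit rules.
type User
  @model
  @auth(rules: [
    # 1. The record owner gets every operation (read included, so it is not
    #    left to another rule).
    { allow: owner, operations: [create, update, delete, read] }

    # 2. IAM callers (assumption: the backend Lambda's role is one of the IAM
    #    roles the project maps to this rule) get every operation.
    { allow: private, provider: iam, operations: [create, update, delete, read] }

    # 3. Any signed-in Cognito User Pools user who is not the owner: read only.
    #    Rules are combined with OR, so this does not widen the owner's write rule.
    { allow: private, provider: userPools, operations: [read] }
  ]) {
  id: ID!
  displayName: String!
}
```

Writing the read rule out as its own `private` rule, rather than relying on the owner rule's omitted `read`, makes the intended read audience explicit in the schema and keeps every write operation behind the owner and IAM rules only.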

