aws appsync auth directive not limiting access as expected

Tags:

aws-appsync

In my GraphQL schema for the AppSync API I am using, I want to limit my users' actions based on the group they belong to.

According to the docs, adding the line @aws_auth(cognito_groups: ["Admins"]) should restrict access to only users belonging to the "Admins" group. This does not happen when I run the mutation from the AppSync console or from the app itself.

My mutation is as follows:

type Mutation @aws_iam
              @aws_cognito_user_pools {
    createItem(input: CreateItemInput!): Item
    updateItem(input: UpdateItemInput!): Item
        @aws_auth(cognito_groups: ["Admins"])
}

The @aws_iam and @aws_cognito_user_pools directives seem to work fine. But anyone who has authenticated or has an IAM role can still perform an update, even if they do not belong to the "Admins" group.

What is going on here? Is there additional configuration that needs to be done to get this to work?

hyprstack asked Oct 13 '25 09:10


1 Answer

Just to clarify further, as this is not well documented.

If you are using a single authorization provider and that provider is Cognito, you should always use the @aws_auth directive. Do not use the @aws_cognito_user_pools directive, as it does not work if you are using group-based authorization. This is not well documented in the AWS Cognito docs and is a trap, as AppSync will allow you to configure this directive.

If you are using multiple authorization providers and you are using Cognito, you must use the @aws_cognito_user_pools directive, as documented in the AWS Cognito docs. Strangely, group-based authorization works correctly using @aws_cognito_user_pools, but ONLY when using multiple authorization providers.

mixja answered Oct 16 '25 13:10
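The two schema shapes the answer describes, written out as an added example (this is not code from the question or the answer; the type and input names are the ones the question uses, everything else is an assumption). The two Mutation definitions are alternatives for the two API configurations and are not meant to sit in one schema; pick the one that matches how the API's authorization providers are configured.

```graphql
# Option A: the API has a single authorization provider, Amazon Cognito User Pools.
# The group restriction goes on @aws_auth at the field level, and
# @aws_cognito_user_pools is not used at all.
type Mutation {
  # Any authenticated user of the pool may create an item.
  createItem(input: CreateItemInput!): Item
  # Only callers whose ID token carries "Admins" in cognito:groups may update.
  updateItem(input: UpdateItemInput!): Item
    @aws_auth(cognito_groups: ["Admins"])
}

# Option B: the API has multiple authorization providers (here IAM plus Cognito
# User Pools). The group list now goes on @aws_cognito_user_pools; a field-level
# @aws_auth is the combination the question shows not working in this mode.
type Mutation @aws_iam @aws_cognito_user_pools {
  createItem(input: CreateItemInput!): Item
  # Group-restricted for Cognito callers. Whether IAM callers can still reach
  # this field depends on how AppSync combines the type-level @aws_iam with the
  # field-level directive; confirm with an IAM caller in the console and add
  # @aws_iam here only if IAM updates are intended.
  updateItem(input: UpdateItemInput!): Item
    @aws_cognito_user_pools(cognito_groups: ["Admins"])
}
```

Whichever option applies, test the negative case explicitly after deploying: sign in as a pool user who is not in "Admins" and run updateItem from the AppSync console. The question's symptom (the update succeeds for everyone) is only visible from a non-member account, so a test with an admin user alone proves nothing about the restriction.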


