My service requires user groups for authorising access to data.
Group authorization examples in AppSync documentation are based on User Pool claims. I'm using IAM authentication so $context.identity doesn't include claims or any similar information.
See, for example, topic "Use Case: Group Can Create New Record" in: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html
#set($expression = "")
#set($expressionValues = {})
#foreach($group in $context.identity.claims.get("cognito:groups"))
#set( $expression = "${expression} contains(groupsCanAccess, :var$foreach.count )" )
#set( $val = {})
#set( $test = $val.put("S", $group))
#set( $values = $expressionValues.put(":var$foreach.count", $val))
#if ( $foreach.hasNext )
#set( $expression = "${expression} OR" )
#end
#end
{
"version" : "2017-02-28",
"operation" : "PutItem",
"key" : {
## If your table's hash key is not named 'id', update it here. **
"id" : { "S" : "$context.arguments.id" }
## If your table has a sort key, add it as an item here. **
},
"attributeValues" : {
## Add an item for each field you would like to store to Amazon DynamoDB. **
"title" : { "S" : "${context.arguments.title}" },
"content": { "S" : "${context.arguments.content}" },
"owner": {"S": "${context.identity.username}" }
},
"condition" : {
"expression": "attribute_not_exists(id) OR $expression",
"expressionValues": $utils.toJson($expressionValues)
}
}
I would expect to just check from User table whether the user is in a group that grants this permission. However, DynamoDB conditions don't seem to support querying other tables.
