From c5df46d3553c8cb984076e4d24a551135dcb1475 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Tue, 19 Mar 2024 10:49:21 -0400 Subject: [PATCH 01/19] add client side code for public access --- .../public-data-access/index.mdx | 44 ++++++++++++++++++- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx index 3ad4d8d7ed3..fc01983e708 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx @@ -17,7 +17,7 @@ The public authorization strategy grants everyone access to the API, which is pr To grant everyone access, use the `.public()` authorization strategy. Behind the scenes, the API will be protected with an API key. -```ts +```ts title="amplify/data/resource.ts" const schema = a.schema({ Todo: a .model({ @@ -27,11 +27,31 @@ const schema = a.schema({ }); ``` +In your application, you can perform CRUD operations against the model using `client.models.` by specifying the `apiKey` auth mode. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: newTodo } = await client.models.Todo.create( + { + content: 'My new todo', + }, + // highlight-start + { + authMode: 'apiKey', + } + // highlight-end +); +``` + ## Add public authorization rule using IAM authentication You can also override the authorization provider. In the example below, `iam` is specified as the provider which allows you to use an "Unauthenticated Role" from the Cognito identity pool for public access instead of an API key. Your Auth resources defined in `amplify/auth/resource.ts` generates scoped down IAM policies for the "Unauthenticated role" in the Cognito identity pool automatically. -```ts +```ts title="amplify/data/resource.ts" const schema = a.schema({ Todo: a .model({ @@ -40,3 +60,23 @@ const schema = a.schema({ .authorization([a.allow.public('iam')]), }); ``` + +In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. Note in this instance the user must be unauthenticated for the client to sign the request using the Amplify-generated `UnAuthRole` IAM role. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: newTodo } = await client.models.Todo.create( + { + content: 'My new todo', + }, + // highlight-start + { + authMode: 'iam', + } + // highlight-end +); +``` From 045a30229bb00f93fe01f73446c0f422cfc5f27d Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Tue, 19 Mar 2024 10:49:58 -0400 Subject: [PATCH 02/19] add client side code for signed in user access --- .../signed-in-user-data-access/index.mdx | 45 ++++++++++++++++++- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx index cab9607992b..e25f21a3a16 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx @@ -23,7 +23,7 @@ You can use the `private` authorization strategy to restrict a record's access t In the example below, anyone with a valid JWT token from the Cognito user pool is allowed access to all Todos. -```ts +```ts title="amplify/data/resource.ts" const schema = a.schema({ Todo: a .model({ @@ -33,11 +33,32 @@ const schema = a.schema({ }); ``` +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: newTodo } = await client.models.Todo.create( + { + content: 'My new todo', + }, + // highlight-start + { + authMode: 'userPool', + } + // highlight-end +); +``` + ## Override the authentication provider You can also override the authorization provider. In the example below, `iam` is specified as the provider which allows you to use an "Unauthenticated Role" from the Cognito identity pool for public access instead of an API key. Your Auth resources defined in `amplify/auth/resource.ts` generates scoped down IAM policies for the "Unauthenticated role" in the Cognito identity pool automatically. -```ts + +```ts title="amplify/data/resource.ts" const schema = a.schema({ Todo: a .model({ @@ -47,4 +68,24 @@ const schema = a.schema({ }); ``` +In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. Note in this instance the user must be authenticated for the client to sign the request using the Amplify-generated `AuthRole` IAM role. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: newTodo } = await client.models.Todo.create( + { + content: 'My new todo', + }, + // highlight-start + { + authMode: 'iam', + } + // highlight-end +); +``` + In addition, you can also use OpenID Connect with `private` authorization. See [OpenID Connect as an authorization provider](/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/). From dc78ce2849b9f68c74a4b7dc4693ab05e3f687e4 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Tue, 19 Mar 2024 10:50:10 -0400 Subject: [PATCH 03/19] add client side code for multi user access --- .../multi-user-data-access/index.mdx | 37 ++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/multi-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/multi-user-data-access/index.mdx index 5124f3d60b8..839531de551 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/multi-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/multi-user-data-access/index.mdx @@ -18,7 +18,7 @@ The `multipleOwners` rule grants a set of users access to a record by automatica If you want to grant a set of users access to a record, you use the `multipleOwners` rule. This automatically creates a `owner: a.string().array()` field to store the allowed owners. -```ts +```ts title="amplify/data/resource.ts" const schema = a.schema({ Todo: a .model({ @@ -28,6 +28,41 @@ const schema = a.schema({ }); ``` +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +// Create a record with current user as first owner +const { errors, data: newTodo } = await client.models.Todo.create( + { + content: 'My new todo', + }, + // highlight-start + { + authMode: 'userPool', + } + // highlight-end +); +``` +```ts +// Add another user as an owner +await client.models.Todo.update( + { + id: newTodo.id, + owner: [...(newTodo.owner as string[]), otherUserId], + }, + // highlight-start + { + authMode: "userPool" + } + // highlight-end +); +``` + ## Override to a list of owners You can override the `inField` to a list of owners. Use this if you want a dynamic set of users to have access to a record. In the example below, the `authors` list is populated with the creator of the record upon record creation. The creator can then update the `authors` field with additional users. Any user listed in the `authors` field can access the record. From f5d9399220ffc3c5766a4266053c488465325abd Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Tue, 19 Mar 2024 10:50:29 -0400 Subject: [PATCH 04/19] add client side code for per user/owner access --- .../per-user-per-owner-data-access/index.mdx | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/per-user-per-owner-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/per-user-per-owner-data-access/index.mdx index 857c65cc002..c814e0fc20a 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/per-user-per-owner-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/per-user-per-owner-data-access/index.mdx @@ -18,7 +18,8 @@ The `owner` authorization strategy restricts operations on a record to only the You can use the `owner` authorization strategy to restrict a record's access to a specific user. When `owner` authorization is configured, only the record's `owner` is allowed the specified operations. -```ts + +```ts title="amplify/data/resource.ts" // The "owner" of a Todo is allowed to create, read, update, and delete their own todos const schema = a.schema({ Todo: a @@ -29,7 +30,7 @@ const schema = a.schema({ }); ``` -```ts +```ts title="amplify/data/resource.ts" // The "owner" of a Todo record is only allowed to create, read, and update it. // The "owner" of a Todo record is denied to delete it. const schema = a.schema({ @@ -41,6 +42,26 @@ const schema = a.schema({ }); ``` +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: newTodo } = await client.models.Todo.create( + { + content: 'My new todo', + }, + // highlight-start + { + authMode: 'userPool', + } + // highlight-end +); +``` + Behind the scenes, Amplify will automatically add a `owner: a.string()` field to each record which contains the record owner's identity information upon record creation. By default, the Cognito user pool's user information is populated into the `owner` field. The value saved includes `sub` and `username` in the format `::`. The API will authorize against the full value of `::` or `sub` / `username` separately and return `username`. You can alternatively configure [OpenID Connect as an authorization provider](/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider). From 2d067ad8ba14db53bdda00862e32b3ca77f3300d Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Tue, 19 Mar 2024 10:50:51 -0400 Subject: [PATCH 05/19] add client side code for custom id & group claims --- .../index.mdx | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx index 7d412062548..f4ab2718b49 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx @@ -15,7 +15,7 @@ Amplify Data supports using custom identity and group claims if you do not wish To use custom claims specify `identityClaim` or `groupClaim` as appropriate. In the example below, the `identityClaim` is specified and the record owner will check against this `user_id` claim. Similarly, if the `user_groups` claim contains a "Moderator" string then access will be granted. -```ts +```ts title="amplify/data/resource.ts" import { a, defineData, type ClientSchema } from '@aws-amplify/backend'; const schema = a.schema({ @@ -37,3 +37,24 @@ export type Schema = ClientSchema; export const data = defineData({ schema }); ``` + +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: newTodo } = await client.models.Todo.create( + { + postname: 'My New Post' + content: 'My post content', + }, + // highlight-start + { + authMode: 'userPool', + } + // highlight-end +); +``` From 76e54374ca434ee28157d1d3131362d95c071203 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Tue, 19 Mar 2024 10:51:05 -0400 Subject: [PATCH 06/19] add client side code for custom access --- .../custom-data-access-patterns/index.mdx | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/index.mdx index 0fa50967900..c8ae34691c7 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/index.mdx @@ -13,7 +13,7 @@ export function getStaticProps(context) { You can define your own custom authorization rule with a Lambda function. -```ts +```ts title="amplify/data/resource.ts" import { type ClientSchema, a, @@ -51,6 +51,26 @@ export const data = defineData({ }); ``` +In your application, you can perform CRUD operations against the model using `client.models.` with the `lambda` auth mode. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: newTodo } = await client.models.Todo.create( + { + content: 'My new todo', + }, + // highlight-start + { + authMode: 'lambda', + } + // highlight-end +); +``` + The Lambda function of choice will receive an authorization token from the client and execute the desired authorization logic. The AppSync GraphQL API will receive a payload from Lambda after invocation to allow or deny the API call accordingly. To configure a Lambda function as the authorization mode, create a new file `amplify/data/custom-authorizer.ts`. You can use this Lambda function code template as a starting point for your authorization handler code: From 82e94712a92199b1d6c0f40e50fe8da9693152ca Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Tue, 19 Mar 2024 10:51:23 -0400 Subject: [PATCH 07/19] add client side code for user pool group access --- .../user-group-based-data-access/index.mdx | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/user-group-based-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/user-group-based-data-access/index.mdx index 1f427cbe2c5..7e4cdf6bab3 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/user-group-based-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/user-group-based-data-access/index.mdx @@ -17,7 +17,7 @@ You can use the `group` authorization strategy to restrict access based on user When you want to restrict access to a specific set of user groups, provide the group names in the `groups` parameter. In the example below, only users that are part of the "Admin" user group are granted access to the Salary model. -```ts +```ts title="amplify/data/resource.ts" // allow one specific group const schema = a.schema({ Salary: a @@ -29,6 +29,28 @@ const schema = a.schema({ }); ``` +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +// As a signed-in user that belongs to the 'Admin' User Pool Group +const { errors, data: newSalary } = await client.models.Salary.create( + { + wage: 50.25, + currency: 'USD' + }, + // highlight-start + { + authMode: 'userPool', + } + // highlight-end +); +``` + This can then be updated to allow access to multiple defined groups; in this example below we added access for "Leadership". ```ts From 5d00b1b75b9ce9abe0b6a5a606f6c63203f04e84 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Tue, 19 Mar 2024 10:51:36 -0400 Subject: [PATCH 08/19] add client side code for oidc access --- .../using-oidc-authorization-provider/index.mdx | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/index.mdx index e1f3fecb21d..a57c2377408 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/index.mdx @@ -49,3 +49,18 @@ export const data = defineData({ }, }); ``` + +In your application, you can perform CRUD operations against the model using `client.models.` by specifying the `oidc` auth mode. + +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: todos } = await client.models.Todo.list({ + // highlight-start + authMode: "oidc", + // highlight-end +}); +``` From d452b893a8dba514784c0fe0519d61bf268d0c43 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Wed, 27 Mar 2024 15:57:24 -0400 Subject: [PATCH 09/19] Update src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx Co-authored-by: Rene Brandel <4989523+renebrandel@users.noreply.github.com> --- .../data/customize-authz/signed-in-user-data-access/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx index e25f21a3a16..1fa74a11f6f 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx @@ -53,7 +53,7 @@ const { errors, data: newTodo } = await client.models.Todo.create( ); ``` -## Override the authentication provider +## Use identity pool for signed-in user authentication You can also override the authorization provider. In the example below, `iam` is specified as the provider which allows you to use an "Unauthenticated Role" from the Cognito identity pool for public access instead of an API key. Your Auth resources defined in `amplify/auth/resource.ts` generates scoped down IAM policies for the "Unauthenticated role" in the Cognito identity pool automatically. From 5db56fa9d8b9526f7d162a373f4ebd58b6290661 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Mon, 8 Apr 2024 11:36:08 -0400 Subject: [PATCH 10/19] add info callout and configuration code to public/private iam examples --- .../public-data-access/index.mdx | 29 ++++++++++++++++++- .../signed-in-user-data-access/index.mdx | 28 +++++++++++++++++- 2 files changed, 55 insertions(+), 2 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx index fc01983e708..1e3c9f6537f 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx @@ -61,7 +61,34 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. Note in this instance the user must be unauthenticated for the client to sign the request using the Amplify-generated `UnAuthRole` IAM role. +In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. + + +**Note** +In the Amplify Library's client configuration file (`amplifyconfiguration.json`) set `allowGuestAccess` to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. + + +```json +{ + "Auth": { + "Cognito": { + "userPoolId": "YOUR_USER_POOL_ID", + "userPoolClientId": "YOUR_USER_POOL_CLIENT_ID", + "identityPoolId": "YOUR_IDENTITY_POOL_ID", + "allowGuestAccess": true + }, + }, + "API": { + "GraphQL": { + "endpoint": "YOUR_API_ENDPOINT", + "region": "YOUR_API_REGION", + "defaultAuthMode": "YOUR_DEFAULT_AUTHORIZATION_MODE", + }, + }, +} +``` + + ```ts import { generateClient } from 'aws-amplify/data'; diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx index 1fa74a11f6f..c3f18b232a7 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx @@ -68,7 +68,7 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. Note in this instance the user must be authenticated for the client to sign the request using the Amplify-generated `AuthRole` IAM role. +In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; @@ -87,5 +87,31 @@ const { errors, data: newTodo } = await client.models.Todo.create( // highlight-end ); ``` + +**Note** +In the Amplify Library's client configuration file (`amplifyconfiguration.json`) set `allowGuestAccess` to `true`. This lets the Amplify Library use the authenticated role from your Cognito identity pool when your user is logged in. + + +```json +{ + "Auth": { + "Cognito": { + "userPoolId": "YOUR_USER_POOL_ID", + "userPoolClientId": "YOUR_USER_POOL_CLIENT_ID", + "identityPoolId": "YOUR_IDENTITY_POOL_ID", + "allowGuestAccess": true + }, + }, + "API": { + "GraphQL": { + "endpoint": "YOUR_API_ENDPOINT", + "region": "YOUR_API_REGION", + "defaultAuthMode": "YOUR_DEFAULT_AUTHORIZATION_MODE", + }, + }, +} +``` + + In addition, you can also use OpenID Connect with `private` authorization. See [OpenID Connect as an authorization provider](/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/). From 2ca526ac7fae6436560c385b1150a1d108438583 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Mon, 8 Apr 2024 11:37:43 -0400 Subject: [PATCH 11/19] move callout up --- .../signed-in-user-data-access/index.mdx | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx index c3f18b232a7..a6e8a1bee32 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx @@ -70,23 +70,6 @@ const schema = a.schema({ In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. -```ts -import { generateClient } from 'aws-amplify/data'; -import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition - -const client = generateClient(); - -const { errors, data: newTodo } = await client.models.Todo.create( - { - content: 'My new todo', - }, - // highlight-start - { - authMode: 'iam', - } - // highlight-end -); -``` **Note** In the Amplify Library's client configuration file (`amplifyconfiguration.json`) set `allowGuestAccess` to `true`. This lets the Amplify Library use the authenticated role from your Cognito identity pool when your user is logged in. @@ -114,4 +97,22 @@ In the Amplify Library's client configuration file (`amplifyconfiguration.json`) +```ts +import { generateClient } from 'aws-amplify/data'; +import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition + +const client = generateClient(); + +const { errors, data: newTodo } = await client.models.Todo.create( + { + content: 'My new todo', + }, + // highlight-start + { + authMode: 'iam', + } + // highlight-end +); +``` + In addition, you can also use OpenID Connect with `private` authorization. See [OpenID Connect as an authorization provider](/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/). From 78371c435a9fd8550dfbd56b530ff1e4c77d6cca Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Mon, 8 Apr 2024 11:39:12 -0400 Subject: [PATCH 12/19] remove "**note**" from callouts --- .../data/customize-authz/public-data-access/index.mdx | 1 - .../data/customize-authz/signed-in-user-data-access/index.mdx | 1 - 2 files changed, 2 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx index 1e3c9f6537f..8b6e6e11200 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx @@ -64,7 +64,6 @@ const schema = a.schema({ In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. -**Note** In the Amplify Library's client configuration file (`amplifyconfiguration.json`) set `allowGuestAccess` to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx index a6e8a1bee32..5b2c0809f16 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx @@ -71,7 +71,6 @@ const schema = a.schema({ In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. -**Note** In the Amplify Library's client configuration file (`amplifyconfiguration.json`) set `allowGuestAccess` to `true`. This lets the Amplify Library use the authenticated role from your Cognito identity pool when your user is logged in. From 2d5be52f6077e2ea7abcf55c1273ddaf200136df Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Thu, 11 Apr 2024 15:22:15 -0400 Subject: [PATCH 13/19] remove allowGuestAccess info from private iam example --- .../signed-in-user-data-access/index.mdx | 24 +------------------ 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx index 5b2c0809f16..3d911b85b8f 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx @@ -71,29 +71,7 @@ const schema = a.schema({ In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. -In the Amplify Library's client configuration file (`amplifyconfiguration.json`) set `allowGuestAccess` to `true`. This lets the Amplify Library use the authenticated role from your Cognito identity pool when your user is logged in. - - -```json -{ - "Auth": { - "Cognito": { - "userPoolId": "YOUR_USER_POOL_ID", - "userPoolClientId": "YOUR_USER_POOL_CLIENT_ID", - "identityPoolId": "YOUR_IDENTITY_POOL_ID", - "allowGuestAccess": true - }, - }, - "API": { - "GraphQL": { - "endpoint": "YOUR_API_ENDPOINT", - "region": "YOUR_API_REGION", - "defaultAuthMode": "YOUR_DEFAULT_AUTHORIZATION_MODE", - }, - }, -} -``` - + The user must be logged in for the Amplify Library to use the authenticated role from your Cognito identity pool. ```ts From ef584f397e0f377c801843620eb4993fbe0eaab5 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Thu, 11 Apr 2024 15:23:48 -0400 Subject: [PATCH 14/19] edit the public iam example, adding allowGuestAss to Amplify.configure instead of json file --- .../public-data-access/index.mdx | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx index 8b6e6e11200..c7b77ce8b3f 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx @@ -64,27 +64,26 @@ const schema = a.schema({ In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. -In the Amplify Library's client configuration file (`amplifyconfiguration.json`) set `allowGuestAccess` to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. +In the Amplify Library's resource configuration set `allowGuestAccess` to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. - + ```json -{ - "Auth": { - "Cognito": { - "userPoolId": "YOUR_USER_POOL_ID", - "userPoolClientId": "YOUR_USER_POOL_CLIENT_ID", - "identityPoolId": "YOUR_IDENTITY_POOL_ID", - "allowGuestAccess": true - }, - }, - "API": { - "GraphQL": { - "endpoint": "YOUR_API_ENDPOINT", - "region": "YOUR_API_REGION", - "defaultAuthMode": "YOUR_DEFAULT_AUTHORIZATION_MODE", - }, - }, -} +import { Amplify } from "aws-amplify"; +import config from "../amplifyconfiguration.json"; + +Amplify.configure( + { + ...config, + Auth: { + Cognito: { + identityPoolId: config.aws_cognito_identity_pool_id, + userPoolClientId: config.aws_user_pools_web_client_id, + userPoolId: config.aws_user_pools_id, + allowGuestAccess: true, + }, + }, + } +); ``` From bc39f46f90a90b759fea538f3904aca101af1746 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Thu, 11 Apr 2024 15:31:46 -0400 Subject: [PATCH 15/19] add ts tag and accordion title --- .../data/customize-authz/public-data-access/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx index c7b77ce8b3f..2ea47c2b6ff 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx @@ -66,8 +66,8 @@ In your application, you can perform CRUD operations against the model using `cl In the Amplify Library's resource configuration set `allowGuestAccess` to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. - -```json + +```ts import { Amplify } from "aws-amplify"; import config from "../amplifyconfiguration.json"; From 06b6c54dec00793fc5a462ebb6635ae9239427de Mon Sep 17 00:00:00 2001 From: Rene Brandel <4989523+renebrandel@users.noreply.github.com> Date: Thu, 11 Apr 2024 12:38:33 -0700 Subject: [PATCH 16/19] Update src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx Co-authored-by: josef --- .../configure-custom-identity-and-group-claim/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx index f4ab2718b49..6dc13f3656e 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/index.mdx @@ -38,7 +38,7 @@ export const data = defineData({ schema }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; From b60a787cd03bea00a9427329f6809e595eb951a3 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Thu, 11 Apr 2024 15:41:11 -0400 Subject: [PATCH 17/19] > --- .../customize-authz/custom-data-access-patterns/index.mdx | 2 +- .../data/customize-authz/multi-user-data-access/index.mdx | 2 +- .../customize-authz/per-user-per-owner-data-access/index.mdx | 2 +- .../data/customize-authz/public-data-access/index.mdx | 4 ++-- .../data/customize-authz/signed-in-user-data-access/index.mdx | 4 ++-- .../customize-authz/user-group-based-data-access/index.mdx | 2 +- .../using-oidc-authorization-provider/index.mdx | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/index.mdx index c8ae34691c7..730cfefd3f2 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/index.mdx @@ -51,7 +51,7 @@ export const data = defineData({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `lambda` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` with the `lambda` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/multi-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/multi-user-data-access/index.mdx index 839531de551..97c1cf8e932 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/multi-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/multi-user-data-access/index.mdx @@ -28,7 +28,7 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/per-user-per-owner-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/per-user-per-owner-data-access/index.mdx index c814e0fc20a..54a84cd4217 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/per-user-per-owner-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/per-user-per-owner-data-access/index.mdx @@ -42,7 +42,7 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx index c37708545c4..e8563ce4ccf 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx @@ -27,7 +27,7 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` by specifying the `apiKey` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` by specifying the `apiKey` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; @@ -61,7 +61,7 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. In the Amplify Library's resource configuration set `allowGuestAccess` to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx index 8a7cd88ccd6..d02f7009a7f 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/signed-in-user-data-access/index.mdx @@ -33,7 +33,7 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; @@ -68,7 +68,7 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. The user must be logged in for the Amplify Library to use the authenticated role from your Cognito identity pool. diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/user-group-based-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/user-group-based-data-access/index.mdx index 7e4cdf6bab3..2de0c26b284 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/user-group-based-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/user-group-based-data-access/index.mdx @@ -29,7 +29,7 @@ const schema = a.schema({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` with the `userPool` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/index.mdx index a57c2377408..0132ebf9dfe 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/using-oidc-authorization-provider/index.mdx @@ -50,7 +50,7 @@ export const data = defineData({ }); ``` -In your application, you can perform CRUD operations against the model using `client.models.` by specifying the `oidc` auth mode. +In your application, you can perform CRUD operations against the model using `client.models.` by specifying the `oidc` auth mode. ```ts import { generateClient } from 'aws-amplify/data'; From 45c02438976f4b84ba99ce84ff967fa32573fdcc Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 12 Apr 2024 09:11:39 -0400 Subject: [PATCH 18/19] add filename titles to code snippets --- .../data/customize-authz/public-data-access/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx index e8563ce4ccf..b7c75f73c4b 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx @@ -67,7 +67,7 @@ In your application, you can perform CRUD operations against the model using `cl In the Amplify Library's resource configuration set `allowGuestAccess` to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. -```ts +```ts title="src/App.tsx" import { Amplify } from "aws-amplify"; import config from "../amplifyconfiguration.json"; @@ -88,7 +88,7 @@ Amplify.configure( -```ts +```ts title="src/App.tsx" import { generateClient } from 'aws-amplify/data'; import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition From 0117ae2306e48e009a22a55201b3f4e2690c0d07 Mon Sep 17 00:00:00 2001 From: Rene Brandel <4989523+renebrandel@users.noreply.github.com> Date: Fri, 12 Apr 2024 06:49:50 -0700 Subject: [PATCH 19/19] Update src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx --- .../data/customize-authz/public-data-access/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx index b7c75f73c4b..ecfc87a8c9f 100644 --- a/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx +++ b/src/pages/gen2/build-a-backend/data/customize-authz/public-data-access/index.mdx @@ -64,7 +64,7 @@ const schema = a.schema({ In your application, you can perform CRUD operations against the model using `client.models.` with the `iam` auth mode. -In the Amplify Library's resource configuration set `allowGuestAccess` to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. +If you're not using the auto-generated **amplifyconfiguration.json** file, then you must set the Amplify Library resource configuration's `allowGuestAccess` flag to `true`. This lets the Amplify Library use the unauthenticated role from your Cognito identity pool when your user isn't logged in. ```ts title="src/App.tsx"