amplify-category-api

Unable to call aggregateItems inside a lambda function

Open Tedsterh opened this issue 2 years ago • 8 comments

Before opening, please confirm:

  • [X] I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
  • [X] I have searched for duplicate or closed issues.
  • [X] I have read the guide for submitting bug reports.
  • [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • [X] I have removed any sensitive information from my code snippets and submission.

How did you install the Amplify CLI?

npm install -g @aws-amplify/cli

If applicable, what version of Node.js are you using?

v16.14.0

Amplify CLI Version

7.6.26

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Amplify Categories

api

Amplify Commands

push

Describe the bug

I am unable to use aggregateItems when searching a model from inside a Lambda function. The same Lambda function is able to call and return the fields that are being denied by the aggregation.

These are the auth rules on my model

@auth(rules: [
  {allow: private, provider: iam},
  {allow: groups, groups: ["Admin"]},
])

The IAM users should have full access permissions; there are no other auth rules on any of the fields.

This is the error returned

message: 'Unauthorized to run aggregation on field: amount'

But there are no other rules on the model that could be denying it.

Expected behavior

I should be able to get a sum from the searching aggregation without being denied.

Reproduction steps

  1. I created a model with the @searchable directive

  2. Added a Lambda function with a call to search the model

  3. I gave the Lambda function permission to query and mutate from the CLI

  4. The request is signed using the access id and secret key as described in the docs

  5. I then ran amplify push to push the changes

  6. Ran the function from the AWS Lambda console

GraphQL schema(s)

# Put schemas below this line
enum TransactionType {
  income
  expense
}

type Transaction @model @searchable @auth(rules: [
    {allow: private, provider: iam},
    {allow: groups, groups: ["Admin"]},
  ]) {
    id: ID!
    type: TransactionType!
    amount: Float!
    transactionId: String!
    startedAt: AWSDateTime!
    completedAt: AWSDateTime!
}

Log output

# Put your logs below this line


Additional information

No response

Tedsterh, Mar 24 '22 18:03
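For reference, the kind of request the reproduction steps describe: a SigV4-signed search with a sum aggregate on `amount`, built with Node's standard `crypto` module. This is an added example, not the reporter's code; the endpoint, region and credentials are constructed placeholders, and the query name `searchTransactions` and aggregate name `totalAmount` are assumptions based on the schema above.

```javascript
// Added example: endpoint, region and keys passed in are constructed placeholders.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const hmac = (key, s) => crypto.createHmac("sha256", key).update(s).digest();

// Sum aggregate over Transaction.amount, the field named in the error message.
// searchTransactions and "totalAmount" are assumed names, not taken from the issue.
const QUERY = `query SumAmount {
  searchTransactions(aggregates: [{ name: "totalAmount", type: sum, field: amount }]) {
    aggregateItems {
      name
      result { ... on SearchableAggregateScalarResult { value } }
    }
  }
}`;

// Returns a SigV4-signed POST (service "appsync") without sending it.
function signSearchRequest({ endpoint, region, accessKeyId, secretAccessKey, sessionToken, now = new Date() }) {
  const url = new URL(endpoint);
  const body = JSON.stringify({ query: QUERY });
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // e.g. 20220324T180300Z
  const scope = `${amzDate.slice(0, 8)}/${region}/appsync/aws4_request`;
  const headers = { "content-type": "application/json", host: url.host, "x-amz-date": amzDate };
  // Temporary credentials (a Lambda execution role) must also sign the session token.
  if (sessionToken) headers["x-amz-security-token"] = sessionToken;
  const names = Object.keys(headers).sort();
  const canonicalRequest = [
    "POST", url.pathname, "", // method, path, empty query string
    ...names.map((n) => `${n}:${headers[n]}`), "",
    names.join(";"), sha256(body),
  ].join("\n");
  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256(canonicalRequest)].join("\n");
  // Key derivation chain: date -> region -> service -> "aws4_request".
  const signingKey = scope.split("/").reduce((k, part) => hmac(k, part), "AWS4" + secretAccessKey);
  const signature = hmac(signingKey, stringToSign).toString("hex");
  headers.authorization = `AWS4-HMAC-SHA256 Credential=${accessKeyId}/${scope}, ` +
    `SignedHeaders=${names.join(";")}, Signature=${signature}`;
  return { method: "POST", url: url.href, headers, body };
}
```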