API access unauthenticated error using IAM as an additional auth mode on client

Which Category is your question related to? Multiple auth modes on API

Amplify CLI Version 4.4.0

What AWS Services are you utilizing? Amplify Auth, Amplify API, Lambda resolver

Provide additional details e.g. code snippets My API has the default auth mode set as cognito user pool and one additional auth mode as IAM. However when I access the API with the following code with amplify generated aws-exports.js config:

    const res = await API.graphql({
      query: queries.getHanShanRate,
      variables: {input: {currency: 'CNY'}},
      authMode: 'AWS_IAM'
    });
    console.log(res);

I get the following error with code 401:

{
  "errors" : [ {
    "errorType" : "UnauthorizedException",
    "message" : "Permission denied"
  } ]
}

However in the Appsync web console, using the IAM auth mode do the same query returns the expected result shown in the screen shot below:

Do I need additional IAM configurations on the client side? The documentation is lacking in this regard and there isn’t much examples that I can follow. My graphql schema as shown in AppSync web console (as current graphql transform library does not yet support multiple auth modes):

# this query invokes a lambda resolver to get data from an external source
type Query {
	getHanShanRate(input: getReferenceRateInput): ReferenceRateResult
		@aws_iam
}

type ReferenceRateResult @aws_iam {
	currency: Currency
	rate: Float
	fee: Float
	feeCurrency: Currency
	updatedAt: AWSDateTime
}

My intention for this setup is straight forward: I need to open some APIs to unauthenticated users while other APIs are protected by cognito user pool by default. Is there a better way of achieving the same goal?