(aws-appsync): userPoolConfig authorizer ignores the userpool region


When adding an authorizer to the appSync, using the userPoolConfig, we can import the authorizer from the ARN; however, the CF will add the deployment region rather than the authorizer region for that particular instance.

Reproduction Steps

    import * as appsync from '@aws-cdk/aws-appsync';
    import * as cognito from '@aws-cdk/aws-cognito';

    // Inside a Stack constructor; userPoolArn points at a user pool in another region.
    const currentAuthorizer = cognito.UserPool.fromUserPoolArn(this, 'AuthInAnotherRegion', userPoolArn);
    const featuresApi = new appsync.GraphqlApi(this, 'GqlApi', {
      name: 'feature-control',
      schema: appsync.Schema.fromAsset('graphql/schema.graphql'),
      authorizationConfig: {
        defaultAuthorization: {
          authorizationType: appsync.AuthorizationType.USER_POOL,
          userPoolConfig: {
            userPool: currentAuthorizer,
          },
        },
      },
    });

What did you expect to happen?

    Resources:
      GqlApi4E487465:
        Type: AWS::AppSync::GraphQLApi
        Properties:
          AuthenticationType: AMAZON_COGNITO_USER_POOLS
          Name: feature-control
          UserPoolConfig:
            AwsRegion: eu-west-2
            DefaultAction: ALLOW
            UserPoolId: eu-west-2_USERPOOLID
        Metadata:
          aws:cdk:path: FeaturesBackendFrankFurt/GqlApi/Resource

What actually happened?

    Resources:
      GqlApi4E487465:
        Type: AWS::AppSync::GraphQLApi
        Properties:
          AuthenticationType: AMAZON_COGNITO_USER_POOLS
          Name: feature-control
          UserPoolConfig:
            AwsRegion: eu-central-1
            DefaultAction: ALLOW
            UserPoolId: eu-west-2_USERPOOLID
        Metadata:
          aws:cdk:path: FeaturesBackendFrankFurt/GqlApi/Resource

Environment

  • CDK CLI Version : 1.94.1
  • Framework Version:
  • Node.js Version: 14.16.0
  • OS : macOS Darwin
  • Language (Version): typescript

Other

I have tried overwriting the env to see if that would be picked up as a workaround to no avail:

    defaultAuthorization: {
      authorizationType: appsync.AuthorizationType.USER_POOL,
      userPoolConfig: {
        userPool: currentAuthorizer,
      },
    },

I expect the region to be picked up based on the returned authorizer, as it most likely will include its own region (or picked up from the id as it is also included…)


This is 🐛 Bug Report

Thanks!

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
DaWyz commented, Mar 21, 2021

The issue is related to the way the Cognito UserPools are imported. You won’t be able to parse the value from the arn as it’s recreated on import. Created a PR to fix the issue.

1 reaction
psoares-resilient commented, Mar 19, 2021

Found a workaround (not sure if it is intended to be used this way… ).

The code will set the region based on the userPool.stack.region; by passing a new Stack and setting the region I want as props, it will pick up the right region. It does look a bit hacky, but it works:

    const currentAuthorizer = cognito.UserPool.fromUserPoolArn(
      new Stack(this, 'ImportCognitoFromAnotherRegion', {
        env: {
          region: 'eu-west-2',
        },
      }),
      'TheCognitoFromAnotherRegion',
      userPoolArn
    );
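
A check that catches this mismatch in a synthesized template before deployment, as an added example that is not part of the original issue or of the CDK code base: it compares `UserPoolConfig.AwsRegion` with the region prefix of `UserPoolId` on every `AWS::AppSync::GraphQLApi` resource. All function and type names are hypothetical, and the sample template is transcribed from the expected and actual output shown in the issue.

```typescript
type Finding = { logicalId: string; location: string; awsRegion: string; poolRegion: string };
interface CfnResource { Type?: string; Properties?: Record<string, unknown> }
interface CfnTemplate { Resources?: Record<string, CfnResource> }

// Cognito user pool IDs have the form "<region>_<suffix>", e.g. eu-west-2_USERPOOLID.
function regionFromUserPoolId(id: unknown): string | undefined {
  if (typeof id !== 'string') return undefined; // Ref / Fn::GetAtt token, not comparable
  const m = /^([a-z]{2}(?:-[a-z]+)+-\d+)_[A-Za-z0-9]+$/.exec(id);
  return m ? m[1] : undefined;
}

function checkConfig(logicalId: string, location: string, cfg: unknown, out: Finding[]): void {
  if (typeof cfg !== 'object' || cfg === null) return;
  const { AwsRegion, UserPoolId } = cfg as { AwsRegion?: unknown; UserPoolId?: unknown };
  const poolRegion = regionFromUserPoolId(UserPoolId);
  // Skip intrinsic values such as { Ref: 'AWS::Region' }; only literals can be compared.
  if (typeof AwsRegion !== 'string' || poolRegion === undefined) return;
  if (AwsRegion !== poolRegion) out.push({ logicalId, location, awsRegion: AwsRegion, poolRegion });
}

// Checks the default authorizer and any additional Cognito providers on each API.
function findRegionMismatches(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== 'AWS::AppSync::GraphQLApi') continue;
    const props = res.Properties ?? {};
    checkConfig(logicalId, 'UserPoolConfig', props['UserPoolConfig'], findings);
    const extra = props['AdditionalAuthenticationProviders'];
    if (!Array.isArray(extra)) continue;
    extra.forEach((p: unknown, i: number) => {
      const cfg = typeof p === 'object' && p !== null ? (p as Record<string, unknown>)['UserPoolConfig'] : undefined;
      checkConfig(logicalId, `AdditionalAuthenticationProviders[${i}].UserPoolConfig`, cfg, findings);
    });
  }
  return findings;
}

// Sample input transcribed from the issue: same resource, expected vs. actual AwsRegion.
function sampleTemplate(awsRegion: string): CfnTemplate {
  return { Resources: { GqlApi4E487465: {
    Type: 'AWS::AppSync::GraphQLApi',
    Properties: {
      AuthenticationType: 'AMAZON_COGNITO_USER_POOLS',
      Name: 'feature-control',
      UserPoolConfig: { AwsRegion: awsRegion, DefaultAction: 'ALLOW', UserPoolId: 'eu-west-2_USERPOOLID' },
    },
  } } };
}
const expectedFindings = findRegionMismatches(sampleTemplate('eu-west-2'));  // no findings
const actualFindings = findRegionMismatches(sampleTemplate('eu-central-1')); // one finding
```

To run it against a real app, pass in the parsed JSON of a template that `cdk synth` writes to `cdk.out`.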