Rest API Calls with Authenticated Users and User Groups

[thomasdavidwang]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

Next.js

Amplify APIs

REST API

Amplify Version

v6

Amplify Categories

api

Backend

Amplify Gen 2 (Preview)

Environment information

# Put output below this line

System:
    OS: macOS 14.5
    CPU: (10) arm64 Apple M1 Pro
    Memory: 4.09 GB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.0.0 - /opt/homebrew/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 10.5.1 - /opt/homebrew/bin/npm
    bun: 1.1.6 - /opt/homebrew/bin/bun
    Watchman: 2024.04.22.00 - /opt/homebrew/bin/watchman
  Browsers:
    Chrome: 128.0.6613.119
    Safari: 17.5

Describe the bug

I created a Rest API using Amplify Gen 2 and AWS CDK according to the documentation, using IAM as an authorizer. When attempting to call this API from the frontend, the API calls were being made with the Group Role instead of the Authenticated User Role. As a result, we were getting 403 errors that stated "The client is not authorized to perform this operation."

Expected behavior

Successful API Requests

Reproduction steps

1. Create an amplify gen 2 backend, with user groups enabled in the Auth, and a Rest API.
2. Send a Post request using AWS Amplify from the front end, after a user associated with a user group signs in.

Code Snippet

// Put your code below this line.

Log output

// Put your logs below this line

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[cwomack]

Hey, @thomasdavidwang 👋. Can you clarify which docs you were following to set up the group roles and access? Also, does your amplify/backend.ts mimic this section of the docs with the associated policies?

If you could share the code snippet of how you're calling the API, that may help as well. Thanks!

[thomasdavidwang]

Hi @cwomack, thanks for looking into this!

The user groups were created according to: https://docs.amplify.aws/react/build-a-backend/auth/concepts/user-groups/

Appropriate users are automatically put into a user group using a post-confirmation trigger: https://docs.amplify.aws/react/build-a-backend/functions/examples/add-user-to-group/

And our backend does attach the relevant policies to the authenticated and unauthenticated roles, as described in the docs you shared.

We're calling the API using amplify. This is the relevant code snippet:

let restOperation = post({
apiName: "appointmentsApi",
path: "appointments",
options: {
body: request,
},
});

However, what we were seeing from the API Gateway access logs is that the API calls were being made using a User Group Role, which did not have the appropriate policies, and not the authenticated user role.

Also, the API is confirmed to work for unauthenticated users, as well as authenticated users who are not in a user group.

[cwomack]

@thomasdavidwang, thanks for the follow up and additional context. This looks related to another issue in the amplify-cli repo #13916. We're looking into this and will provide an update as soon as we can.

[cwomack]

@thomasdavidwang, we're tracking this as a bug on the amplify-backend repo within issue #1771 over there. We'll close this out as a duplicate on the JS side, but please follow that issue for updates on progress.