How to Use Cognito Identity Pool with Unauthenticated Users in Amplify v6 for API Gateway Access

If you've recently upgraded to Amplify v6 and found yourself struggling to allow unauthenticated users to invoke your API Gateway, you're not alone. I spent hours combing through migration guides, only to realize that there's a key change in how Amplify v6 handles unauthenticated users compared to v5. This post will walk you through the issue and the solution, so you can save yourself the headache I went through.

The Problem: Unauthenticated Users and Amplify v6

In Amplify v5, allowing unauthenticated users to access your backend through API Gateway was relatively straightforward. You could simply set up your Amplify.configure with the mandatorySignIn key set to false, and unauthenticated users would be granted temporary credentials via the Cognito identity pool.

Here's how it looked in v5:

import { Amplify, API } from 'aws-amplify';

Amplify.configure({
  Auth: {
    mandatorySignIn: false,
    identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
    region: 'XX-XXXX-X',
  },
  API: {
    endpoints: [
      {
        name: 'MyAPIGatewayAPI',
        endpoint: 'https://1234567890-abcdefgh.amazonaws.com/XXX'
      },
    ]
  }
});

This setup worked perfectly, with unauthenticated users receiving temporary credentials to interact with your API. But when I upgraded to Amplify v6, I noticed that this setup no longer worked. The API Gateway started rejecting requests from unauthenticated users, and I couldn’t find any mention of mandatorySignIn in the v6 documentation.

I started seeing this error:

No Access-Control-Allow-Origin

Access to fetch at 'https://1234567890.execute-api.us-east-1.amazonaws.com/' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

This error might look like a typical CORS issue, but knowing that CORS problems are usually not the real cause - and since my Cognito identity pool was working fine with API Gateway in Amplify v5 - I figured something else was wrong. So, I started looking for a solution to get Amplify v6 working properly with unauthenticated users.

The Solution: Introducing allowGuestAccess in Amplify v6

After some research, I discovered that the key mandatorySignIn has been replaced by allowGuestAccess in Amplify v6. This new key serves the same purpose — allowing unauthenticated users to gain temporary credentials from the Cognito identity pool.

Here's how you can update your configuration to work with Amplify v6:

import { Amplify } from 'aws-amplify';

Amplify.configure({
  Auth: {
    Cognito: {
      identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
      // Replaces v5's mandatorySignIn: false
      allowGuestAccess: true,
    }
  },
  API: {
    REST: {
      MyAPIGatewayAPI: {
        endpoint: 'https://1234567890-abcdefgh.amazonaws.com/XXX',
        region: 'XX-XXXX-X'
      }
    }
  }
});

This small but crucial change ensures that unauthenticated users will once again receive the necessary temporary credentials from the Cognito identity pool, allowing them to invoke your API Gateway endpoints without any issues.
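
Because allowGuestAccess hands temporary IAM credentials to anyone who loads the app, the identity pool's unauthenticated role should allow nothing beyond invoking the intended API Gateway routes. The check below is an added example, not code from this post or from Amplify; the function name, the sample policies, and the rule that guest resources must pin API id, stage and method are assumptions.

```javascript
// Added example: helper name, sample policies and the "pin API id, stage and
// method" rule are assumptions, not part of Amplify or the original post.
const ALLOWED_ACTION = 'execute-api:invoke'; // IAM action names are case-insensitive
const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns findings for Allow statements that give guests more than invoke
// rights on specific API Gateway routes.
function auditGuestPolicy(policy) {
  const findings = [];
  toList(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return; // Deny statements only narrow access
    const id = stmt.Sid || `statement[${i}]`;
    if (stmt.NotAction || stmt.NotResource) {
      findings.push(`${id}: Allow with NotAction/NotResource grants everything not listed`);
      return;
    }
    for (const action of toList(stmt.Action)) {
      if (action.toLowerCase() !== ALLOWED_ACTION) {
        findings.push(`${id}: action "${action}" is not execute-api:Invoke`);
      }
    }
    for (const resource of toList(stmt.Resource)) {
      // Expected: arn:aws:execute-api:region:account-id:api-id/stage/METHOD/path
      const parts = resource.split(':');
      const [apiId, stage, method] = (parts[5] || '').split('/');
      const pinned = [apiId, stage, method].every((p) => p && p !== '*');
      if (parts[2] !== 'execute-api' || !pinned) {
        findings.push(`${id}: resource "${resource}" does not pin API id, stage and method`);
      }
    }
  });
  return findings;
}

// Constructed sample policies for the identity pool's unauthenticated role.
const tightPolicy = {
  Statement: [{ Sid: 'GuestInvoke', Effect: 'Allow', Action: 'execute-api:Invoke',
    Resource: 'arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/GET/public/*' }],
};
const loosePolicy = {
  Statement: [
    { Sid: 'AnyApi', Effect: 'Allow', Action: 'execute-api:*', Resource: '*' },
    { Sid: 'Extra', Effect: 'Allow', Action: ['execute-api:Invoke', 's3:GetObject'],
      Resource: 'arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/*/*' },
  ],
};

console.log(auditGuestPolicy(tightPolicy)); // no findings
console.log(auditGuestPolicy(loosePolicy)); // four findings
```

Run it with Node against the policy JSON attached to your own unauthenticated role before enabling guest access.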

Where to Find More Information

If you're looking for more details on how to implement allowGuestAccess, you can find them in the documentation, under the tab that says 'Existing Resources'. This will give you a clearer understanding of how to use this key and other related configurations.

Final Thoughts

Migrating from Amplify v5 to v6 comes with its fair share of changes, and it's easy to get stuck when things that worked perfectly before suddenly break. The shift from mandatorySignIn to allowGuestAccess for unauthenticated users is one such change. By updating your configuration as shown above, you can get back on track and ensure that your unauthenticated users can still access your API Gateway endpoints.

If you’ve been tearing your hair out trying to figure this out, I hope this post saves you some time and frustration.