How to configure to use LambdaAuthorizer for custom VTL resolvers query?

[nilyin]

Amplify CLI Version

14.2.5

Question

Hi, i can not manage Lambda Authorizer appsync auth for my custom query getComponentFiltered(id: ID!, organizationID: String): Component , which is using custom resolvers created with amplify add custom and then selecting CDK option. My custom VTL resolvers are created in backend and present locally in 'amplify\backend\custom\CustomResolvers\' folder along with 'cdk-stack.ts' and *.vtl files

real problem: when i invoke this query (either from client or from appsync web-console with a selection of Lambda Authorizer) i'm getting this error:

{
  "data": {
    "getComponentFiltered": null
  },
  "errors": [
    {
      "path": [
        "getComponentFiltered"
      ],
      "data": null,
      "errorType": "Unauthorized",
      "errorInfo": null,
      "locations": [
        {
          "line": 2,
          "column": 3,
          "sourceName": null
        }
      ],
      "message": "Not Authorized to access getComponentFiltered on type Query"
    }
  ]
}

my appsync has been set-up with Cognito UserPool as a default authorization method, with AWS_LAMBDA as a secondary method.

I tried adding @aws_lambda @aws_cognito_user_pools directives to my query in schema.graphql, but it leads to the fact that my custom resolvers are not detected anymore, as it seems appsync auto-generates own VTL templates based on these directives.

My question: is there a way to attach both AWS_LAMBDA and UserPool authentication capabilities to custom query with custom resolvers?

I am using Amplify JS Gen.1 v6 API (Transformer v2)

[nilyin]

hi, for those with the same issues:

1. i have tried via custom resource (amplify add custom) to add auth method to VTL resolver with cdk-stacks.ts but failed (VTL Resolver has no authentication configuration property)
2. i tried to update my client query to use standard graphql "extensions" property to force needed auth method like this:

{
  "query": "...",
  "variables": {...},
  "extensions": {"authorization": {"authMode": "AWS_LAMBDA"}}
}

but i failed as AW Appsync is not supporting this graphql standard's feature.

3. i rolled vack to VTL templates in resolvers/ folder with override.ts file to override datasource values for my resolvers. it worked with below hacks (it is not documented anywhere):

• add @auth(rules: [{ allow: private }, { allow: custom }]) to my custom query methods in schema.graphql
• add appsync own directives to types used in functions:

type ComponentConnection @aws_cognito_user_pools @aws_lambda
{
  items: [Component]!
  nextToken: String
}

• create override.ts as shown below (my table is calle Component so DataSourceName is ComponentTable):

import { AmplifyApiGraphQlResourceStackTemplate, AmplifyProjectInfo } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyApiGraphQlResourceStackTemplate, amplifyProjectInfo: AmplifyProjectInfo) {
  const res = resources as any;
  const targetDataSourceName = 'ComponentTable';

  console.log('--- [OVERRIDE DEBUG INIT] ---');
  console.log('Project Info:', {
    projectName: amplifyProjectInfo.projectName,
    envName: amplifyProjectInfo.envName,
  });
  

  console.log('=== PIPELINE RESOLVER OVERRIDE START ===');

  if (res.api) {
    Object.keys(res.api).forEach(resourceName => {
      const resource = res.api[resourceName];
      
      // ONLY modify AppSync Functions (not Resolvers)
      if (resource && resource.cfnResourceType === 'AWS::AppSync::FunctionConfiguration') {
        console.log(`🔍 Found AppSync Function: ${resourceName}`);
        
        if (resourceName.toLowerCase().includes('getcomponentfiltered') || 
            resourceName.toLowerCase().includes('searchcomponents')) {
          
          console.log(`🎯 Modifying Function: ${resourceName}`);
          
          // Method 1: Direct property
          if (resource.dataSourceName !== undefined) {
            const oldValue = resource.dataSourceName;
            resource.dataSourceName = targetDataSourceName;
            console.log(`✅ Updated dataSourceName: ${oldValue} → ${targetDataSourceName}`);
          }
          
          // Method 2: CFN Properties
          if (resource._cfnProperties && resource._cfnProperties.dataSourceName !== undefined) {
            const oldValue = resource._cfnProperties.dataSourceName;
            resource._cfnProperties.dataSourceName = targetDataSourceName;
            console.log(`✅ Updated _cfnProperties.dataSourceName: ${oldValue} → ${targetDataSourceName}`);
          }
          
          // Method 3: CDK Override
          if (typeof resource.addPropertyOverride === 'function') {
            resource.addPropertyOverride('DataSourceName', targetDataSourceName);
            console.log(`✅ Added property override: DataSourceName → ${targetDataSourceName}`);
          }
        }
      }
      
      // DO NOT modify Resolvers - just log them
      if (resource && resource.cfnResourceType === 'AWS::AppSync::Resolver') {
        if (resourceName.toLowerCase().includes('getcomponentfiltered') || 
            resourceName.toLowerCase().includes('searchcomponents')) {
          console.log(`ℹ️  Found Pipeline Resolver (not modifying): ${resourceName}`);
          console.log(`   Pipeline resolvers use functions, not direct datasources`);
        }
      }
    });
  }

  console.log('=== PIPELINE RESOLVER OVERRIDE END ===');
  
}

finally i am asking for a new feature to support graphql extensions standard property in Amplify JS client and in Appsync server as described in item 2) above. it can improve flexibility of managing auth from the client side.