AWS amplify - Can't synchronize via DataStore if I use an API Key; but Cognito User Pools work

Question

I've setup an amplify project for react.js, which should allow authorized and unauthorized access to my application. Therefore, I've configured two authentication methods: Cognito User Pools and API key. The first one is my default. My application runs fine, if I sign in via the Cognito User Pool. All data is beeing synchronized via the DataStore. But if I switch to the API Key as unauthenticated user, I only get unauthorized errors under the hood. E.g. for one of my custom types:

errorType: "Unauthorized"
message: "Not Authorized to access onCreateMyCustomType on type Subscription"

The API key is sent correctly as "x-api-key".

If I manually query the Graph-API (e.g. via the amplify.js-API in my application or the third party tool GraphiQL), I can get the results. Just the synchronization isn't working as it does for authenticated users.

In my schema, I control the access via @auth. E.g.:

@auth(rules: [
    # Owner access
    { allow: owner },

    # System access
    { allow: private, provider: iam },

    # Admin access
    { allow: groups, groups: ["Admin"] },

    # Default user access
    { allow: groups, groups: ["User"], operations: [read] },

    # Everyone
    { allow: public, operations: [read] }
  ])

I'm switching the authentication method via:

Amplify.configure({
  ...awsconfig,
  aws_appsync_authenticationType: isAuthenticated ? 'AMAZON_COGNITO_USER_POOLS' : 'API_KEY',
});

Answer 1

I could solve the issue. There wasn't a public access defined for some custom types, so the whole synchronization failed. After uncommenting these in my scheme and pushing the changes, all data could be synchronized. A better approach could be selective sync to disable the synchronization for the affected types, if the user isn't signed in. But I haven't tried that yet.