amazon-neptune-tools
Additional IAM policy required to access the cluster details
Why does it need to have permission for "db:*" (in the error logs)? I am expecting it to have a proper cluster id in the ARN for the permission request. I get the same error using the AWS CLI command describe-db-instances, but I tried aws describe-db-clusters --db-cluster-identifier neptune-dummy-id-xyz, which works fine (with the permission I have for the role) and gives replica details. Do we actually need to have permission for "db:*" to use refreshAgent.getAddresses().get(EndpointsType.ReadReplicas)?
import java.util.Arrays;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import software.amazon.neptune.cluster.ClusterEndpointsRefreshAgent;
import software.amazon.neptune.cluster.EndpointsType;
import software.amazon.neptune.cluster.GetEndpointsFromNeptuneManagementApi;
import software.amazon.neptune.cluster.NeptuneGremlinClusterBuilder;
NeptuneGremlinClusterBuilder builder = NeptuneGremlinClusterBuilder.build();
// Resolve read-replica endpoints via the Neptune management API using the assumed role's web identity credentials
ClusterEndpointsRefreshAgent refreshAgent = new ClusterEndpointsRefreshAgent(
        new GetEndpointsFromNeptuneManagementApi("neptune-dummy-id-xyz",
                Arrays.asList(EndpointsType.ReadReplicas),
                System.getenv(AWS_REGION_ENV_VAR), // AWS_REGION_ENV_VAR holds the name of the region environment variable
                WebIdentityTokenCredentialsProvider.create()));
builder.addContactPoints(refreshAgent.getAddresses().get(EndpointsType.ReadReplicas)); // Can't fetch addresses: the call below fails with 403 AccessDenied
Exception in thread "main" java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
Caused by: com.amazonaws.services.neptune.model.AmazonNeptuneException: User: arn:aws:sts::XXXYYYXXXYYY:assumed-role/CustomRole2/aws-sdk-java-XXXYYYXXXYYY is not authorized to perform: rds:DescribeDBInstances on resource: arn:aws:rds:us-west-2:XXXYYYXXXYYY:db:* because no identity-based policy allows the rds:DescribeDBInstances action (Service: AmazonNeptune; Status Code: 403; Error Code: AccessDenied; Request ID: AAAAAAA-BBBB-CCCC-DDDD-7EEEEEEEEE; Proxy: null)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
at com.amazonaws.services.neptune.AmazonNeptuneClient.doInvoke(AmazonNeptuneClient.java:4542)
at com.amazonaws.services.neptune.AmazonNeptuneClient.invoke(AmazonNeptuneClient.java:4509)
at com.amazonaws.services.neptune.AmazonNeptuneClient.invoke(AmazonNeptuneClient.java:4498)
at com.amazonaws.services.neptune.AmazonNeptuneClient.executeDescribeDBInstances(AmazonNeptuneClient.java:2296)
at com.amazonaws.services.neptune.AmazonNeptuneClient.describeDBInstances(AmazonNeptuneClient.java:2264)
at software.amazon.neptune.cluster.GetEndpointsFromNeptuneManagementApi.getAddresses(GetEndpointsFromNeptuneManagementApi.java:127)
at software.amazon.neptune.cluster.ClusterEndpointsRefreshAgent.getAddresses(ClusterEndpointsRefreshAgent.java:89)
at com.demo.common.Main.main(Main.java:34)
... 8 more
We'd need to confirm, but I believe the client needs to access the instance information in the cluster, which is why the additional IAM policies are needed.
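To make the permission difference concrete, here is an IAM policy fragment that grants exactly what the thread describes; it is an illustration added here, not a policy from the project's documentation. The first statement is the shape the cluster-scoped describe-db-clusters call in the question relies on (the `cluster:` ARN form is assumed, since the thread only shows the cluster id). The second statement is the one the stack trace says is missing: GetEndpointsFromNeptuneManagementApi calls describeDBInstances without naming an instance, so IAM evaluates that request against the wildcard resource `db:*` in the account and region shown in the error. Account id, region and cluster id are the placeholder values from the thread.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeOneCluster",
      "Effect": "Allow",
      "Action": "rds:DescribeDBClusters",
      "Resource": "arn:aws:rds:us-west-2:XXXYYYXXXYYY:cluster:neptune-dummy-id-xyz"
    },
    {
      "Sid": "DescribeInstancesForRefreshAgent",
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "arn:aws:rds:us-west-2:XXXYYYXXXYYY:db:*"
    }
  ]
}
```

Because the request carries no instance identifier, narrowing the second statement's Resource to individual `db:` ARNs would still produce the same AccessDenied; the account and region in the ARN are the practical bounds on that statement. If a role is granted only the first statement, expect the 403 shown above to reproduce every time the refresh agent runs, which also makes it a useful thing to alert on in CloudTrail when tightening the role.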
I believe we don't need to have access for "db:*" with aws describe-db-clusters --db-cluster-identifier neptune-dummy-id-xyz, and it serves the purpose. It may not be easy in most cases to get access to all the instances for an IAM role.