
I am trying to connect to AWS Neptune DB after enabling IAM DB authorisation, and it is not able to connect, failing with the error below.

{"code":"AccessDeniedException","requestId":"68bbc87a-cbf6-31d3-5829-91f32062239f","detailedMessage":"Missing Authentication Token"}

However, it works fine with IAM DB authorisation disabled.

I have created a policy (using the link https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth-policy.html) to connect to the Neptune DB and attached the policy to the IAM role which is added to the EC2 instance. I can telnet to the Neptune DB endpoint on port 8182.

Can someone please help.

Thirumal
  • When you say "connecting", do you mean to run a query, or connect at least to the HTTP endpoint to do something like a status check or are you trying to access the control plane functions to modify the cluster? Once IAM authentication is enabled, all queries and other requests need to be signed using SigV4 credentials. If you can clarify what you are trying to do I will be able to post a full answer. – Kelvin Lawrence Feb 11 '21 at 14:41
  • I am trying to do the cluster status check. I am assuming that after attaching the role to the node, it would automatically create a temporary session token to be used while running the status query. Do I need to use an IAM user account instead of role-based IAM, where I can explicitly pass the secret key and access key? – santosh nahak Feb 13 '21 at 12:20
  • I added an answer below describing what you need to do when IAM Authentication is enabled. – Kelvin Lawrence Feb 13 '21 at 17:53


When IAM authentication is enabled, requests to the HTTP endpoint must be signed using SigV4. You can use a tool like awscurl to do this.

Here is an example from the Amazon Neptune documentation that I have modified slightly to have it point to the /status endpoint.

Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables correctly (and also AWS_SECURITY_TOKEN if you are using temporary credentials). You can also pass these as parameters to awscurl. Then use a command such as the following (change the region to your region):

awscurl -X GET --service neptune-db  --region us-west-2 "$SYSTEM_ENDPOINT/status"

You can get temporary credentials using STS via the AWS CLI tools as follows:

aws sts get-session-token

If you are running on an EC2 instance you can get the tokens from the metadata service so long as the EC2 instance has a role attached that has access to Neptune. More details here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

Kelvin Lawrence
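To show what awscurl does for you, here is an added example (not from the answer above or from the Neptune project) that signs a GET to the /status endpoint with SigV4 using only the Python standard library. The Neptune endpoint name, the `neptune_status` helper and the port 8182 are assumptions; on an EC2 instance with a role attached, the access key, secret key and session token you pass in are the ones read from the instance metadata service.

```python
"""Sign a Neptune HTTP request with SigV4 (added example, pure stdlib)."""
import datetime, hashlib, hmac, urllib.parse, urllib.request

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(method, url, region, service, access_key, secret_key,
                  session_token=None, payload=b"", amz_date=None):
    """Return the headers (host, x-amz-date, optional token, authorization)
    that an IAM-auth-enabled endpoint requires for `method url`.
    The path is assumed to be already normalised (e.g. "/status")."""
    u = urllib.parse.urlsplit(url)
    amz_date = amz_date or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": u.netloc, "x-amz-date": amz_date}
    if session_token:  # temporary creds: the token must be signed as well
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    # canonical query string: URL-encoded key=value pairs, sorted by key
    enc = lambda s: urllib.parse.quote(s, safe="-_.~")
    query = "&".join(f"{enc(k)}={enc(v)}" for k, v in
                     sorted(urllib.parse.parse_qsl(u.query, keep_blank_values=True)))
    canonical_request = "\n".join([method, u.path or "/", query,
                                   canonical_headers, signed, _sha256(payload)])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256(canonical_request.encode())])
    # signing key: HMAC chain over date, region, service and the fixed suffix
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

def neptune_status(endpoint, region, access_key, secret_key, session_token=None):
    """GET /status on a Neptune cluster endpoint (hostname only; :8182 assumed)."""
    url = f"https://{endpoint}:8182/status"
    req = urllib.request.Request(url, headers=sigv4_headers(
        "GET", url, region, "neptune-db", access_key, secret_key, session_token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()
```

Without the `authorization` header (or with one built from credentials whose role lacks the Neptune policy) the endpoint returns the same "Missing Authentication Token" or access-denied response the question shows.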