
We have 2 AWS accounts (111111111111, 222222222222). The first account has a VPC and an Endpoint for the Cassandra service. This VPC is shared with the second account.

How can I get the correct list of system.peers from the AWS Keyspaces service from the second account?

An AWS user was created in the second account with permissions like:

"Action": [
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeVpcEndpoints"
],
"Resource": "*"
and the managed policy AmazonKeyspacesFullAccess.

Using this user, I have access to connect to any keyspace in the second account. But I cannot get the peer list from the system keyspace:

Keyspaces_user-at-22222222@cqlsh:system> SELECT * FROM system.peers;

 peer | data_center | host_id | preferred_ip | rack | release_version | rpc_address | schema_version | tokens
------+-------------+---------+--------------+------+-----------------+-------------+----------------+--------

(0 rows)

If I use another user (Keyspaces_user-at-111111111111), created in the first account with the same permissions, I get this list, but I cannot see my created keyspaces because in the first account I haven't created any keyspaces.

Additionally, I added permissions for the user Keyspaces_user-at-22222222:

"Action": "cassandra:*",
"Effect": "Allow",
"Resource": [
    "arn:aws:cassandra:us-east-1:111111111111:/keyspace/system*"
]

but it doesn't help.

Maybe I missed the VPC Endpoint policy configuration. Current VPC Endpoint policy:

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "*"
        }
    ]
}
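Amazon Keyspaces fills system.peers with the private addresses of the interface VPC endpoint's network interfaces, which it looks up with ec2:DescribeVpcEndpoints and ec2:DescribeNetworkInterfaces on behalf of the connecting principal, so an empty table usually means that principal cannot describe those ENIs. The following is an added example, not code from the question: it replays constructed responses shaped like boto3's describe_vpc_endpoints() and describe_network_interfaces() and predicts which peers the caller could see, flagging ENIs it cannot describe and endpoints owned by another account. It assumes (as a hypothesis, not a verified fact) that DescribeNetworkInterfaces only returns ENIs owned by the calling account, so the owner account's endpoint ENIs are absent from the second account's view.

```python
from typing import Dict, List

# Constructed sample data (not real accounts, ENIs or addresses).
CALLER_ACCOUNT = "222222222222"
SAMPLE_ENDPOINTS = {"VpcEndpoints": [{
    "VpcEndpointId": "vpce-0123456789abcdef0",
    "VpcEndpointType": "Interface",
    "ServiceName": "com.amazonaws.us-east-1.cassandra",
    "OwnerId": "111111111111",                 # endpoint created by the VPC owner
    "NetworkInterfaceIds": ["eni-0aaa", "eni-0bbb"],
}]}
# Assumption: only ENIs owned by the caller come back, so the endpoint's
# ENIs (owned by 111111111111) are missing from this list.
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0ccc", "OwnerId": CALLER_ACCOUNT,
     "PrivateIpAddress": "10.0.2.20", "AvailabilityZone": "us-east-1b"},
]}


def predict_system_peers(endpoints: Dict, enis: Dict, caller_account: str) -> Dict:
    """Predict the system.peers rows Keyspaces can build for this caller.

    Returns the peer addresses that are resolvable, the endpoint ENI ids the
    caller cannot describe (each of those yields no peer row), and the ids of
    Keyspaces endpoints that belong to a different account than the caller.
    """
    visible = {e["NetworkInterfaceId"]: e for e in enis.get("NetworkInterfaces", [])}
    peers: List[Dict] = []
    missing: List[str] = []
    foreign: List[str] = []
    for ep in endpoints.get("VpcEndpoints", []):
        # Only interface endpoints for the Keyspaces (cassandra) service matter.
        if ep.get("VpcEndpointType") != "Interface":
            continue
        if not ep.get("ServiceName", "").endswith(".cassandra"):
            continue
        if ep.get("OwnerId") != caller_account:
            foreign.append(ep["VpcEndpointId"])
        for eni_id in ep.get("NetworkInterfaceIds", []):
            eni = visible.get(eni_id)
            if eni is None:
                missing.append(eni_id)
            else:
                peers.append({"peer": eni["PrivateIpAddress"],
                              "availability_zone": eni["AvailabilityZone"]})
    return {"peers": peers, "missing_enis": missing, "endpoints_owned_elsewhere": foreign}


if __name__ == "__main__":
    print(predict_system_peers(SAMPLE_ENDPOINTS, SAMPLE_ENIS, CALLER_ACCOUNT))
```

With the constructed data the prediction is an empty peer list, matching the "(0 rows)" symptom; feeding it the real API responses from each account shows which side can actually resolve the endpoint ENIs.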
