Open ShruthiVEth opened 8 months ago
Hi @ShruthiVEth, I will be looking into this. Could you confirm that the second "resource arn" in your IAM policy matches the resource arn listed in the 403 error?
Hi @Cole-Greer, the arn in the error is missing the cluster name. It has * instead.
Thanks @ShruthiVEth, could you share a (redacted) example of the command you are using to invoke Neptune Export?
One observation I have noted is that export appears to be calling rds:DescribeDBClusters on resource: arn:aws:rds:<region>:<account>:cluster:* when run with --endpoint <neptune-endpoint>, but if run using --cluster-id <neptune-cluster-id> instead, it will call rds:DescribeDBClusters on resource: arn:aws:rds:<region>:<account>:cluster:<neptune-cluster-id>. I need to look into this further to see if the required permissions can be tightened with --endpoint. Perhaps switching to a cluster-id based command can unblock you in the meantime.
When executing neptune-export with a java project, IAM role of the ECS is not able to access the neptune cluster with the below error. I have attached the below policy to the IAM role but still see the same error. How do I set up neptune export to look for one specific cluster instead of cluster:*?
An error occurred while exporting from Neptune: User: arn:aws:sts::xxxxxxxxxx:assumed-role/ecs-task-v2/xxxxxxxxxx is not authorized to perform: rds:DescribeDBClusters on resource: arn:aws:rds:us-east-1:xxxxxxxxxx:cluster:* because no identity-based policy allows the rds:DescribeDBClusters action (Service: AmazonNeptune; Status Code: 403; Error Code: AccessDenied;
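The exchange above comes down to one question: does the Resource in the IAM statement cover the ARN the service actually evaluates? Below is an added example (not from the issue and not Neptune Export's own code) that models IAM's `*`/`?` resource matching in simplified form and compares a policy scoped to one cluster against the `cluster:*` ARN seen in the 403; the region, account id and cluster id are constructed placeholders.

```python
import re

# Simplified IAM resource/action matching: '*' matches any run of characters,
# '?' matches exactly one, everything else is literal. Policy variables,
# NotResource and Deny statements are deliberately not modelled here.
def arn_matches(pattern: str, value: str) -> bool:
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def statement_allows(statement: dict, action: str, resource: str) -> bool:
    actions = statement["Action"]
    resources = statement["Resource"]
    if isinstance(actions, str):
        actions = [actions]
    if isinstance(resources, str):
        resources = [resources]
    return (statement["Effect"] == "Allow"
            and any(arn_matches(a, action) for a in actions)
            and any(arn_matches(r, resource) for r in resources))


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    return any(statement_allows(s, action, resource) for s in policy["Statement"])


# Constructed placeholder identifiers; replace with your own values.
REGION, ACCOUNT, CLUSTER_ID = "us-east-1", "111122223333", "my-neptune-cluster"
SPECIFIC_ARN = f"arn:aws:rds:{REGION}:{ACCOUNT}:cluster:{CLUSTER_ID}"
WILDCARD_ARN = f"arn:aws:rds:{REGION}:{ACCOUNT}:cluster:*"

# Tightened policy: DescribeDBClusters on exactly one cluster.
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:DescribeDBClusters", "Resource": SPECIFIC_ARN}]}
# Broad policy: DescribeDBClusters on every cluster in the account and region.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:DescribeDBClusters", "Resource": WILDCARD_ARN}]}


def describe_allowed(policy: dict, via_cluster_id: bool) -> bool:
    # Per the thread: with --cluster-id the call is evaluated against the
    # specific cluster ARN; with --endpoint it is evaluated against cluster:*,
    # which the tightened policy's literal cluster id does not cover.
    evaluated = SPECIFIC_ARN if via_cluster_id else WILDCARD_ARN
    return policy_allows(policy, "rds:DescribeDBClusters", evaluated)
```

Running it shows the tightened policy passes only for the `--cluster-id` invocation, which is why the `--endpoint` run in the issue still gets a 403 until either the flag or the policy changes.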