search

awslabs / amazon-neptune-tools

Tools and utilities to enable loading data and building graph applications with Amazon Neptune.
Apache License 2.0
297 stars 151 forks source link

Additional IAM policy required to access the cluster details #208

Open snj07 opened 2 years ago

snj07 commented 2 years ago

Why does it need to have permission for "db:" (in the error logs)? I am expecting it to have a proper cluster id in ARN for permission request. I get the same error using aws cli command describe-db-instances but I tried aws describe-db-clusters --db-cluster-identifier neptune-dummy-id-xyz which works fine (with the permission I have for the role) and gives replica details. Do we actually need to have permission for "db:" to use refreshAgent.getAddresses().get(EndpointsType.ReadReplicas)?

        NeptuneGremlinClusterBuilder builder =  NeptuneGremlinClusterBuilder.build();
        ClusterEndpointsRefreshAgent refreshAgent = new ClusterEndpointsRefreshAgent(
                new GetEndpointsFromNeptuneManagementApi("neptune-dummy-id-xyz",
                Arrays.asList(EndpointsType.ReadReplicas),
                System.getenv(AWS_REGION_ENV_VAR),
                WebIdentityTokenCredentialsProvider.create()));
        builder.addContactPoints(refreshAgent.getAddresses().get(EndpointsType.ReadReplicas)); // Can't fetch addresses
Exception in thread "main" java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
Caused by: com.amazonaws.services.neptune.model.AmazonNeptuneException: User: arn:aws:sts::XXXYYYXXXYYY:assumed-role/CustomRole2/aws-sdk-java-XXXYYYXXXYYY is not authorized to perform: rds:DescribeDBInstances on resource: arn:aws:rds:us-west-2:XXXYYYXXXYYY:db:* because no identity-based policy allows the rds:DescribeDB
Instances action (Service: AmazonNeptune; Status Code: 403; Error Code: AccessDenied; Request ID: AAAAAAA-BBBB-CCCC-DDDD-7EEEEEEEEE; Proxy: null)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(Amazo        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)                                                                   at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)                                                                            at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)                                                                                at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)                                                                                     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)                                                                              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)                                                                                       at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)                                                                                    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)        at com.amazonaws.services.neptune.AmazonNeptuneClient.doInvoke(AmazonNeptuneClient.java:4542)
        at com.amazonaws.services.neptune.AmazonNeptuneClient.invoke(AmazonNeptuneClient.java:4509)
        at com.amazonaws.services.neptune.AmazonNeptuneClient.invoke(AmazonNeptuneClient.java:4498)
        at com.amazonaws.services.neptune.AmazonNeptuneClient.executeDescribeDBInstances(AmazonNeptuneClient.java:2296)
        at com.amazonaws.services.neptune.AmazonNeptuneClient.describeDBInstances(AmazonNeptuneClient.java:2264)
        at software.amazon.neptune.cluster.GetEndpointsFromNeptuneManagementApi.getAddresses(GetEndpointsFromNeptuneManagementApi.java:
127)
        at software.amazon.neptune.cluster.ClusterEndpointsRefreshAgent.getAddresses(ClusterEndpointsRefreshAgent.java:89)
        at com.demo.common.Main.main(Main.java:34)
        ... 8 more
beebs-systap commented 2 years ago

We'd need to confirm, but I believe the client needs to access the instance information in the cluster, which is why the additional IAM policies are needed.

snj07 commented 2 years ago

I believe we don't need to have access for "db:*" with aws describe-db-clusters --db-cluster-identifier neptune-dummy-id-xyz and it serves the purpose. It may not be easy in most of the cases to get the access to all the instances for an IAM role.