
IAM role cannot access Neptune cluster even when rds:DescribeDBClusters is added to the policy #120

Open
ShruthiVEth opened this issue Feb 27, 2024 · 3 comments

Comments


ShruthiVEth commented Feb 27, 2024

When executing neptune-export from a Java project, the IAM role of the ECS task is not able to access the Neptune cluster and fails with the error below. I have attached the policy below to the IAM role but still see the same error. How do I set up neptune-export to look for one specific cluster instead of cluster:*?

An error occurred while exporting from Neptune: User: arn:aws:sts::xxxxxxxxxx:assumed-role/ecs-task-v2/xxxxxxxxxx is not authorized to perform: rds:DescribeDBClusters on resource: arn:aws:rds:us-east-1:xxxxxxxxxx:cluster:* because no identity-based policy allows the rds:DescribeDBClusters action (Service: AmazonNeptune; Status Code: 403; Error Code: AccessDenied;

Policy (the original post had an empty "Version", a capitalised "Arn", a curly closing quote, and a missing colon before "cluster"; those syntax slips are corrected here so the JSON is valid, nothing else is changed):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstances",
                "rds:ListTagsForResource"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:rds:us-east-1:xxxxxxxxxx:db:neptune"
            ],
            "Sid": "AllowSpecificRDS1"
        },
        {
            "Action": [
                "rds:DescribeDBClusters",
                "rds:ListTagsForResource",
                "rds:DescribeDBClusterParameters"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:rds:us-east-1:xxxxxxxxxx:cluster:neptune-cluster"
            ],
            "Sid": "AllowSpecificRDS2"
        }
    ]
}
Cole-Greer (Collaborator) commented:

Hi @ShruthiVEth,
I will be looking into this. Could you confirm that the second "resource arn" in your IAM policy matches the resource arn listed in the 403 error?

ShruthiVEth (Author) commented:

Hi @Cole-Greer, the arn in the error is missing the cluster name. It has * instead.

Cole-Greer (Collaborator) commented:

Thanks @ShruthiVEth, could you share a (redacted) example of the command you are using to invoke Neptune Export?

One observation I have noted is that export appears to be calling rds:DescribeDBClusters on resource: arn:aws:rds:<region>:<account>:cluster:* when run with --endpoint <neptune-endpoint> but if run using --cluster-id <neptune-cluster-id> instead, it will call rds:DescribeDBClusters on resource: arn:aws:rds:<region>:<account>:cluster:<neptune-cluster-id>. I need to look into this further to see if the required permissions can be tightened with --endpoint. Perhaps switching to a cluster-id based command can unblock you in the meantime.
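The observation above is the whole story of the 403: the role's policy allows rds:DescribeDBClusters only on arn:aws:rds:us-east-1:<account>:cluster:neptune-cluster, but the --endpoint code path authorises the call against cluster:*, and IAM wildcards live in the policy, never in the request, so a literal "cluster:*" in the request does not match a policy resource that names one cluster. The toy evaluator below (an added example, not part of neptune-export or of AWS; it models only Allow statements with * and ? wildcards and implicit deny, and ignores Deny statements, conditions, SCPs and resource policies) reproduces the denial, shows that the same scoped policy does satisfy the --cluster-id form of the request, and shows the wider Resource you would have to grant if you keep using --endpoint. The account id, region and cluster name are constructed for the example.

```python
"""Toy IAM resource matcher: why a cluster-scoped Allow does not satisfy a
request authorised against cluster:*.

Added example, not code from neptune-export or AWS. It implements only the
subset of IAM evaluation needed here: Allow statements, Action matching
(case-insensitive) and Resource matching (case-sensitive) with the IAM
wildcards '*' and '?', and implicit deny when nothing matches.
"""
import re

# Constructed values for the example; substitute your own.
ACCOUNT = "111122223333"
REGION = "us-east-1"
CLUSTER_ARN = f"arn:aws:rds:{REGION}:{ACCOUNT}:cluster:neptune-cluster"
WILDCARD_ARN = f"arn:aws:rds:{REGION}:{ACCOUNT}:cluster:*"


def wildcard_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.

    The pattern comes from the policy; the value is the literal string from
    the request. A literal '*' in the request is just a character.
    """
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(regex, value, flags) is not None


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        resources = stmt["Resource"]
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        # Action names are case-insensitive in IAM; ARNs are case-sensitive.
        if not any(wildcard_match(a, action, case_sensitive=False) for a in actions):
            continue
        if any(wildcard_match(r, resource_arn) for r in resources):
            return True
    return False  # implicit deny


# Same shape as the second statement in the issue: scoped to one cluster ARN.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSpecificRDS2",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:ListTagsForResource",
                "rds:DescribeDBClusterParameters",
            ],
            "Resource": [CLUSTER_ARN],
        }
    ],
}

# What you would have to grant if the tool keeps asking for cluster:*.
# Wider than least privilege: it covers every cluster in the account/region.
WIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyClusterDescribe",
            "Effect": "Allow",
            "Action": ["rds:DescribeDBClusters"],
            "Resource": [WILDCARD_ARN],
        }
    ],
}


def decisions() -> dict:
    """Evaluate the four combinations the thread talks about."""
    act = "rds:DescribeDBClusters"
    return {
        "scoped policy, --endpoint request (cluster:*)": is_allowed(SCOPED_POLICY, act, WILDCARD_ARN),
        "scoped policy, --cluster-id request": is_allowed(SCOPED_POLICY, act, CLUSTER_ARN),
        "wide policy, --endpoint request (cluster:*)": is_allowed(WIDE_POLICY, act, WILDCARD_ARN),
        "wide policy, --cluster-id request": is_allowed(WIDE_POLICY, act, CLUSTER_ARN),
    }


if __name__ == "__main__":
    for case, allowed in decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {case}")
```

Only the first combination is denied, which is exactly the 403 in the issue. The least-privilege fix is therefore the one suggested above (invoke with --cluster-id so the request carries the specific cluster ARN and the existing scoped statement matches); widening Resource to cluster:* works too but grants DescribeDBClusters on every cluster in the account and region. To confirm against the real role before redeploying, run `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names rds:DescribeDBClusters --resource-arns "arn:aws:rds:us-east-1:<account>:cluster:*"` and again with the specific cluster ARN; the EvalDecision for each mirrors the table above.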
