
Currently attempting to connect to Neptune via a NodeJS Lambda. The code works up to the point of getUrlAndHeaders in both libraries, I am getting a response back and a connection is created; however, on attempting to insert/select, I get a 403.

  • There is a policy attached to the execution role, either "neptune-db:*" or "neptune-db:connect", but neither works.
  • All the same subnets are being used as a temporary measure.
  • The docs mention Neptune lives in EC2 instances, but I am not seeing any reference to them.
  • Confirmed that there are policies attached to said execution role for ec2: CreateNetworkInterface, DescribeNetworkInterface, DeleteNetworkInterface.

What am I missing? I am working on testing other things in the process, but not gaining any traction.

Documentation:
AWS Neptune - IAM Auth Policy
AWS Neptune - Temp Credentials

Code being used/modeled after:
AWS Lambda Examples
gremlin-aws-sigv4

In Progress:
AWSLambdaVPCAccessExecutionRole - SF
@aws-sdk/client-neptune - NPM

  • Do you have IAM Authentication enabled on your Neptune cluster? If yes requests to Neptune need to be signed with SigV4. – Kelvin Lawrence Jul 23 '21 at 14:46
  • @Kelvin Yes it is. Is that not what the libraries are doing beneath the impl? I see that `getUrlAndHeaders` is calling aws4.sign. [gremlin-aws-sigv4/utils.js](https://github.com/shutterstock/gremlin-aws-sigv4/blob/master/lib/utils.js) – Joe Kennedy Jul 23 '21 at 14:55
  • Yes just wanted to verify - I see you are following the code from https://docs.aws.amazon.com/neptune/latest/userguide/lambda-functions-examples.html which should work. There are other reasons that a connection can still be blocked. For example if your organization uses AWS Organizations and the SCP policy does not allow access to Neptune. Also assuming SSL is enabled, your hostname needs to start with "wss://" which I have seen trip up a few people. If none of this helps we can dig deeper. – Kelvin Lawrence Jul 23 '21 at 15:06
  • @Kelvin I can see in the AWS doc example that wss:// is already applied. However, the one example on the npm page for gremlin-aws-sigv4 ends up calling "https:" for "/status". That is using the class "AwsSigV4DriverRemoteConnection". I can tell that is the issue because it logs an error on 'undefined' for 'submit'. The property '_client' is only set when the status call is successful. – Joe Kennedy Jul 23 '21 at 15:15
  • /status is a REST endpoint so would need to be called as HTTPS with SigV4 applied. Gremlin code that uses the Gremlin client (and does not send the query as a text string) needs the wss:// to indicate a secure web socket. – Kelvin Lawrence Jul 23 '21 at 15:24
  • @KelvinLawrence I got debug enabled - "get Neptune status "https:///status" (try #5). Ultimately code "AccessDeniedException". Going to confirm the ARN has what it needs. (Typo: stats > status) – Joe Kennedy Jul 23 '21 at 16:27
  • Is that a typo or did you really use `stats` it needs to be `status` ? – Kelvin Lawrence Jul 23 '21 at 16:28
  • That was a typo – Joe Kennedy Jul 23 '21 at 17:30
  • @KelvinLawrence Maybe I missed this, but was installing the Gremlin console a hard requirement? – Joe Kennedy Jul 24 '21 at 19:48
  • The Gremlin Console is not required at all if you are connecting from a Lambda to Neptune. – Kelvin Lawrence Jul 24 '21 at 23:31
  • Were you able to get it working? – Kelvin Lawrence Aug 02 '21 at 12:34
  • @KelvinLawrence Yes... within the custom module (Terraform) being used, the reference needed was the "resource-id" and not just any given ID. – Joe Kennedy Aug 02 '21 at 14:00

0 Answers