unable to connect to AWS Neptune DB after enabling IAM DB authorisation

Question

I am trying to connect to AWS neptune DB after enabling IAM DB authorisation and it is not able to connect and failing with below error.

{"code":"AccessDeniedException","requestId":"68bbc87a-cbf6-31d3-5829-91f32062239f","detailedMessage":"Missing Authentication Token"}

However Its working fine with disabling IAM DB authorisation.

I have created a policy (using link https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth-policy.html) to connect to neptune DB and attached the policy to IAM role which is being added to the ec2 instance. I can able to telnet to neptune DB endpoint with 8182 port.

Can someone please help.

Answer 1

When IAM authentication is enabled, requests to the HTTP endpoint must be signed using SigV4. You can use a tool like awscurl to do this.

Here is an example from the Amazon Neptune documentation that I have modified slightly to have it point to the /status endpoint.

Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables correctly (and also AWS_SECURITY_TOKEN if you are using temporary credential). You can also pass these as parameters to awscurl. Then use a command such as (change the region to be your region).

awscurl -X GET --service neptune-db  --region us-west-2 "$SYSTEM_ENDPOINT/status"

You can get temporary credentials using sts via the AWS CLI tools as follows:

aws sts get-session-token

If you are running on an EC2 instance you can get the tokens from the metadata service so long as the EC2 instance has a role attached that has access to Neptune. More details here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html