Reputation: 1242
I'm trying to access the Neptune cluster status endpoint from an SSH tunnel. I can hit it without issue on my bastion host, but when doing it via the SSH tunnel, I get:
https://localhost:8182/status
{"detailedMessage":"Bad request.","requestId":"random-request-id-appears-here","code":"BadRequestException"}
How can I do this? It seems like I need something with sigv4. I was hoping to see the response work after hitting this in my browser.
I've also tried awscurl. After setting my env variables, I get:
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=8182): Max retries exceeded with url: /status (Caused by SSLError(SSLCertVerificationError("hostname 'localhost' doesn't match either of '*.id.us-east-2.neptune.amazonaws.com', '*.id.us-east-2.neptune.amazonaws.com', '*.cluster-custom-id.us-east-2.neptune.amazonaws.com', '*.cluster-ro-id.us-east-2.neptune.amazonaws.com'")))
Upvotes: 0
Views: 445
Reputation: 71
When using an SSH tunnel to access Neptune through localhost, one needs to explicitly pass the Neptune endpoint as the host header for signing the request. Consider the example below for awscurl:
awscurl -k --service neptune-db --access_key $ACCESS_KEY --secret_key $SECRET_KEY --region <neptune_instance_region> --session_token $SESSION_TOKEN --header 'host: <neptune-cluster-endpoint-withouthttp-withoutport>' https://localhost:8182/status
Without the explicit host header, the request would be signed using "localhost", resulting in an invalid signature.
Upvotes: 3
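Why the host header matters, as an added example in standard-library Python (not code from the question or the answer): the `host` value is part of the SigV4 canonical request, so a request signed for `localhost` carries a different signature from one signed for the cluster endpoint. The function names, endpoint and credentials are constructed placeholders, and `get_status_via_tunnel` is one way to keep certificate verification on (instead of `-k`) by checking the certificate against the real endpoint name while the socket goes to the tunnel port.

```python
import datetime, hashlib, hmac, http.client, socket, ssl

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_get_headers(host, path, region, service, access_key, secret_key,
                      token=None, now=None):
    """SigV4 headers for a body-less GET with no query string, signed for `host`."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if token:  # temporary credentials: the session token is signed too
        headers["x-amz-security-token"] = token
    names = sorted(headers)
    signed = ";".join(names)
    canonical = "\n".join([
        "GET", path, "",                                 # method, URI, empty query
        "".join(f"{n}:{headers[n]}\n" for n in names),   # the host value is hashed here
        signed, hashlib.sha256(b"").hexdigest()])        # hash of the empty payload
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers

def get_status_via_tunnel(endpoint, headers, local_port=8182):
    """Connect to the local tunnel port, but send SNI and verify the certificate
    for the real endpoint name, so TLS verification stays enabled."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection(("127.0.0.1", local_port), timeout=10)
    conn = http.client.HTTPSConnection(endpoint, local_port, context=ctx)
    conn.sock = ctx.wrap_socket(raw, server_hostname=endpoint)  # pre-connected socket
    conn.request("GET", "/status", headers=headers)  # 'host' key suppresses the auto Host
    resp = conn.getresponse()
    return resp.status, resp.read().decode()

if __name__ == "__main__":
    # Constructed placeholder values; substitute the real endpoint and credentials.
    ep = "my-cluster.cluster-EXAMPLE.us-east-2.neptune.amazonaws.com"
    hdrs = sigv4_get_headers(ep, "/status", "us-east-2", "neptune-db",
                             "AKIDEXAMPLE", "SECRETEXAMPLE")
    print(hdrs["Authorization"])
```

The `host` value passed to the signer must be the same string the answer puts in its `host:` header, since that is the value the server recomputes the signature over.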