Using SageMaker Notebook with IAM DB authenticated Neptune database


How do I configure the notebook so it can connect to a Neptune database that has IAM DB Authentication enabled? I received a "Missing authentication token" error message when running %status in a notebook cell.

Update 1: The IAM role also has the policy to access Neptune. Here is the excerpt of it:

{
  "Action": "neptune-db:*",
  "Effect": "Allow",
  "Resource": "arn:aws:neptune-db:region:account-id:cluster-resource-id/*"
}

Are there additional permissions that need to be included?

Update 2: After adding the proper resource ARN, I am able to query the database. However, when the IAM DB Authentication option for Neptune is set to true, I receive "Missing authentication token" when running queries from the notebook:

{
  "code": "AccessDeniedException",
  "requestId": "84c4efd9-370b-065d-e3b8-bb3389bb96d0",
  "detailedMessage": "Missing Authentication Token"
}
  • Does your SageMaker Execution Role have permission to call Neptune? If not, you need to create a policy with necessary permission and attach it to your SageMaker Execution Role.

  • I have updated my question to include the policy, but this still does not allow me to access Neptune from the notebook.

asked 9 months ago, 430 views
2 Answers
Accepted Answer

You need to ensure that your notebook configuration is set with the proper IAM configuration:

Use %graph_notebook_config to fetch the current config:

{
  "host": "neptunedbcluster-xxxxxxxxxx.cluster-xxxxxxxxxx.us-west-2.neptune.amazonaws.com",
  "port": 8182,
  "proxy_host": "",
  "proxy_port": 8182,
  "auth_mode": "DEFAULT",
  "load_from_s3_arn": "",
  "ssl": true,
  "ssl_verify": true,
  "aws_region": "us-west-2",
  "sparql": {
    "path": "sparql"
  },
  "gremlin": {
    "traversal_source": "g",
    "username": "",
    "password": "",
    "message_serializer": "graphsonv3"
  },
  "neo4j": {
    "username": "neo4j",
    "password": "password",
    "auth": true,
    "database": null
  }
}

Then set a new config using %%graph_notebook_config (note the two % this time) along with the updated JSON included in the body of the cell. You'll need to change the auth_mode parameter to IAM in order for the cell magics to use IAM Authentication when communicating with Neptune.

AWS
answered 9 months ago
EXPERT
reviewed 10 days ago

Hi, your resource ARN is incorrect.

As per https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptune.html#amazonneptune-resources-for-iam-policies, proper syntax is arn:${Partition}:neptune-db:${Region}:${Account}:${RelativeId}/database

So fix it and it should be fine. You can omit some parts (region, account, etc.) to make them implicit, but you must keep the corresponding colons for the parts that you omit (region, account).

Best,

Didier

AWS
EXPERT
answered 9 months ago
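As an added example (not code from the question, the answers, or the graph-notebook project), here is a small Python check that applies both answers: it validates a neptune-db policy Resource ARN against the documented syntax quoted by Didier, and flags the %graph_notebook_config settings that would leave requests to an IAM-authenticated cluster unsigned. The region/account patterns, the HTTPS check and the config keys examined are assumptions drawn from the sample JSON above.

```python
import re

# Region code such as "us-west-2" and a 12-digit account id; either may be empty in the ARN.
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
_ACCOUNT = r"\d{12}"
# Documented form: arn:${Partition}:neptune-db:${Region}:${Account}:${RelativeId}/database
# ("/*" is accepted here as the wildcard form of the same resource).
_NEPTUNE_DB_ARN = re.compile(
    rf"^arn:aws(?:-[a-z]+)*:neptune-db:(?:{_REGION})?:(?:{_ACCOUNT})?:"
    r"[A-Za-z0-9-]+/(?:database|\*)$"
)

def check_policy_resource(resource: str) -> list[str]:
    """Return the problems found in a neptune-db policy Resource ARN (empty list = OK)."""
    if _NEPTUNE_DB_ARN.match(resource):
        return []
    parts = resource.split(":")
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "neptune-db":
        return ["expected six colon-separated fields: "
                "arn:partition:neptune-db:region:account:relative-id/database"]
    region, account, tail = parts[3], parts[4], parts[5]
    problems = []
    if region and not re.fullmatch(_REGION, region):
        problems.append(f"region {region!r} is not a region code such as us-west-2 (or leave it empty)")
    if account and not re.fullmatch(_ACCOUNT, account):
        problems.append(f"account {account!r} is not a 12-digit account id (or leave it empty)")
    if not re.fullmatch(r"[A-Za-z0-9-]+/(?:database|\*)", tail):
        problems.append(f"relative id {tail!r} should be <cluster-resource-id>/database")
    return problems

def check_notebook_config(config: dict) -> list[str]:
    """Return settings in a %graph_notebook_config JSON that would leave requests unsigned."""
    problems = []
    if config.get("auth_mode") != "IAM":
        problems.append(f'auth_mode is {config.get("auth_mode")!r}; set it to "IAM"')
    if not config.get("ssl", False):
        problems.append("ssl is false; IAM-authenticated connections must use HTTPS")
    host_region = re.search(rf"\.({_REGION})\.neptune\.amazonaws\.com$", config.get("host", ""))
    if host_region and config.get("aws_region") != host_region.group(1):
        problems.append(f"aws_region {config.get('aws_region')!r} does not match host region "
                        f"{host_region.group(1)!r}; SigV4 signatures are region-scoped")
    return problems

# Constructed sample: the question's Resource string and the relevant keys of the answer's config.
QUESTION_RESOURCE = "arn:aws:neptune-db:region:account-id:cluster-resource-id/*"
ANSWER_CONFIG = {"host": "neptunedbcluster-xxxxxxxxxx.cluster-xxxxxxxxxx.us-west-2.neptune.amazonaws.com",
                 "port": 8182, "auth_mode": "DEFAULT", "ssl": True, "aws_region": "us-west-2"}
```

Running `check_policy_resource(QUESTION_RESOURCE)` reports the literal `region` and `account-id` placeholders, and `check_notebook_config(ANSWER_CONFIG)` reports only the `DEFAULT` auth_mode, which matches the two fixes the answers describe.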
