Using SageMaker Notebook with IAM DB authenticated Neptune database

0

How do I configure the notebook so it can connect to the Neptune database that has IAM DB Authentication enabled? I received "Missing authentication token" error message when running %status in the notebook cell.

Update 1: The IAM role also has the policy to access neptune as well. Here is the excerpt of it:

 {
       "Action": "neptune-db:*",
       "Effect": "Allow",
       "Resource": "arn:aws:neptune-db:region:account-id:cluster-resource-id/*",
 }

Is there additional permissions that need to be included?

Update 2: After adding the proper resource ARN, I am able to query the database. However when the IAM DB Authentication option for neptune is set to true, I received "Missing authentication token" when running queries from notebook

{
  "code": "AccessDeniedException",
  "requestId": "84c4efd9-370b-065d-e3b8-bb3389bb96d0",
  "detailedMessage": "Missing Authentication Token"
}
  • Does your SageMaker Execution Role have permission to call Neptune? If not, you need to create a policy with necessary permission and attach it to your SageMaker Execution Role.

  • I have update my question to include the policy, but this still does not allow me to access neptune from notebook

profile picture
asked 9 months ago482 views
2 Answers
3
Accepted Answer

You need to ensure that your notebook configuration is set with the proper IAM configuration:

Use %graph_notebook_config to fetch the current config:

{
  "host": "neptunedbcluster-xxxxxxxxxx.cluster-xxxxxxxxxx.us-west-2.neptune.amazonaws.com",
  "port": 8182,
  "proxy_host": "",
  "proxy_port": 8182,
  "auth_mode": "DEFAULT",
  "load_from_s3_arn": "",
  "ssl": true,
  "ssl_verify": true,
  "aws_region": "us-west-2",
  "sparql": {
    "path": "sparql"
  },
  "gremlin": {
    "traversal_source": "g",
    "username": "",
    "password": "",
    "message_serializer": "graphsonv3"
  },
  "neo4j": {
    "username": "neo4j",
    "password": "password",
    "auth": true,
    "database": null
  }
}

Then set a new config using %%graph_notebook_config (note the two % this time) along with the updated JSON included in the body of the cell. You'll need to change the auth_mode parameter to IAM in order for the cell magics to use IAM Authentication when communicating with Neptune.

profile pictureAWS
answered 9 months ago
profile picture
EXPERT
reviewed a month ago
1

Hi, your resource ARN is incorrect.

As per https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptune.html#amazonneptune-resources-for-iam-policies, proper syntax is arn:${Partition}:neptune-db:${Region}:${Account}:${RelativeId}/database

So, fix it and it should be fine: you can omit some parts: region, account, etc. to make them implicit. But you must keep the corresponding colons for those parts that you omit (region, account).

Best,

Didier

profile pictureAWS
EXPERT
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions