Gremlin 到 AWS Neptune 的 403 禁止错误

Question

非常感谢您的提前帮助

我正尝试按照 https://docs.aws.amazon.com/neptune/latest/userguide/get-started.html 中的说明设置我的 AWS Neptune 环境。设置似乎没问题，我可以使用 Neptune Notebook 安装来检查状态。状态消息为：

{
  "status": "healthy",
  "startTime": "Tue May 12 04:24:52 UTC 2020",
  "dbEngineVersion": "1.0.2.2.R2",
  "role": "writer",
  "gremlin": {
    "version": "tinkerpop-3.4.3"
  },
  "sparql": {
    "version": "sparql-1.1"
  },
  "labMode": {
    "ObjectIndex": "disabled",
    "ReadWriteConflictDetection": "enabled"
  }
}

但是我无法通过 EC2 客户端实例中的 Gremlin 控制台连接到它，我收到如下 403 禁止错误：


         \,,,/
         (o o)
-----oOOo-(3)-oOOo-----
plugin activated: tinkerpop.server
plugin activated: tinkerpop.utilities
plugin activated: tinkerpop.tinkergraph
gremlin> :remote connect tinkerpop.server conf/neptune-remote.yaml
WARN  org.apache.tinkerpop.gremlin.driver.Cluster  - Using deprecated SSL trustCertChainFile support
ERROR org.apache.tinkerpop.gremlin.driver.Handler$GremlinResponseHandler  - Could not process the response
io.netty.handler.codec.http.websocketx.WebSocketHandshakeException: Invalid handshake response getStatus: 403 Forbidden
    at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13.verify(WebSocketClientHandshaker13.java:226)
    at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker.finishHandshake(WebSocketClientHandshaker.java:276)
    at org.apache.tinkerpop.gremlin.driver.handler.WebSocketClientHandler.channelRead0(WebSocketClientHandler.java:69)
    at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)

我分配给 EC2 实例的 IAM 角色具有以下策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "neptune-db:*"
            ],
            "Resource": [
                "arn:aws:neptune-db:ap-southeast-2:<my aws account number>:*/*"
            ]
        }
    ]
}

我的 neptune-remote.yaml 文件如下：

hosts: [<my neptune cluster name>.cluster-<cluster id>.ap-southeast-2.neptune.amazonaws.com]
port: 8182
connectionPool: { enableSsl: true, trustCertChainFile: "SFSRootCAG2.pem"}
serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0, config: { serializeResultToString: true }}

为了调试这个问题，我尝试使用 apache-tinkerpop-gremlin-console 版本 3.4.1、3.4.3 和 3.4.6。都有相同的错误响应

我也试过成功远程登录到上面的主机端口，如下所示，所以这不是 SG 或连接问题：

$ telnet <my neptune cluster name>.cluster-<cluster id>.ap-southeast-2.neptune.amazonaws.com 8182
Trying 172.30.1.200...
Connected to xxxxx-xxxxxxxx.cluster-xxxxxx.ap-southeast-2.neptune.amazonaws.com.
Escape character is '^]'.

我为此苦苦挣扎了一段时间，任何help/hint将不胜感激

谢谢！

Answer 1

根据评论添加答案，以防其他人也发现这个问题。

如果为 Amazon Neptune 集群启用了 IAM 身份验证，则所有查询请求都必须使用 SIG V4 进行签名。有关详细信息，请参阅 [1]。

[1] https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth-connecting-gremlin-console.html

Gremlin 到 AWS Neptune 的 403 禁止错误

403 Forbidden error for Gremlin to AWS Neptune

amazon-web-services

amazon-iam

gremlin

gremlin-server

amazon-neptune