
IAM Roles (IRSA) doesn't work with gremlin-console #42

Open
talmarco opened this issue Nov 9, 2021 · 8 comments

Comments

@talmarco

talmarco commented Nov 9, 2021

I'm trying to configure IRSA (IAM Roles) when using neptune-gremlin, but without success.
I have created an IAM policy, attached this policy to a role and this role is also attached to a Kubernetes service account by mentioning the role name as an annotation.

Service Account:

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/role-name
  name: neptune-sa
  namespace: dev

Policy:

{
  "Effect": "Allow",
  "Action": "neptune-db:*",
  "Resource": "arn:aws:neptune-db:<our-region>:<account-id>:cluster-<cluster-id>/*"
}

I'm creating the pod using the following command:

kubectl run gremlin-console \
  --rm=true -i --tty --image <gremlin-console-image> --env="SERVICE_REGION=<our-region>"  \
  <endpoint-name>.<our-region>.neptune.amazonaws.com -n dev \
  --overrides='{ "spec": { "serviceAccountName": "neptune-sa" }  }'

The error I'm getting is:

ERROR org.apache.tinkerpop.gremlin.driver.Handler$GremlinResponseHandler  - Could not process the response
io.netty.handler.codec.http.websocketx.WebSocketHandshakeException: Invalid handshake response getStatus: 403 Forbidden
        at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13.verify(WebSocketClientHandshaker13.java:274)
        at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker.finishHandshake(WebSocketClientHandshaker.java:302)
        at org.apache.tinkerpop.gremlin.driver.handler.WebSocketClientHandler.channelRead0(WebSocketClientHandler.java:69)
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:93)
        at io.netty.handler.codec.http.websocketx.extensions.WebSocketClientExtensionHandler.channelRead(WebSocketClientExtensionHandler.java:127)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:321)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:295)
        at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1486)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at java.lang.Thread.run(Thread.java:748)

As a side note, this mechanism works for me on all other pods but Gremlin <> Neptune.

Thanks!

@krlawrence

If you have IAM authentication enabled on the Neptune cluster, the call to Neptune has to be signed using SigV4. Are you signing that request?

@talmarco
Author

If you have IAM authentication enabled on the Neptune cluster, the call to Neptune has to be signed using SigV4. Are you signing that request?

IAM authentication is enabled. My hunch is gremlin-console doesn't support WebIdentityToken when signing the request.

@afreeland

@talmarco seeing this as well, was curious if you had ever resolved it? I noticed this when trying to use the neptune-export utility from the neptune user guide documentation.

@krlawrence

Hi @afreeland - can you say a bit more about the exact steps you are trying and the failure you are seeing?

@talmarco
Author

talmarco commented May 7, 2022

@talmarco seeing this as well, was curious if you had ever resolved it? I noticed this when trying to use the neptune-export utility from the neptune user guide documentation.

Nope, still have the same problem

@afreeland

@krlawrence I am a bit embarrassed to say but I believe it was because I was missing the AWS_ACCESS_KEY_ID and the AWS_SECRET_ACCESS_KEY. I had the SERVICE_REGION defined but was going kind of out of band in our environment and wasn't getting the two env vars that were required.

For me I was using the neptune-export.jar and didn't have much control over the signature part but was seeing the exporter throw errors very similar to the above.

I did all the checks to make sure VPC was looking good and then was able to use curl 7.79.1 with the new --aws-sigv4 parameter to hit neptune cluster...and was like, okay...let me take some steps back lol.

I believe once I added those env vars life was good and connectivity seemed to work...so my use-case may be different than the original thread.
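The 403 in the original report and the missing-env-vars finding above both come down to the same SigV4 detail: credentials obtained through IRSA (a web identity token exchanged at STS) are temporary and carry a session token, and that token has to be sent as `x-amz-security-token` and included in the signed headers, or Neptune rejects the handshake. The following is an added illustration, not code from this issue or from gremlin-console; the endpoint, region and credential values are constructed placeholders, and the `/gremlin` path and `neptune-db` service name are the ones Neptune IAM auth uses.

```python
import hashlib
import hmac

# Constructed sample values (not from the issue): a Neptune-style endpoint and
# the SigV4 service name that Neptune IAM authentication expects.
ENDPOINT = "example-cluster.cluster-abc123.us-east-1.neptune.amazonaws.com"
REGION = "us-east-1"
SERVICE = "neptune-db"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def credential_source(env: dict) -> str:
    """Classify what a pod's environment offers a signer. IRSA injects AWS_ROLE_ARN and
    AWS_WEB_IDENTITY_TOKEN_FILE; those must be exchanged at STS for temporary keys plus a
    session token. A signer that only reads AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY sees nothing."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "static-or-exported"
    if env.get("AWS_ROLE_ARN") and env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        return "web-identity"
    return "none"


def sign_gremlin_handshake(access_key, secret_key, session_token, amz_date, host=ENDPOINT, region=REGION):
    """Return SigV4 headers for the GET /gremlin WebSocket upgrade. amz_date (e.g.
    20211109T120000Z) is a parameter so the result is deterministic."""
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        # Temporary (IRSA/STS) credentials are only valid with their session token,
        # and the token must itself be one of the signed headers.
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(b"").hexdigest()  # the upgrade request has no body
    canonical_request = "\n".join(["GET", "/gremlin", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp), region), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    out = {"Host": host, "X-Amz-Date": amz_date,
           "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}"}
    if session_token:
        out["X-Amz-Security-Token"] = session_token
    return out
```

A quick way to see the difference is to sign the same request once with and once without a session token: the `SignedHeaders` list and the signature both change, which is what the server checks before returning 403.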

@Piroddi

Piroddi commented Jul 27, 2022

Hi @talmarco, experiencing the same. Were you ever able to resolve?

@talmarco
Author

talmarco commented Aug 2, 2022

@Piroddi Unfortunately I didn't manage to resolve this.
