Currently attempting to connect to Neptune via NodeJS Lambda.
The code works to the point of getUrlAndHeaders in both libraries and I am getting response back and a connection is created, however, on attempt to insert/select, I get the 403.
There is a policy attached to the execution role, either "neptune-db:*" or "neptune-db:connect", but neither work.
All the same subnets are being used as a temporary measure
The docs mention Neptune lives in EC2 instances, but not seeing any reference to them
Confirmed that there are policies attached to said execution role for ec2: CreateNetworkInterface,DescribeNetworkInterface,DeleteNetworkInterface
What am I missing? I am working on testing other things in the process, but not gaining any traction.
Documentation:
AWS Neptune - IAM Auth Policy
AWS Neptune - Temp Credentials
Code being used/modeled after:
AWS Lambda Examples
gremlin-aws-sigv4
In Progress:
AWSLambdaVPCAccessExecutionRole - SF
#aws-sdk/client-neptune - NPM
Related
I have configured cross account s3 bucket access from a ec2 instance. when I login to the aws ec2 server and run aws cli command to get s3 bucket data that have created in the another aws account, its work properly. please find below command.
aws s3 ls s3://test-bucket-name --profile demo
But, I need to do this using nodejs sdk. I have a application that run on ec2. This application needs to access this bucket data through the application. Is there any way to access this bucket data from application using nodejs?
Launch the EC2 instance with an IAM role in account 1 that has permission to assume an IAM role in account 2. That second role provides S3 access to the relevant bucket/objects in account 2.
Code using the AWS JavaScript SDK will automatically get credentials for IAM role 1. Your code can then assume IAM role 2, get credentials, and then access the cross-account S3 bucket.
I have written an AWS Lambda nodejs function for creating a stack in CloudFormation, using CloudFormation template and given input parameters from UI.
When I run my Lambda function with respected inputs, a stack is successfully creating and instances like (ec2, rds, and vpc, etc.) are also created and working perfectly.
Now I want to make this function as public and use this function with user AWS credentials.
So public user uses my function with his AWS credentials those resources should be created in his account and user doesn't want to see my template code.
How can I achieve this?
You can leverage AWS Cloud Development Kit better, than directly using CloudFormation for this purpose. Although CDK may not be directly used within Lambda, a workaround is mentioned here.
AWS CloudFormation will create resources in the AWS Account that is associated with the credentials used to create the stack.
The person who creates the stack will need to provide (upload) a template file or they can reference a template that is stored in Amazon S3, which is accessible to their credentials (meaning that it is either public, or their credentials have been given permission to access the template in S3).
We have ElasticSearch domain created in one of the AWS account.
We are trying to use AWS cli command to "describe" this domain.
aws es describe-elasticsearch-domain --domain-name <domain-name>
But receiving error:
An error occurred (ResourceNotFoundException) when calling the
DescribeElasticsearchDomain operation: Domain not found:
We than used list-domain command:
aws es list-domain-names
But received empty response:
{
"DomainNames": [] }
We double checked account info. and credentials in .aws folder and we are pointing to correct aws account also able to view other resources in that account except ElasticSearch.
Any help is appreciated.
It's not the permission issue, It can be profile issue may be command run in other account but I am sure your Elastic search cluster is in a different region and you set the different region in aws configure
All you need to pass region to the aws command
aws es list-domain-names --region DOMAIN_REGION
or
aws es list-domain-names --region us-west-1
The exception clearly said the resources not found in the region by default which specified in aws configure using aws-cli.
aws es describe-elasticsearch-domain --domain-name youdomain domain_region
I'm trying to figure out a way to run Terraform from inside an AWS WorkSpace. Is that even possible? Has anyone made this work?
AWS WorkSpaces doesn't apply the same concept with an Instance Profile and associated IAM role that is attached to it.
I'm pretty confident, however, that you can run Terraform in an AWS WorkSpace just as you can do it from your personal computer. With Internet access (or VPC endpoints), it can reach AWS APIs and just requires a set of credentials, which in this case (without instance profiles) would be an AWS Access Key and Secret Access Key - just like on your local computer.
$aws configure set region=CrossRegion-US
$ aws iam get-user.
Could not connect to the endpoint URL: https://iam.CrossRegion-US.amazonaws.com/
Is this happening because I have set an incorrect region or is Softlayer in progress of improving the API support?
I have also used the region from authentication endpoints. Still, I get the same error.
Setting custom endpoints is not possible within the ~/.aws/config or ~/.aws/credentials files, instead it must be passed as an argument to each command. In your example above, you were trying to connect to AWS because a custom endpoint was not provided to let the CLI know where to connect.
For example, to list the contents of bucket-1:
aws --endpoint-url=https://{endpoint} s3 ls s3://bucket-1/
In the case of IBM Cross-Region object storage, the default endpoint would be s3-api.us-geo.objectstorage.softlayer.net. (In this case, the region would be us-standard, although this is not necessary to explicitly declare as it is the only region currently offered.)
For more information, the documentation has information on both using the AWS CLI and connecting to endpoints.
All that said, user information is not accessible using the implementation of the S3 API. Some user information can be accessed using the SoftLayer API, but generally speaking user information isn't directly used by the object storage system in this release, as permissions are issued at the storage account level.