Why does it need to have permission for "db:*" (in the error logs)? I am expecting it to have a proper cluster id in the ARN for the permission request. I get the same error using the aws cli command describe-db-instances, but I tried aws describe-db-clusters --db-cluster-identifier neptune-dummy-id-xyz, which works fine (with the permission I have for the role) and gives replica details. Do we actually need to have permission for "db:*" to use refreshAgent.getAddresses().get(EndpointsType.ReadReplicas)?
Exception in thread "main" java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
Caused by: com.amazonaws.services.neptune.model.AmazonNeptuneException: User: arn:aws:sts::XXXYYYXXXYYY:assumed-role/CustomRole2/aws-sdk-java-XXXYYYXXXYYY is not authorized to perform: rds:DescribeDBInstances on resource: arn:aws:rds:us-west-2:XXXYYYXXXYYY:db:* because no identity-based policy allows the rds:DescribeDBInstances action (Service: AmazonNeptune; Status Code: 403; Error Code: AccessDenied; Request ID: AAAAAAA-BBBB-CCCC-DDDD-7EEEEEEEEE; Proxy: null)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
    at com.amazonaws.services.neptune.AmazonNeptuneClient.doInvoke(AmazonNeptuneClient.java:4542)
    at com.amazonaws.services.neptune.AmazonNeptuneClient.invoke(AmazonNeptuneClient.java:4509)
    at com.amazonaws.services.neptune.AmazonNeptuneClient.invoke(AmazonNeptuneClient.java:4498)
    at com.amazonaws.services.neptune.AmazonNeptuneClient.executeDescribeDBInstances(AmazonNeptuneClient.java:2296)
    at com.amazonaws.services.neptune.AmazonNeptuneClient.describeDBInstances(AmazonNeptuneClient.java:2264)
    at software.amazon.neptune.cluster.GetEndpointsFromNeptuneManagementApi.getAddresses(GetEndpointsFromNeptuneManagementApi.java:127)
    at software.amazon.neptune.cluster.ClusterEndpointsRefreshAgent.getAddresses(ClusterEndpointsRefreshAgent.java:89)
    at com.demo.common.Main.main(Main.java:34)
    ... 8 more
We'd need to confirm, but I believe the client needs to access the instance information in the cluster, which is why the additional IAM policies are needed.
I believe we don't need to have access for "db:*" with aws describe-db-clusters --db-cluster-identifier neptune-dummy-id-xyz, and it serves the purpose. It may not be easy in most cases to get access to all the instances for an IAM role.
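The two sides of this thread can be checked against the shape of the two management API responses. The script below is an added example, not code from the issue or from the neptune gremlin-client project: it uses constructed sample responses shaped like Neptune's DescribeDBClusters and DescribeDBInstances results (the cluster identifier, account id and region are the placeholders from the issue; instance names, hostnames and statuses are made up). It shows that the cluster description does list the replicas, but only as instance identifiers plus the writer flag, while the per-instance endpoint address and port only appear in the instance description, which is the call the stack trace shows failing. It also emits the smallest identity policy that would satisfy the denial as worded in the error message, scoped to the one account and region; the filter on "available" status is this example's own choice, not something the issue states the refresh agent does.

```python
"""Added example: why the refresh agent needs rds:DescribeDBInstances.

Sample data below is constructed; the dict shapes follow the Neptune
DescribeDBClusters / DescribeDBInstances responses as returned by boto3.
"""
import json

REGION = "us-west-2"
ACCOUNT = "XXXYYYXXXYYY"            # placeholder account id from the issue's error message
CLUSTER_ID = "neptune-dummy-id-xyz"  # placeholder cluster id from the issue

# Constructed sample of `describe-db-clusters --db-cluster-identifier neptune-dummy-id-xyz`.
# Note: members carry an identifier and IsClusterWriter, but no per-instance address.
CLUSTER_RESPONSE = {
    "DBClusters": [{
        "DBClusterIdentifier": CLUSTER_ID,
        "Endpoint": f"{CLUSTER_ID}.cluster-abc123.{REGION}.neptune.amazonaws.com",
        "ReaderEndpoint": f"{CLUSTER_ID}.cluster-ro-abc123.{REGION}.neptune.amazonaws.com",
        "Port": 8182,
        "DBClusterMembers": [
            {"DBInstanceIdentifier": f"{CLUSTER_ID}-writer", "IsClusterWriter": True, "PromotionTier": 1},
            {"DBInstanceIdentifier": f"{CLUSTER_ID}-replica-1", "IsClusterWriter": False, "PromotionTier": 1},
            {"DBInstanceIdentifier": f"{CLUSTER_ID}-replica-2", "IsClusterWriter": False, "PromotionTier": 2},
        ],
    }]
}

# Constructed sample of DescribeDBInstances for the same cluster: this is where
# the instance endpoint (Address, Port) and status live.
INSTANCES_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": f"{CLUSTER_ID}-writer", "DBInstanceStatus": "available",
         "Endpoint": {"Address": f"{CLUSTER_ID}-writer.abc123.{REGION}.neptune.amazonaws.com", "Port": 8182}},
        {"DBInstanceIdentifier": f"{CLUSTER_ID}-replica-1", "DBInstanceStatus": "available",
         "Endpoint": {"Address": f"{CLUSTER_ID}-replica-1.abc123.{REGION}.neptune.amazonaws.com", "Port": 8182}},
        {"DBInstanceIdentifier": f"{CLUSTER_ID}-replica-2", "DBInstanceStatus": "rebooting",
         "Endpoint": {"Address": f"{CLUSTER_ID}-replica-2.abc123.{REGION}.neptune.amazonaws.com", "Port": 8182}},
    ]
}


def replica_ids(cluster_response):
    """Replica identifiers obtainable from DescribeDBClusters alone (cluster ARN only)."""
    members = cluster_response["DBClusters"][0]["DBClusterMembers"]
    return sorted(m["DBInstanceIdentifier"] for m in members if not m["IsClusterWriter"])


def replica_addresses(cluster_response, instances_response):
    """host:port for each available replica; requires the instance description."""
    wanted = set(replica_ids(cluster_response))
    addresses = {}
    for inst in instances_response["DBInstances"]:
        if inst["DBInstanceIdentifier"] in wanted and inst["DBInstanceStatus"] == "available":
            endpoint = inst["Endpoint"]
            addresses[inst["DBInstanceIdentifier"]] = f"{endpoint['Address']}:{endpoint['Port']}"
    return addresses


def refresh_agent_policy(region, account, cluster_id):
    """Smallest identity policy matching the denial quoted in the issue.

    The denied request names resource db:* (the call is filtered by cluster,
    not addressed to one instance), so the statement must use db:* too; it is
    narrowed to a single account and region rather than left fully open.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DescribeOneCluster", "Effect": "Allow",
             "Action": "rds:DescribeDBClusters",
             "Resource": f"arn:aws:rds:{region}:{account}:cluster:{cluster_id}"},
            {"Sid": "DescribeInstancesInThisAccountAndRegion", "Effect": "Allow",
             "Action": "rds:DescribeDBInstances",
             "Resource": f"arn:aws:rds:{region}:{account}:db:*"},
        ],
    }


if __name__ == "__main__":
    print("replicas from cluster description:", replica_ids(CLUSTER_RESPONSE))
    print("replica endpoints from instance description:",
          replica_addresses(CLUSTER_RESPONSE, INSTANCES_RESPONSE))
    print(json.dumps(refresh_agent_policy(REGION, ACCOUNT, CLUSTER_ID), indent=2))
```

To run the same checks against a real cluster, replace the two constructed dicts with the results of boto3's `client("neptune").describe_db_clusters(DBClusterIdentifier=...)` and `describe_db_instances(Filters=[{"Name": "db-cluster-id", "Values": [...]}])`; the second call is the one that will be denied under a policy that only grants the cluster ARN.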