Amazon Web Services: 403 Forbidden error from Gremlin against AWS Neptune
Tags: amazon-web-services, amazon-iam, gremlin, gremlin-server, amazon-neptune

Thanks very much for your help. I am trying to set up my AWS Neptune environment following the instructions at [link missing]. The setup seems fine, and I can check the status using the Neptune notebook installation. The status message is:
{
"status": "healthy",
"startTime": "Tue May 12 04:24:52 UTC 2020",
"dbEngineVersion": "1.0.2.2.R2",
"role": "writer",
"gremlin": {
"version": "tinkerpop-3.4.3"
},
"sparql": {
"version": "sparql-1.1"
},
"labMode": {
"ObjectIndex": "disabled",
"ReadWriteConflictDetection": "enabled"
}
}
However, I cannot connect to it through the Gremlin console from the EC2 client instance; I get a 403 Forbidden error, as shown below:
\,,,/
(o o)
-----oOOo-(3)-oOOo-----
plugin activated: tinkerpop.server
plugin activated: tinkerpop.utilities
plugin activated: tinkerpop.tinkergraph
gremlin> :remote connect tinkerpop.server conf/neptune-remote.yaml
WARN org.apache.tinkerpop.gremlin.driver.Cluster - Using deprecated SSL trustCertChainFile support
ERROR org.apache.tinkerpop.gremlin.driver.Handler$GremlinResponseHandler - Could not process the response
io.netty.handler.codec.http.websocketx.WebSocketHandshakeException: Invalid handshake response getStatus: 403 Forbidden
at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13.verify(WebSocketClientHandshaker13.java:226)
at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker.finishHandshake(WebSocketClientHandshaker.java:276)
at org.apache.tinkerpop.gremlin.driver.handler.WebSocketClientHandler.channelRead0(WebSocketClientHandler.java:69)
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
The IAM role I assigned to the EC2 instance has the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"neptune-db:*"
],
"Resource": [
"arn:aws:neptune-db:ap-southeast-2:<my aws account number>:*/*"
]
}
]
}
My neptune-remote.yaml file is as follows:
hosts: [<my neptune cluster name>.cluster-<cluster id>.ap-southeast-2.neptune.amazonaws.com]
port: 8182
connectionPool: { enableSsl: true, trustCertChainFile: "SFSRootCAG2.pem"}
serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0, config: { serializeResultToString: true }}
To debug this, I tried Apache TinkerPop Gremlin console versions 3.4.1, 3.4.3 and 3.4.6. They all give the same error response.
I also successfully connected to the above host and port via telnet, as shown below, so this is not a security group or connectivity issue:
$ telnet <my neptune cluster name>.cluster-<cluster id>.ap-southeast-2.neptune.amazonaws.com 8182
Trying 172.30.1.200...
Connected to xxxxx-xxxxxxxx.cluster-xxxxxx.ap-southeast-2.neptune.amazonaws.com.
Escape character is '^]'.
I have been struggling with this for a while; any help or hints would be greatly appreciated.
Thanks

Answer:
Adding an answer based on the comments in case others run into this too. If IAM authentication is enabled for an Amazon Neptune cluster, all query requests must be signed with SIG V4. For more information, see [1].

[1]

Comments:
Glad to try to help. A few questions to help narrow this down: Is IAM authentication enabled on your cluster? From the EC2 instance, can you run curl <endpoint>:8182/status? Is the EC2 instance in the same VPC as Neptune?

Hi Kelvin, thanks very much for your help. I just tried curl <endpoint>:8182/status and got the following: curl: (52) Empty reply from server. The EC2 instance is in the same VPC as Neptune, but it is in the public subnet, as per the AWS instructions.

Is IAM security enabled on your Neptune cluster? If so, you must sign requests with SIG V4. Can you curl the cluster's /status API?

You should use HTTPS in the curl command: curl https://<endpoint>:8182/status. Check whether that works. I am fairly sure that if IAM Auth is indeed enabled on the cluster, it should also give you a 403. To check this, describe the cluster's details using the Neptune console or the CLI.

IAM DB Auth is enabled for the Neptune cluster. When I try curl https://<endpoint>:8182/status, I get the error {"requestId":"...","code":"AccessDeniedException","detailedMessage":"Missing Authentication Token"}.
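As an added example (not code from the question, the answer or the comments): a standard-library Signature Version 4 signer that produces the Authorization header the "Missing Authentication Token" response is asking for, used to build the signed GET https://<endpoint>:8182/status request the comments tried with plain curl. The endpoint, region, credentials and fixed timestamp are constructed placeholders; neptune-db is the signing service name for Neptune, matching the IAM action prefix in the policy above.

```python
import datetime
import hashlib
import hmac
import urllib.request
from urllib.parse import quote

SERVICE = "neptune-db"  # signing service name for Neptune data-plane requests
# Constructed timestamp so the usage below produces reproducible signatures
SAMPLE_TIME = datetime.datetime(2020, 5, 12, 4, 24, 52, tzinfo=datetime.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(method, host, path, region, access_key, secret_key,
                  payload=b"", session_token=None, now=None):
    """Return the headers (including Authorization) for a SigV4-signed request."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials, e.g. from an EC2 instance role
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, quote(path, safe="/"), "",  # empty query
                                   canonical_headers, signed,
                                   hashlib.sha256(payload).hexdigest()])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Key derivation chain: secret -> date -> region -> service -> "aws4_request"
    k = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, SERVICE, "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def neptune_status_request(endpoint, region, access_key, secret_key, session_token=None):
    """Build the signed GET https://<endpoint>:8182/status that plain curl could not make."""
    host = f"{endpoint}:8182"  # the Host header must carry the non-default port
    hdrs = sigv4_headers("GET", host, "/status", region, access_key, secret_key,
                         session_token=session_token)
    return urllib.request.Request(f"https://{host}/status", headers=hdrs, method="GET")
```

Send the returned Request with urllib.request.urlopen from the EC2 instance, passing the instance role's temporary credentials including its session token; signatures are only valid for a short window, so the clock on the client must be accurate.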