-- 1. DBクラスター作成(IAM認証有効化)
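# 1. Create the cluster with IAM database authentication enabled.
# Lab-only settings, called out because they are security-relevant:
#   --no-storage-encrypted   : data at rest is NOT encrypted. Encryption at rest
#                              is chosen at creation time and cannot be switched
#                              on later, so use --storage-encrypted (with a KMS
#                              key) for anything beyond a throwaway lab.
#   --no-deletion-protection : lets step 8 delete the cluster without a modify
#                              step first; enable it for long-lived clusters.
#   --engine-version 1.0.5.0 : pinned on purpose — the Gremlin console used in
#                              step 5 (3.4.11) is tied to this engine version.
aws neptune create-db-cluster \
--db-cluster-identifier cluster01 \
--engine neptune \
--engine-version 1.0.5.0 \
--port 8182 \
--no-storage-encrypted \
--no-deletion-protection \
--enable-iam-database-authentication
# --no-auto-minor-version-upgrade keeps the engine at the pinned version; if
# the pin is dropped, a patch release may need a different console version.
aws neptune create-db-instance \
--db-cluster-identifier cluster01 \
--engine neptune \
--db-instance-identifier instance01 \
--db-instance-class db.t3.medium \
--no-multi-az \
--no-auto-minor-version-upgrade
# Verify the settings actually took effect rather than assuming them: expect
# "available True False" (IAM auth on, storage encryption off) for this lab.
# With IAM auth on, every request to port 8182 has to be SigV4-signed (step 7).
aws neptune describe-db-clusters --db-cluster-identifier cluster01 \
--query 'DBClusters[0].[Status,IAMDatabaseAuthenticationEnabled,StorageEncrypted]' \
--output text
# The instance takes several minutes to come up; re-run until this prints
# "available" before attempting to connect in step 7.
aws neptune describe-db-instances --db-instance-identifier instance01 \
--query 'DBInstances[0].DBInstanceStatus' --output text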
-- 2. IAMポリシー作成 (注意: neptune-db:* はこのクラスターに対するすべてのデータプレーン操作を許可する。検証以外の環境では実際に必要なアクションだけに絞ること。利用できるアクション名はエンジンバージョンによって異なる)
# The policy document that follows is saved as policy01.json and registered
# with `aws iam create-policy` below. Replace the account id and the cluster
# resource id in the Resource ARN with your own values.
vim policy01.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"neptune-db:*"
],
"Resource": [
"arn:aws:neptune-db:ap-northeast-1:999999999999:cluster-XXXXXXXXXXXXXXXXXXXXXXXXXX/*"
]
}
]
}
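# Register policy01 from the document above. The response prints the policy
# ARN (arn:aws:iam::<account>:policy/policy01), which step 4 attaches to the role.
aws iam create-policy \
--policy-name policy01 \
--policy-document file://policy01.json
# 3. Trust policy for role01. Save the document that follows as role01.json —
# that is the file `aws iam create-role` reads via file://role01.json.
# It allows only user/iamuser to call sts:AssumeRole on the role; add a
# Condition (for example requiring MFA) if the role will outlive this lab.
vim role01.json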
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999:user/iamuser"
},
"Action": "sts:AssumeRole"
}
]
}
# 3. Create role01 with the trust policy in role01.json. Only the principal
# listed there (user/iamuser) can assume it; the role has no permissions of
# its own until step 4 attaches policy01.
aws iam create-role \
--role-name role01 \
--assume-role-policy-document file://role01.json
-- 4. ポリシーをロールにアタッチ
# 4. Attach policy01 (neptune-db:* on cluster01) to role01. Whoever can assume
# role01 — here only iamuser, per the trust policy — gets that access; the IAM
# user itself needs no Neptune permissions, which is the point of the role.
aws iam attach-role-policy \
--policy-arn arn:aws:iam::999999999999:policy/policy01 \
--role-name role01
-- 5. Gremlin コンソールのインストール
※エンジンバージョンが1.0.5.0でIAM認証する場合、Gremlinは3.4.11を使用する必要がある
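# 5. Install the Gremlin console. 3.4.11 is required for IAM auth against
# engine 1.0.5.0 (see the note above), and the SigV4 signer used in step 7
# runs on Java 8.
sudo yum install -y java-1.8.0-devel
sudo /usr/sbin/alternatives --config java
# (interactive) enter the number of the Java 8 entry
java -version   # must report 1.8.x before continuing

# Download the console AND its published digest, and verify before unzipping:
# the zip is executable code pulled over the network. Apache publishes a
# .sha512 (and an .asc signature) next to each artifact; verifying the .asc
# against the TinkerPop KEYS file with gpg is the stronger check.
gremlin_zip=apache-tinkerpop-gremlin-console-3.4.11-bin.zip
gremlin_url="https://archive.apache.org/dist/tinkerpop/3.4.11/${gremlin_zip}"
wget "${gremlin_url}" "${gremlin_url}.sha512"
# Normalise the digest file: it may be "<hex>  <file>" or the wrapped,
# upper-case `gpg --print-md` layout. Either way the digest is a 128-hex run.
expected=$(tr -d ' \n' < "${gremlin_zip}.sha512" | grep -oE '[0-9A-Fa-f]{128}' | head -n1 | tr 'A-F' 'a-f')
actual=$(sha512sum "${gremlin_zip}" | awk '{print $1}')
if [ -n "${expected}" ] && [ "${expected}" = "${actual}" ]; then
  echo "checksum OK"
else
  echo "checksum MISMATCH for ${gremlin_zip} -- do not unzip" >&2
fi
unzip "${gremlin_zip}"
cd apache-tinkerpop-gremlin-console-3.4.11

# Trust anchor for the Neptune endpoint's TLS certificate: the Amazon Trust
# Services root, fetched over HTTPS. Keep the file name in mind — it is .cer,
# and step 7 references it by name from this directory.
wget https://www.amazontrust.com/repository/SFSRootCAG2.cer
# Build a private copy of the JVM trust store and add the root to it. The JVM
# path is derived from the java selected above instead of hard-coding the
# package build number, which changes on every yum update. No sudo is needed:
# /tmp/certs is our own directory and the JVM's cacerts is only read.
mkdir -p /tmp/certs/
java_home=$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")
cp "${java_home}/lib/security/cacerts" /tmp/certs/cacerts
# "changeit" is the JDK's default cacerts password; it guards integrity only —
# a trust store holds public certificates, nothing confidential.
keytool -importcert \
-alias neptune-tests-ca \
-keystore /tmp/certs/cacerts \
-file SFSRootCAG2.cer \
-noprompt \
-storepass changeit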
# conf/neptune-remote.yaml — Gremlin console remote configuration.
# hosts: the cluster (writer) endpoint; replace with your own.
hosts: [cluster01.cluster-xxxxxxxxxxxx.ap-northeast-1.neptune.amazonaws.com]
port: 8182
# TLS on, trusting the private store built in step 5, so the server
# certificate must chain to the root imported there.
# NOTE(review): nothing on this page loads this file — step 7 builds its own
# Cluster inside the console — and the file configures no SigV4 signing, which
# an IAM-auth cluster presumably requires. Confirm before relying on it.
connectionPool: { enableSsl: true, trustStore: /tmp/certs/cacerts }
serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0, config: { serializeResultToString: true }}
# Show the file just written; check the endpoint, trust store path and serializer.
cat conf/neptune-remote.yaml
-- 6. 一時的な認証情報の取得
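# 6. Obtain temporary credentials by assuming role01 (as iamuser) and hand
# them to the Gremlin console through the environment instead of pasting
# them into the console: DefaultAWSCredentialsProviderChain reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN, and anything
# typed into the console is kept in its history file.
# The session token is not optional — STS credentials are rejected without it.
# The session name is what CloudTrail records; use one that identifies the operator.
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN < <(
  aws sts assume-role \
    --role-arn arn:aws:iam::999999999999:role/role01 \
    --role-session-name test \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
)
[ -n "${AWS_SESSION_TOKEN:-}" ] || echo "assume-role failed: no credentials returned" >&2
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# The credentials expire after the role's session duration (one hour by
# default): re-run this step when the console starts failing authentication,
# and `unset` the three variables when finished.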
-- 7. 接続確認
# 7. Start the console from this shell: any AWS_* variables exported here are
# inherited by the console JVM and found by the SDK's default credential chain.
cd apache-tinkerpop-gremlin-console-3.4.11
bin/gremlin.sh
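// Pull the SigV4 signer and the AWS SDK core from Maven Central. These are
// downloaded and executed inside the console JVM without verification; keep
// the versions pinned (as here) and check them against published checksums
// if the host is anything more than a throwaway lab.
:install com.amazonaws amazon-neptune-sigv4-signer 2.4.0
:install com.amazonaws aws-java-sdk-core 1.12.9
// The lines above only need to be executed once to get the dependencies into the console
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain
import com.amazonaws.neptune.auth.NeptuneNettyHttpSigV4Signer
// Do NOT set aws.accessKeyId / aws.secretKey here. The default credential
// chain below already reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY /
// AWS_SESSION_TOKEN from the environment (or ~/.aws/credentials), and anything
// typed into the console is kept in its history file. Key id and secret alone
// are also incomplete for the STS credentials from step 6: a session token is
// required too (aws.sessionToken, if system properties must be used).
//
// Replace [your-cluster] with the cluster endpoint and [Amazon region] with
// its region (ap-northeast-1 on this page); 8182 is the driver's default port.
// TLS is enabled with the Amazon Trust Services root fetched in step 5 — note
// the file is SFSRootCAG2.cer, resolved relative to the console directory
// gremlin.sh was started from.
// Every request must be SigV4-signed because the cluster was created with IAM
// database authentication; the interceptor signs the WebSocket handshake with
// credentials from the default chain.
cluster = Cluster.build("[your-cluster]").
enableSsl(true).keyCertChainFile("SFSRootCAG2.cer").
handshakeInterceptor{ r ->
def sigV4Signer = new NeptuneNettyHttpSigV4Signer("[Amazon region]", new DefaultAWSCredentialsProviderChain())
sigV4Signer.signRequest(r)
return r
}.create()
client = cluster.connect()
// Smoke test: two vertices, one edge, then read them back.
client.submit("g.addV('person').property(id, '1').property('name', 'martin').property('age', 29)")
client.submit("g.addV('person').property(id, '2').property('name', 'vadas').property('age', 27).iterate()")
client.submit("g.V('1').addE('knows').to(g.V('2')).property('weight', 0.5).iterate()")
client.submit("g.V().valueMap()")
client.submit("g.E()")
// Release the connection pool before leaving the console.
client.close()
cluster.close()
:exit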
-- 8. クリーンアップ
-- インスタンスの削除
# 8. Cleanup. Instances go first — the cluster cannot be deleted while it
# still has one. --skip-final-snapshot discards the data irrecoverably; that
# is acceptable for this throwaway lab, but take a final snapshot for real data.
aws neptune delete-db-instance \
--db-instance-identifier instance01 \
--skip-final-snapshot
# Re-run until instance01 no longer appears, then delete the cluster.
aws neptune describe-db-instances
-- クラスターの削除
# Deleting the cluster works without a prior modify step only because it was
# created with --no-deletion-protection in step 1.
aws neptune delete-db-cluster \
--db-cluster-identifier cluster01 \
--skip-final-snapshot
aws neptune describe-db-clusters
-- ロールの一覧
# Locate role01 before removing it. It must have no attached policies before
# delete-role succeeds, hence the detach on the next step.
aws iam list-roles | grep role01
-- ロールの削除
# Detach policy01 first (a role with attached managed policies cannot be
# deleted), then delete the role. After this, iamuser can no longer assume
# role01 and so loses the Neptune access granted in step 4.
aws iam detach-role-policy \
--role-name role01 \
--policy-arn arn:aws:iam::999999999999:policy/policy01
aws iam delete-role --role-name role01
-- ポリシーの一覧
# Find policy01's ARN. A customer managed policy can only be deleted once it is
# detached from every user, group and role (done above for role01).
aws iam list-policies | grep policy01
-- ポリシーの削除
# Delete policy01; with this the only grant to neptune-db:* on cluster01 is gone.
aws iam delete-policy \
--policy-arn arn:aws:iam::999999999999:policy/policy01