Amazon Neptune
User Guide (API Version 2017-11-29)

Prerequisites: IAM Role and Amazon S3 Access

Loading data from an Amazon S3 bucket requires an AWS Identity and Access Management (IAM) role that has access to the bucket. Amazon Neptune assumes this role in order to load the data.

The following sections show how to create an IAM policy and an IAM role, associate the two, and then attach the role to your Neptune cluster.

Note

These instructions require you to have access to the IAM console and permissions to manage IAM roles and policies. For more information, see Permissions for Working in the AWS Management Console in the IAM User Guide.

The Amazon Neptune console requires the user to have the following IAM permissions to attach the role to the Neptune cluster:

  iam:GetAccountSummary on resource: *
  iam:ListAccountAliases on resource: *
  iam:PassRole on resource: *

Creating an IAM Role to Allow Amazon Neptune to Access Amazon S3 resources

After creating an IAM policy to allow Neptune to access Amazon S3 resources, create an IAM role and attach the IAM policy to the new IAM role. Start with an Amazon S3 role and modify it to allow Amazon Neptune.

To create an IAM role to allow Amazon Neptune to access AWS services

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. Under AWS service, choose S3.

  5. Choose Next: Permissions.

  6. Use the filter box to filter by the term S3 and check the box next to AmazonS3ReadOnlyAccess.

    Note

    This policy grants s3:Get* and s3:List* permissions on all buckets in the account. Later steps restrict who can assume the role using the trust policy.

    The loader only requires s3:Get* and s3:List* permissions on the bucket you are loading from, so you can also restrict these permissions to that S3 resource.

    If your S3 bucket is encrypted, you also need to add kms:Decrypt permissions.

  7. Choose Next: Review.

  8. Set Role Name to a name for your IAM role, for example: NeptuneLoadFromS3. You can also add an optional Role Description value, such as: "Allows Neptune to access S3 resources on your behalf."

  9. Choose Create Role.

  10. In the navigation pane, choose Roles.

  11. In the Search field, type the name of the role you created, and choose the role when it appears in the list.

  12. On the Trust Relationships tab, choose Edit trust relationship.

  13. In the text field, paste the following trust policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "rds.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  14. Choose Update trust policy.

  15. Complete the steps in Adding the IAM Role to an Amazon Neptune Cluster.
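As an added example that is not part of this guide, the following Python script builds the scoped-down permission policy that the note in step 6 describes (s3:Get* and s3:List* on one bucket only), adds kms:Decrypt only when a KMS key ARN is supplied, and flags any Allow statement that still uses Resource "*". The bucket name and key ARN are constructed placeholders, and BROAD_READONLY_POLICY is a constructed stand-in for AmazonS3ReadOnlyAccess as the note characterizes it.

```python
import json

# Constructed example values: substitute your own bucket name and KMS key ARN.
BUCKET = "my-neptune-load-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder

# Constructed stand-in for AmazonS3ReadOnlyAccess as the note describes it:
# s3:Get* and s3:List* on every bucket in the account.
BROAD_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllBuckets", "Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}

def loader_permissions_policy(bucket, kms_key_arn=None):
    """Build a permission policy scoped to the single bucket the loader reads from."""
    statements = [{
        "Sid": "NeptuneLoaderReadBucket",
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        # The bucket ARN covers s3:List*; the /* ARN covers s3:Get* on the objects.
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]
    if kms_key_arn:  # only needed when the bucket's objects are KMS-encrypted
        statements.append({"Sid": "NeptuneLoaderDecrypt", "Effect": "Allow",
                           "Action": "kms:Decrypt", "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}

def wildcard_resources(policy):
    """Return the Sids of Allow statements whose Resource is '*' (too broad here)."""
    hits = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

if __name__ == "__main__":
    print(json.dumps(loader_permissions_policy(BUCKET, KMS_KEY_ARN), indent=2))
    print("broad policy wildcard Sids:", wildcard_resources(BROAD_READONLY_POLICY))
```

Paste the printed document as the role's permission policy in place of AmazonS3ReadOnlyAccess; the trust policy from step 13 is unchanged.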

Adding the IAM Role to an Amazon Neptune Cluster

Use the console to add the IAM role to an Amazon Neptune cluster. This allows any Neptune DB instance in the cluster to assume the role and load from Amazon S3.

Note

The Amazon Neptune console requires the user to have the following IAM permissions to attach the role to the Neptune cluster:

  iam:GetAccountSummary on resource: *
  iam:ListAccountAliases on resource: *
  iam:PassRole on resource: *

To add an IAM role to an Amazon Neptune cluster

  1. Sign in to the AWS Management Console, and open the Amazon Neptune console at https://console.aws.amazon.com/neptune/home.

  2. In the navigation pane, choose Clusters.

  3. Choose the radio button next to the cluster you want to modify.

  4. Under Actions, choose Manage IAM roles.

  5. Choose the IAM role you created in the previous section.

  6. Choose Done.

Creating the Amazon S3 VPC Endpoint

The Neptune loader requires a VPC endpoint for Amazon S3.

To set up access for Amazon S3

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the left navigation pane, choose Endpoints.

  3. Choose Create Endpoint.

  4. Choose the Service Name com.amazonaws.region.s3.

    Note

    If the region shown here is not the one you expect, check that the console is set to the correct region.

  5. Choose the VPC that contains your Neptune DB instance.

  6. Select the check box next to the route tables that are associated with the subnets related to your cluster. If you only have one route table, you must select that box.

  7. Choose Create Endpoint.

For information about creating the endpoint, see VPC Endpoints in the Amazon VPC User Guide. For information about the limitations of VPC endpoints, see VPC Endpoints for Amazon S3.

Next Steps

Now that you have granted access to the Amazon S3 bucket, you can prepare to load data. For information about supported formats, see Load Data Formats.