Creating custom IAM policy statements to access data in Amazon Neptune
Neptune data-access policy statements use data-access
actions, resources, and condition keys, all of which are preceded by
a neptune-db: prefix.
Topics
Using query actions in Neptune data-access policy statements
There are three Neptune query actions that can be used in data-access policy
statements, namely ReadDataViaQuery, WriteDataViaQuery,
and DeleteDataViaQuery. A particular query may need permissions to
perform more than one of these actions, and it may not always be obvious what
combination of these actions must be permitted in order to run a query.
Before running a query, Neptune determines the permissions needed to run each step of the query, and combines these into the full set of permissions that the query requires. Note that this full set of permissions includes all actions that the query might perform, which is not necessarily the set of actions that the query actually will perform when it runs over your data.
This means that to permit a given query to run, you must provide permissions for every action that the query could possibly perform, whether or not it actually performs them.
Here are some sample Gremlin queries where this is explained in more detail:
-
g.V().count()g.V()andcount()only require read access, so the query as a whole only requiresReadDataViaQueryaccess. -
g.addV()addV()needs to check whether a vertex with a given ID exists or not before inserting a new one. This means that it requires bothReadDataViaQueryandWriteDataViaQueryaccess. -
g.V('1').as('a').out('created').addE('createdBy').to('a')g.V('1').as('a')andout('created')only require read access, butaddE().from('a')requires both read and write access becauseaddE()needs to read thefromandtovertices and check whether an edge with the same ID already exists before adding a new one. The query as a whole therefore needs bothReadDataViaQueryandWriteDataViaQueryaccess. -
g.V().drop()g.V()only requires read access.drop()needs both read and delete access because it needs to read a vertex or edge before deleting it, so the query as a whole requires bothReadDataViaQueryandDeleteDataViaQueryaccess. -
g.V('1').property(single, 'key1', 'value1')g.V('1')only requires read access, butproperty(single, 'key1', 'value1')requires read, write, and delete access. Here, theproperty()step inserts the key and value if they do not already exist in the vertex, but if they do already exist, it deletes the existing property value and inserts a new value in its place. Therefore, the query as a whole requiresReadDataViaQuery,WriteDataViaQuery, andDeleteDataViaQueryaccess.Any query that contains a
property()step will needReadDataViaQuery,WriteDataViaQuery, andDeleteDataViaQuerypermissions.
Here are some openCypher examples:
-
MATCH (n) RETURN nThis query reads all nodes in the database and returns them, which only requires
ReadDataViaQueryaccess. -
MATCH (n:Person) SET n.dept = 'AWS'This query requires
ReadDataViaQuery,WriteDataViaQuery, andDeleteDataViaQueryaccess. It reads all nodes with the label 'Person' and either adds a new property with the keydeptand valueAWSto them, or if thedeptproperty already exists, it deletes the old value and insertsAWSinstead. Also, if the value to be set isnull,SETdeletes the property altogether.Because the
SETclause may in some cases need to delete an existing value, it always needsDeleteDataViaQuerypermissions as well asReadDataViaQueryandWriteDataViaQuerypermissions. -
MATCH (n:Person) DETACH DELETE nThis query needs
ReadDataViaQueryandDeleteDataViaQuerypermissions. It finds all the nodes with The labelPersonand deletes them along with the edges connected to those nodes and any associated labels and properties. -
MERGE (n:Person {name: 'John'})-[:knows]->(:Person {name: 'Peter'}) RETURN nThis query needs
ReadDataViaQueryandWriteDataViaQuerypermissions. TheMERGEclause either matches a specified pattern or creates it. Since, a write can occur if the pattern is not matched, write permissions are needed as well as read permissions.
