Using service-linked roles (SLRs) in Neptune Analytics

Neptune Analytics graphs use AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Neptune Analytics graphs. Service-linked roles are predefined by Neptune Analytics graphs and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes using Neptune Analytics graphs easier because you don't have to add the necessary permissions manually. Neptune Analytics defines the permissions in its service-linked roles, and unless defined otherwise, only Neptune Analytics graphs can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. You can delete the roles only after first deleting their related resources. This protects your Neptune Analytics graph resources because you can't inadvertently remove the permissions to access the resources.

For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that are marked with Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-linked role permissions for Neptune Analytics Graphs

Neptune Analytics graphs use the service-linked role named AWSServiceRoleForNeptuneGraph to allow them to call AWS services on behalf of your DB clusters.

This service-linked role has an IAM managed permissions policy attached to it named AWSServiceRoleForNeptuneGraphPolicy that grants it permissions to operate in your account. See AWS managed policies for Amazon Neptune. This policy provides read-only access to all Amazon Neptune Analytics resources along with read-only permissions for dependent services, as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GraphMetrics",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": [
            "AWS/Neptune",
            "AWS/Usage"
          ]
        }
      }
    },
    {
      "Sid": "GraphLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/neptune/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "GraphLogEvents",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}

Note

To allow an IAM entity such as a user, group, or role to be able to create, edit, or delete a service-linked role, you must set the appropriate permissions, like this:

{
  "Action": "iam:CreateServiceLinkedRole",
  "Effect": "Allow",
  "Resource": "arn:aws:iam::*:role/aws-service-role/neptune-graph.amazonaws.com/AWSServiceRoleForNeptuneGraph",
  "Condition": {
    "StringLike": {
      "iam:AWSServiceName": "neptune-graph.amazonaws.com"
    }
  }
}

If those permissions have not been set, or have not yet propagated, you may receive the following error message when you try to create a service-linked role:

Unable to create the resource. Verify that you have permission to create service linked role. Otherwise wait and try again later.

For more information, see Service-linked role permissions in the IAM User Guide.
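An added Python example, not AWS code, that evaluates the two policies quoted above offline with a minimal model of IAM Allow statements (Action and Resource wildcards, StringEquals and StringLike conditions, and the ${aws:PrincipalAccount} variable, which is all these policies use). It makes visible what the AWSServiceRoleForNeptuneGraphPolicy statements actually grant (metric writes only into the AWS/Neptune and AWS/Usage namespaces, log groups and streams only under /aws/neptune/ and only in the same account) and that iam:CreateServiceLinkedRole is granted only for the neptune-graph.amazonaws.com service name. It assumes the policy texts transcribed from this page and an Allow-only model; Deny, NotAction and other condition operators are deliberately out of scope, and the account IDs and ARNs used to exercise it are constructed.

```python
import fnmatch

# Permissions policy attached to AWSServiceRoleForNeptuneGraph, transcribed from this page.
SLR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "GraphMetrics", "Effect": "Allow", "Action": ["cloudwatch:PutMetricData"],
     "Resource": "*", "Condition": {"StringEquals": {"cloudwatch:namespace": ["AWS/Neptune", "AWS/Usage"]}}},
    {"Sid": "GraphLogGroup", "Effect": "Allow", "Action": ["logs:CreateLogGroup"],
     "Resource": ["arn:aws:logs:*:*:log-group:/aws/neptune/*"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "GraphLogEvents", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
     "Resource": ["arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}}]}

# Permission an operator needs to create the SLR, transcribed from the Note on this page.
CREATE_SLR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/neptune-graph.amazonaws.com/AWSServiceRoleForNeptuneGraph",
     "Condition": {"StringLike": {"iam:AWSServiceName": "neptune-graph.amazonaws.com"}}}]}

_as_list = lambda value: value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    # Only StringEquals / StringLike occur in these policies; anything else fails closed.
    # A missing context key makes the condition false, as in IAM; ${aws:PrincipalAccount} comes from ctx.
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = [w.replace("${aws:PrincipalAccount}", ctx.get("aws:PrincipalAccount", ""))
                      for w in _as_list(wanted)]
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringLike" and not any(fnmatch.fnmatchcase(actual, w) for w in wanted):
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    # Allow-only model: IAM's * and ? wildcards behave like fnmatch's; Deny is not modelled.
    for stmt in policy["Statement"]:
        acts, ress = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if (stmt.get("Effect") == "Allow"
                and any(fnmatch.fnmatchcase(action, a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in ress)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            return True
    return False
```

Any request the role could make outside these namespaces, log-group prefixes or the principal's own account evaluates to False, which is the scope a reviewer should expect from the JSON above.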

Creating a service-linked role for Neptune Analytics

You don't have to create a service-linked role manually for Neptune Analytics. When you create a graph, Neptune Analytics automatically creates the service-linked role for you.

Editing a service-linked role for Neptune Analytics

Neptune Analytics doesn't allow you to edit the AWSServiceRoleForNeptuneGraph service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference it. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role

If you no longer need to use a feature or service that requires a service-linked role, it's best to delete that role so you don't have an unused entity that is not actively monitored or maintained.

However, before you can delete the service-linked role, you must first confirm that the role has no active sessions, and remove any resources that it uses.

To check whether a service-linked role has an active session in the IAM console
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the IAM console, choose Roles. Then choose the name (not the check box) of the AWSServiceRoleForNeptuneGraph role.

  3. On the Summary page for the chosen role, choose the Access Advisor tab.

Note

If you are unsure whether Neptune Analytics is using the AWSServiceRoleForNeptuneGraph role, you can try to delete the role. If the service is using the role, then the deletion fails and you can view the AWS Regions where the role is being used. If the role is being used, then you must wait for the session to end before you can delete the role. You cannot revoke the session for a service-linked role.

To delete your clusters so that you can delete AWSServiceRoleForNeptuneGraph
  1. Open the Neptune console at https://console.aws.amazon.com/neptune/.

  2. In the navigation pane, choose Graphs.

  3. Choose a cluster that you want to delete.

  4. For Actions, choose Delete.

  5. If you are prompted to Create final Snapshot?, choose Yes or No. If you choose Yes, enter the name of your final snapshot for Final snapshot name.

  6. Choose Delete.

You can use the IAM console, the IAM CLI, or the IAM API to delete the AWSServiceRoleForNeptuneGraph service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.
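The deletion step through the IAM API, as an added Python example (not AWS code): it starts deletion of AWSServiceRoleForNeptuneGraph with DeleteServiceLinkedRole, polls GetServiceLinkedRoleDeletionStatus, and, when deletion fails because the role is still in use, returns the Regions named in the failure reason, which is the same information the Note above says the console shows. It assumes your graphs have already been deleted as described above, and that boto3 and credentials are present only when the script is run for real (the status-interpretation helper is pure and runs offline); the task id and response values in the comments are constructed placeholders.

```python
import time

ROLE_NAME = "AWSServiceRoleForNeptuneGraph"

def summarize_deletion_status(resp):
    # Map a GetServiceLinkedRoleDeletionStatus response to (status, regions_in_use).
    # On FAILED, Reason.RoleUsageList names the Regions where the role is still in use;
    # per the page you then wait for those sessions to end, since they cannot be revoked.
    status = resp["Status"]
    usage = resp.get("Reason", {}).get("RoleUsageList", [])
    regions = sorted({u["Region"] for u in usage if u.get("Region")})
    return status, regions

def delete_slr(iam, poll_seconds=5, attempts=12):
    # Start the deletion task (e.g. DeletionTaskId "task/constructed-id"), then poll
    # until IAM reports a terminal status. Raises NoSuchEntity if the role is absent.
    task_id = iam.delete_service_linked_role(RoleName=ROLE_NAME)["DeletionTaskId"]
    for _ in range(attempts):
        status, regions = summarize_deletion_status(
            iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id))
        if status in ("SUCCEEDED", "FAILED"):
            return status, regions
        time.sleep(poll_seconds)
    return "TIMEOUT", []

if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay importable without boto3
    status, regions = delete_slr(boto3.client("iam"))
    if status == "FAILED" and regions:
        print(f"{ROLE_NAME} is still in use in {', '.join(regions)}: delete the graphs there, then retry")
    else:
        print(f"{ROLE_NAME}: {status}")
```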
