IAM role cannot access Neptune cluster even when rds:DescribeDBClusters is added to the policy

[ShruthiVEth]

When executing neptune-export with a java project, IAM role of the ECS is not able to access the neptune cluster with the below error. I have attached the below policy to the IAM role but still see the same error. How do I set up neptune export to look for one specific cluster instead of cluster:*?

An error occurred while exporting from Neptune: User: arn:aws:sts::xxxxxxxxxx:assumed-role/ecs-task-v2/xxxxxxxxxx is not authorized to perform: rds:DescribeDBClusters on resource: arn:aws:rds:us-east-1:xxxxxxxxxx:cluster:* because no identity-based policy allows the rds:DescribeDBClusters action (Service: AmazonNeptune; Status Code: 403; Error Code: AccessDenied;

Policy: {
    "Version": "",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstances",
                "rds:ListTagsForResource"
            ],
            "Effect": "Allow",
            "Resource": [
                "Arn:aws:rds:us-east-1:xxxxxxxxxx:db:neptune”
            ],
            "Sid": "AllowSpecificRDS1"
        },
        {
            "Action": [
                "rds:DescribeDBClusters",
                "rds:ListTagsForResource",
                "rds:DescribeDBClusterParameters"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:rds:us-east-1:xxxxxxxxxxcluster:neptune-cluster"
            ],
            "Sid": "AllowSpecificRDS2"
        }
    ]
}

[Cole-Greer]

Hi @ShruthiVEth,
I will be looking into this. Could you confirm that the second "resource arn" in your IAM policy matches the resource arn listed in the 403 error?

[ShruthiVEth]

Hi @Cole-Greer, the arn in the error is missing the cluster name. It has * instead.

[Cole-Greer]

Thanks @ShruthiVEth, could you share a (redacted) example of the command you are using to invoke Neptune Export?

One observation I have noted is that export appears to be calling rds:DescribeDBClusters on resource: arn:aws:rds:<region>:<account>:cluster:* when run with --endpoint <neptune-endpoint> but if run using --cluster-id <neptune-cluster-id> instead, it will call rds:DescribeDBClusters on resource: arn:aws:rds:<region>:<account>:cluster:<neptune-cluster-id>. I need to look into this further to see if the required permissions can be tightened with --endpoint. Perhaps switching to a cluster-id based command can unblock you in the meantime.