Amazon Neptune

Learn how to add Amazon Neptune as a resource in StrongDM using either access and secret keys or IAM.

Overview

This guide describes how to add an Amazon Neptune graph database as a datasource in StrongDM using either access keys or AWS IAM for authentication.

When the resource is added, StrongDM proxies client connections through a node (gateway, relay, or proxy cluster). This enables centralized access control, credential management, and audit logging. StrongDM supports standard Neptune client connections over HTTPS using the Gremlin or SPARQL protocols.

To add this datasource, you will need the Neptune cluster endpoint, port, and authentication details (if required). Optionally, you can store credentials in a supported secrets manager and reference them in StrongDM.

TLS is supported and recommended for secure connections. Ensure that your StrongDM nodes can reach the Neptune cluster endpoint on the appropriate port.

By default, Neptune access is unauthenticated, with the assumption that anything inside the VPC that can connect to the cluster can connect to the Neptune API. However, Amazon also offers an IAM-based configuration. Both configurations are fully supported by StrongDM, and you can choose which type when selecting a datasource type. Both configurations are detailed in the sections that follow.

Use this guide to complete all necessary preparations to add this resource to your StrongDM environment; input the correct properties in the Admin UI, CLI, SDKs, or Terraform provider; and test for a successful connection. Once configured, you can use StrongDM to connect client applications to Amazon Neptune through your chosen interface.

For general information about how to add a database as a resource in StrongDM, see our main guide, Add a Datasource.

Supported Versions and Clients

StrongDM supports Amazon Neptune clusters running supported Neptune engine versions, including connections via Gremlin and SPARQL.

Clients include, but are not limited to:

Gremlin Console
Apache TinkerPop-compatible clients
SPARQL 1.1 query tools and libraries

StrongDM does not modify the Neptune wire protocols. Any client compatible with Neptune’s Gremlin or SPARQL endpoints can connect through StrongDM.

Prerequisites

Before adding Amazon Neptune as a datasource in StrongDM, ensure the following requirements are met.

In StrongDM, you must have the following:

Administrator permission level
At least one StrongDM node (gateway, relay, or proxy cluster) deployed in a location that can reach the Neptune cluster endpoint (default port: 8182)
If using secrets management tools for storing your credentials, a Secret Store configured in StrongDM

To verify that the resource is accessible by the node, log in to the gateway or relay and use Netcat: nc -zv <HOSTNAME> <PORT> (in this example, nc -zv testdb-01.fancy.org 3306). If your gateway server can connect to this hostname, proceed.

Netcat is a tool for checking various hostnames and ports by either sending data (a ping) or checking for listeners on the ports. The command in the aforementioned example use "-z" to check for listeners without sending data and "-v" to show verbose output. If you don't have Netcat, you can install the Netcat package with whatever package manager you are using, such as "apt-get install netcat".

On the AWS side, you must have the following:

Amazon Neptune cluster deployed and available
Appropriate VPC and security group settings that allow inbound traffic from StrongDM nodes to the cluster
Any required database users or authentication mechanisms configured in Neptune

Resource Setup

Some setup steps are required to prepare a Neptune (IAM) resource to receive connections via StrongDM.

The AWS administrator should enable IAM authentication for the target Neptune resource in the AWS Management Console. This can be done at creation, or be modified at a later time. This is done by locating the Database authentication setting and choosing the option Password and IAM database authentication.
A Neptune administrator needs to log in to the database and create a user for use with StrongDM.
Finally, the AWS administrator needs to add an IAM policy to the IAM role that is attached to the gateway or relay to allow access, as in the example shown.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:cluster-ABCDEFGHIJKL01234/db_userx"
         ]
      }
   ]
}

For further help, consult the AWS Neptune IAM documentation.

Resource Management in StrongDM

After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

Set up and Manage With the Admin UI

If using the Admin UI to add Neptune as a resource to StrongDM, use the following steps.

Log in to the StrongDM Admin UI.
Go to Resources > Datasources.
Click Add datasource.
Select Neptune or Neptune (IAM) as the Datasource Type and set other configuration properties for your new database resource.
Complete all required fields.
Click Create to save the resource.
Click the resource name to Click the resource name to view status, diagnostic information, and setting details.

Set up and Manage With the CLI

This section provides an example of how to add the resource using the StrongDM CLI. For more information and examples, please see the CLI Reference documentation.

# Add Amazon Neptune datasource
sdm admin datasources add amazonneptune my-neptune-cluster
  --hostname="my-neptune-cluster.cluster-abcdefghijkl.us-east-1.neptune.amazonaws.com"
  --port=8182
  --tls-required
  --bind-interface="127.0.0.1"
  --egress-filter="tag:env=prod"
  --port-override="-1"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="neptune-prod"
  --tags="env=production,team=graphdb"

# Add Amazon Neptune (IAM) datasource
sdm admin datasources add neptuneiam my-neptune-iam-cluster
  --endpoint="my-neptune-cluster.cluster-abcdefghijkl.us-east-1.neptune.amazonaws.com"
  --region="us-east-1"
  --port=8182
  --tls-required
  --bind-interface="127.0.0.1"
  --egress-filter="tag:env=prod"
  --port-override="-1"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="neptune-iam-prod"
  --tags="env=production,team=graphdb"
  --role-arn="arn:aws:iam::123456789012:role/NeptuneAccessRole"
  --role-external-id="external-id-optional"

Set up and Manage With Terraform

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the Terraform provider documentation.

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Amazon Neptune resource
resource "sdm_amazonneptune" "neptune_prod" {
  name             = "neptune-prod"
  hostname         = "my-neptune-cluster.cluster-abcdefghijkl.us-east-1.neptune.amazonaws.com"
  port             = 8182

  tls_required     = true
  bind_interface   = "127.0.0.1"
  egress_filter    = "tag:env=prod"
  port_override    = 12345
  proxy_cluster_id = "n-1a2b345c67890123"
  secret_store_id  = "se-e1b2"
  subdomain        = "neptune-prod"
  tags = {
    env  = "production"
    team = "graphdb"
  }
}

# Create Amazon Neptune (IAM) resource
resource "sdm_neptuneiam" "neptune_iam_prod" {
  name     = "neptune-iam-prod"
  endpoint = "my-neptune-cluster.cluster-abcdefghijkl.us-east-1.neptune.amazonaws.com"
  region   = "us-east-1"
  port     = 8182

  # IAM options (choose one approach)
  # 1. Use an assumed IAM role
  role_arn         = "arn:aws:iam::123456789012:role/NeptuneAccessRole"
  role_external_id = "external-id-optional"

  # 2. Or supply static AWS credentials (optional alternative, not recommended for production)
  # access_key        = "AKIAEXAMPLE"
  # secret_access_key = "secretKeyExample123"

  # Networking / routing
  bind_interface   = "127.0.0.1"
  egress_filter    = "tag:env=prod"
  port_override    = 12345
  proxy_cluster_id = "n-1a2b345c67890123"

  # Secrets / metadata
  secret_store_id = "se-e1b2"
  subdomain       = "neptune-iam-prod"
  tags = {
    env  = "production"
    team = "graphdb"
  }
}

Configuration Properties

The following configuration properties are required to define an Amazon Neptune or Amazon Neptune (IAM) datasource in StrongDM. These settings control how StrongDM connects to the resource, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM.

Amazon Neptune Properties

If you use the Neptune datasource type, you will have the following fields.

Property

Requirement

Description

Display Name

Required

Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)

Datasource Type

Required

Neptune

Proxy Cluster

Required

Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource

Endpoint

Required

Endpoint (for example, <ENDPOINT>.<REGION>.neptune.amazonaws.com); must be accessible to a gateway or relay

Port

Optional

Port to connect to the service; default port value is 8182

Connectivity Mode

Required

Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system

IP Address

Optional

If Virtual Networking Mode is the selected connectivity mode, an IP address value in the range 100.64.0.1 to 100.127.255.252 (default 100.64.100.100); optionally change the default value for Virtual Networking Mode to your preferred IP address value, as long as it's a valid IP address defined by your organization settings; edit either on this form or later on the Admin UI's Port Overrides page after the resource is created; if Loopback Mode is the selected connectivity mode, the IP address value must be within the range of 127.0.0.1 to 127.0.0.34

Port Override

Optional

If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource; when left empty, the system assigns the default port to this resource; preferred port also can be modified later from the Port Overrides settings

DNS

Optional

If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)

Resource Tags

Optional

Datasource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Amazon Neptune (IAM) Properties

If you use the Neptune (IAM) datasource type, you will have the following fields.

Property

Requirement

Description

Display Name

Required

Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)

Datasource Type

Required

Neptune (IAM)

Proxy Cluster

Required

Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource

Endpoint

Required

Endpoint (for example, <ENDPOINT>.<REGION>.neptune.amazonaws.com); must be accessible to a gateway or relay

Port

Optional

Port to connect to the service; default port value is 8182

Connectivity Mode

Required

IP Address

Optional

If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization

Port Override

Optional

If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings

DNS

Optional

Region

Required

AWS region (for example, us-east-1)

Secret Store

Optional

Credential store location; defaults to Strong Vault; learn more about [Secret Store#secret-store-options) options

Access Key ID

Optional

Access key ID, such as AKIAIOSFODNN7EXAMPLE, from your AWS key pair; if the IAM role on the node is used for authentication, do not set the access key ID

Secret Access Key

Optional

Secret access key, such as wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, from your AWS key pair; ; if the IAM role on the node is used for authentication, do not set the secret access key

AWS S3 Output Location

Required

Amazon S3 output location (for example, s3://aws-athena-query-results-123456789012-us-east-1/MyInsertQuery/2021/10/04/abc1234d-5efg-67hi-jklm-89n0op12qr34)

Assume Role ARN

Optional

Role ARN, such as arn:aws:iam::000000000000:role/RoleName, that allows users accessing this resource to assume a role using AWS AssumeRole functionality

Assume Role ARN (path)

Optional

If Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName); the key argument is optional

Assume Role External ID

Optional

External ID role to assume after login (for example 12345)

Assume Role External ID (path)

Optional

If Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName); the key argument is optional

Resource Tags

Optional

Datasource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

Test the Connection

After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly.

Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to Access > Roles, and ensure that your user or role is assigned to the Neptune resource.
In the CLI, run sdm status to list the available datasources. Ensure that the Neptune resource appears in your list of accessible datasources.
Connect through StrongDM, as in the following example:
```
sdm connect neptune-prod
```
See the CLI Reference documentation for details on sdm connect.

Use Gremlin Console or another supported client to send a simple query. For example:

gremlin> :remote connect tinkerpop.server conf/remote.yaml
gremlin> g.V().limit(1)

connection.close()

In the StrongDM Admin UI, check Logs > Queries (and Logs > Connections) to confirm your session and requests are logged.
If you set TLS required on the resource, confirm that the connection negotiates TLS successfully.

When these steps succeed, you’re ready to connect to your resource through StrongDM.

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

Resource name or ID
CLI error output or logs
Node name and region
Timestamps of failed attempts

Last updated 9 days ago

Was this helpful?

Overview

Supported Versions and Clients

Prerequisites

Resource Setup

Resource Management in StrongDM

Set up and Manage With the Admin UI

Set up and Manage With the CLI

Set up and Manage With Terraform

Set up and manage with SDKs

Configuration Properties

Amazon Neptune Properties

Amazon Neptune (IAM) Properties

Secret Store options

Resource status

Test the Connection

Help