Fetching data from 2 different AWS Neptune clusters with different IAM authentication

Question

I have a requirement where I want to fetch the data from 2 different AWS neptune endpoints, which are configured with different IAM roles/users. I will be having different access key and secret key for both the users. As per document "https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth-connecting-gremlin-java.html", we need to set access key and secret key as system properties.

So is the below way is correct to fetch data from 2 clusters.

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.neptune.auth.NeptuneNettyHttpSigV4Signer;
import com.amazonaws.neptune.auth.NeptuneSigV4SignerException;

 ...

System.setProperty("aws.accessKeyId","your-access-key1");
System.setProperty("aws.secretKey","your-secret-key1");

 ...

Cluster1 = Cluster.build((your cluster name1))
                 .enableSsl(true)
                 .handshakeInterceptor( r ->
                  {
                    try {
                      NeptuneNettyHttpSigV4Signer sigV4Signer =
                        new NeptuneNettyHttpSigV4Signer("(your region)", new DefaultAWSCredentialsProviderChain());
                      sigV4Signer.signRequest(r);
                    } catch (NeptuneSigV4SignerException e) {
                      throw new RuntimeException("Exception occurred while signing the request", e);
                    }
                    return r;
                  }
       
          ).create();
          
          
     ...

System.setProperty("aws.accessKeyId","your-access-key2");
System.setProperty("aws.secretKey","your-secret-key2");

 ...

Cluster2 = Cluster.build((your cluster name2))
                 .enableSsl(true)
                 .handshakeInterceptor( r ->
                  {
                    try {
                      NeptuneNettyHttpSigV4Signer sigV4Signer =
                        new NeptuneNettyHttpSigV4Signer("(your region)", new DefaultAWSCredentialsProviderChain());
                      sigV4Signer.signRequest(r);
                    } catch (NeptuneSigV4SignerException e) {
                      throw new RuntimeException("Exception occurred while signing the request", e);
                    }
                    return r;
                  }
       
          ).create();
              
          
          
try {
  Client client2 = Cluster2.connect();
  client2.submit("g.V().has('code','IAD')").all().get();
} catch (Exception e) {
  throw new RuntimeException("Exception occurred while connecting to cluster", e);
}

Answer 1

The NeptuneNettyHttpSigV4Signer has a constructor like:

public NeptuneNettyHttpSigV4Signer(
        final String regionName, 
        final AWSCredentialsProvider awsCredentialsProvider)

The example in the Neptune documentation shows the most common and easy AWSCredentialsProvider to use (DefaultAWSCredentialsProviderChain) which among other things will check those system properties for credentials. In your case you have two different signings to do so using a system property probably isn't the best approach as multi-threaded environments will run into issues when reading and writing them.

It would be better if you supplied a different AWSCredentialsProvider for this case, one that specifically provided credentials for each cluster. You can see all the options available to you in the javadocs. Perhaps the most analogous approach to the code you're using would be to do:

NeptuneNettyHttpSigV4Signer sigV4Signer = new AWSStaticCredentialsProvider(
"(your region)", 
new BasicAWSCredentials("<access-key>","<secret-key>"));

Of course, we're hardcoding credentials here so you might want to try an implementation that suits your case. The AWSCredentialsProvider is easy enough to implement yourself for custom solutions as well.