Minimum Required Permissions?

Folcon · June 28, 2019, 8:17am

I’m surprised to find that the generated policies don’t appear to have sufficient permissions to complete the tutorial?

Specifically the datomic-code-{region} and datomic-admin-... policies.

Attempting:

clojure -Adev -m datomic.ion.dev '{:op :push :uname "app-test"}'

Throws an s3 permissions error, unfortunately it doesn’t tell me which permission is missing, so other than toggling permissions until it succeeds, I might just need to give it broad s3 permissions.

Similarly:

clojure -Adev -m datomic.ion.dev '{:op :deploy-status, :execution-arn arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872}'

{:command-failed
 "{:op :deploy-status, :execution-arn arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872}",
 :causes
 ({:message
   "User: arn:aws:iam::705184605083:user/datomic-user is not authorized to perform: states:DescribeExecution on resource: arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872 (Service: AWSStepFunctions; Status Code: 400; Error Code: AccessDeniedException; Request ID: 9373a47b-997a-11e9-8a47-4dc94c90a952)",
   :class AWSStepFunctionsException})}

To which I’ve just given AWSStepFunctionsConsoleFullAccess for the moment.

marshall · July 1, 2019, 4:15pm

As indicated in the Prerequisites section of the Ions tutorial, you need to have Administrator permissions to perform ion push/deploy.
We hope to provide a more fine-grained permission for this in the future and I will update this thread when/if we do have that available.

category · August 17, 2020, 8:17am

Just confirming that this is still the case?

Are administrator permissions required for an application to connect to datomic cloud?

marshall · August 17, 2020, 2:01pm

You do not require AWS Administrator permissions for your application to connect. You should use the “Datomic Admin” policy that is created by the Datomic system for your client applications: https://docs.datomic.com/cloud/operation/access-control.html

category · August 17, 2020, 2:28pm

Sorry, to be clear - the question here is: are Datomic Admin permissions required for an application to connect to Datomic Cloud?

marshall · August 17, 2020, 2:56pm

Yes, the Datomic Admin policy is the recommended way to grant access to a Datomic system to an application.

Topic		Replies	Views
Ion deploy fails due to Access Denied Troubleshooting	9	3132	August 31, 2020
IAM permissions to access s3://datomic-releases-1f2183a? Datomic Cloud	1	878	February 26, 2019
Ions Tutorial: Comments Troubleshooting	3	2608	July 14, 2020
Ions push/deployments automation issues Datomic Applications	4	1984	May 18, 2019
Push fails by not finding an artifact in S3 Troubleshooting	5	1477	July 5, 2019

Minimum Required Permissions?

Related topics