Minimum Required Permissions?

I’m surprised to find that the generated policies don’t appear to have sufficient permissions to complete the tutorial?

Specifically the datomic-code-{region} and datomic-admin-... policies.

Attempting:

clojure -Adev -m datomic.ion.dev '{:op :push :uname "app-test"}'

Throws an S3 permissions error; unfortunately it doesn’t tell me which permission is missing, so other than toggling permissions until it succeeds, I might just need to give it broad S3 permissions.

Similarly:

clojure -Adev -m datomic.ion.dev '{:op :deploy-status, :execution-arn arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872}'

{:command-failed
 "{:op :deploy-status, :execution-arn arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872}",
 :causes
 ({:message
   "User: arn:aws:iam::705184605083:user/datomic-user is not authorized to perform: states:DescribeExecution on resource: arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872 (Service: AWSStepFunctions; Status Code: 400; Error Code: AccessDeniedException; Request ID: 9373a47b-997a-11e9-8a47-4dc94c90a952)",
   :class AWSStepFunctionsException})}

To which I’ve just given AWSStepFunctionsConsoleFullAccess for the moment.
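The Step Functions error quoted above, unlike the S3 one, names the exact principal, action and resource that were denied. The following is an added example (not part of the original post, and not Datomic tooling) that parses AWS `AccessDeniedException` messages of that shape and turns each denied action into a scoped IAM `Allow` statement, so a missing permission can be granted for one action on one resource rather than with a broad managed policy. It only works where the service names the denied action in its message; the sample message is the one from the thread, copied here as constructed input.

```python
import json
import re

# Constructed sample: the Step Functions AccessDeniedException quoted in the post above.
SAMPLE_MESSAGE = (
    "User: arn:aws:iam::705184605083:user/datomic-user is not authorized to perform: "
    "states:DescribeExecution on resource: "
    "arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872 "
    "(Service: AWSStepFunctions; Status Code: 400; Error Code: AccessDeniedException; "
    "Request ID: 9373a47b-997a-11e9-8a47-4dc94c90a952)"
)

# Matches the common "User: <arn> is not authorized to perform: <svc:Action> on resource: <arn>"
# wording; the resource part is optional because some services omit it.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)


def parse_access_denied(message):
    """Return {'principal', 'action', 'resource'} from an access-denied message, or None."""
    match = DENIED_RE.search(message)
    if match is None:
        return None
    return {
        "principal": match.group("principal"),
        "action": match.group("action"),
        "resource": match.group("resource"),  # None when the service did not name one
    }


def least_privilege_policy(messages):
    """Build an IAM policy document allowing exactly the actions these messages report as denied.

    Resources are grouped per action; a message with no resource falls back to "*" for that
    action only, which is still narrower than a full-access managed policy.
    """
    by_action = {}
    for message in messages:
        denial = parse_access_denied(message)
        if denial is None:
            continue  # not an access-denied message we understand; leave it for manual review
        by_action.setdefault(denial["action"], set()).add(denial["resource"] or "*")

    statements = []
    for action, resources in sorted(by_action.items()):
        statements.append({
            "Sid": re.sub(r"\W", "", action),  # IAM Sids must be alphanumeric
            "Effect": "Allow",
            "Action": [action],
            "Resource": sorted(resources),
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Feed every denied-message line collected from failed runs; here just the sample.
    print(json.dumps(least_privilege_policy([SAMPLE_MESSAGE]), indent=2))
```

Running this on the thread's message yields a single statement allowing `states:DescribeExecution` on the one execution ARN. Iterating this over each new denial keeps the resulting policy at the set of actions the tooling actually calls, which is the record you would want even if, as the tutorial prerequisites state, push/deploy is run with administrator permissions.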

As indicated in the Prerequisites section of the Ions tutorial, you need to have Administrator permissions to perform ion push/deploy.
We hope to provide a more fine-grained permission for this in the future and I will update this thread when/if we do have that available.


Just confirming that this is still the case?

Are administrator permissions required for an application to connect to datomic cloud?

You do not require AWS Administrator permissions for your application to connect. You should use the “Datomic Admin” policy that is created by the Datomic system for your client applications: https://docs.datomic.com/cloud/operation/access-control.html

Sorry, to be clear - the question here is: are Datomic Admin permissions required for an application to connect to Datomic Cloud?

Yes, the Datomic Admin policy is the recommended way to grant access to a Datomic system to an application.