Minimum Required Permissions?

I’m surprised to find that the generated policies don’t appear to have sufficient permissions to complete the tutorial?

Specifically the datomic-code-{region} and datomic-admin-... policies.

Attempting:

clojure -Adev -m datomic.ion.dev '{:op :push :uname "app-test"}'

Throws an S3 permissions error. Unfortunately it doesn’t tell me which permission is missing, so other than toggling permissions until it succeeds, I might just need to give it broad S3 permissions.

Similarly:

clojure -Adev -m datomic.ion.dev '{:op :deploy-status, :execution-arn arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872}'

{:command-failed
 "{:op :deploy-status, :execution-arn arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872}",
 :causes
 ({:message
   "User: arn:aws:iam::705184605083:user/datomic-user is not authorized to perform: states:DescribeExecution on resource: arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872 (Service: AWSStepFunctions; Status Code: 400; Error Code: AccessDeniedException; Request ID: 9373a47b-997a-11e9-8a47-4dc94c90a952)",
   :class AWSStepFunctionsException})}

To which I’ve just given AWSStepFunctionsConsoleFullAccess for the moment.

As indicated in the Prerequisites section of the Ions tutorial, you need to have Administrator permissions to perform ion push/deploy.
We hope to provide a more fine-grained permission for this in the future and I will update this thread when/if we do have that available.

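An added example, not part of the thread and not Datomic's code: when an AccessDeniedException names the action and resource, as the states:DescribeExecution error above does, the message can be turned into a scoped IAM statement rather than attaching a broad managed policy. The sample message, account id and state machine name are constructed, the helper names are hypothetical, and the output covers only the denials it is given; it is not a complete permission set for ion push/deploy.

```python
import json
import re

# Shape of the message quoted in the thread:
# "User: <principal> is not authorized to perform: <action> on resource: <arn> (...)"
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

def parse_denials(text):
    """Return the unique (principal, action, resource) triples found in text."""
    seen = []
    for m in DENIED.finditer(text):
        triple = (m["principal"], m["action"], m["resource"] or "*")
        if triple not in seen:
            seen.append(triple)
    return seen

def widen_execution_arn(arn):
    """Step Functions execution ARNs end in a per-run name; scope to all runs
    of that state machine instead of one run. Other ARNs pass through."""
    parts = arn.split(":")
    if len(parts) == 8 and parts[2] == "states" and parts[5] == "execution":
        return ":".join(parts[:7] + ["*"])
    return arn

def policy_for(denials):
    """Build one IAM statement per resource, listing only the denied actions."""
    by_resource = {}
    for _, action, resource in denials:
        by_resource.setdefault(widen_execution_arn(resource), set()).add(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": res}
            for res, actions in sorted(by_resource.items())
        ],
    }

# Constructed sample: placeholder account id and names, same shape as the thread's error.
SAMPLE = (
    "User: arn:aws:iam::123456789012:user/datomic-user is not authorized to perform: "
    "states:DescribeExecution on resource: arn:aws:states:eu-west-1:123456789012:"
    "execution:example-machine:example-app-test-1 (Service: AWSStepFunctions; "
    "Status Code: 400; Error Code: AccessDeniedException; Request ID: constructed)"
)

if __name__ == "__main__":
    print(json.dumps(policy_for(parse_denials(SAMPLE)), indent=2))
```

Errors that do not name the action, like the S3 error described in the question, give this approach nothing to parse.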