Minimum Required Permissions?

I’m surprised to find that the generated policies don’t appear to have sufficient permissions to complete the tutorial?

Specifically the datomic-code-{region} and datomic-admin-... policies.


clojure -Adev -m '{:op :push :uname "app-test"}'

Throws an s3 permissions error, unfortunately it doesn’t tell me which permission is missing, so other than toggling permissions until it succeeds, I might just need to give it broad s3 permissions.


clojure -Adev -m '{:op :deploy-status, :execution-arn arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872}'

 "{:op :deploy-status, :execution-arn arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872}",
   "User: arn:aws:iam::705184605083:user/datomic-user is not authorized to perform: states:DescribeExecution on resource: arn:aws:states:eu-west-1:705184605083:execution:{name}{name}-app-test-1561708638872 (Service: AWSStepFunctions; Status Code: 400; Error Code: AccessDeniedException; Request ID: 9373a47b-997a-11e9-8a47-4dc94c90a952)",
   :class AWSStepFunctionsException})}

To which I’ve just given AWSStepFunctionsConsoleFullAccess for the moment.

As indicated in the Prerequisites section of the Ions tutorial, you need to have Administrator permissions to perform ion push/deploy.
We hope to provide a more fine-grained permission for this in the future and I will update this thread when/if we do have that available.


Just confirming that this is still the case?

Are administrator permissions required for an application to connect to datomic cloud?

You do not require AWS Administrator permissions for your application to connect. You should use the “Datomic Admin” policy that is created by the Datomic system for your client applications:

Sorry, to be clear - the question here is: are Datomic Admin permissions required for an application to connect to Datomic Cloud?

Yes, the Datomic Admin policy is the recommended way to grant access to a Datomic system to an application.