Access Control

A Datomic Administrator has permission to use all Client API and CLI functions. An Administrator can

• create, list, and delete Datomic databases
• read and write data for all Datomic databases within an account
• manage the access gateway (Datomic 781-9041 and lower)

All Datomic permissions are implemented via S3 read and write permissions on a System's S3 buckets. The IAM policy below demonstrates all the permissions needed to be administrator on a Datomic system:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "$(S3DatomicArn)/$(SystemName)/datomic/access/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "$(S3DatomicArn)/$(SystemName)/datomic/access/public-keys/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeInstances",
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:RebootInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ec2:ResourceTag/datomic:system": "$(SystemName)"
              }
           }
        }
    ]
}

The s3:GetObject permission provides read, write, create, and delete access for all dbs in the specified system, the s3:PutObject permission allows the user to install access gateway keys, and the ec2:DescribeInstances permission allows the user to query for the public IP of the access gateway.

The built-in Administrator and PowerUser policies in IAM have all the permissions listed above; therefore all AWS Administrators and Power Users are also Datomic Administrators.

A GET request on the client endpoint will return a map with an :s3-auth-path. The value of :s3-auth-path is the location of the signing keys managed by Datomic Cloud. A user will only be able to create a client if they have IAM permissions for GetObject on the bucket listed in :s3-auth-path.

All Client API requests to Datomic Cloud use SSL, and authenticate via AWS HMAC-SHA256 signatures.

Users never interact with Client API signing keys, either during development or in production. Datomic Cloud manages the signing keys, which are stored in S3. Clients and tools run with IAM permission to read the keys when needed, but the keys themselves never appear in code or in configuration files. This reduces the likelihood of common problems such as inadvertently publishing credentials in source control.

Ion applications may need specific IAM permissions beyond those needed by Datomic itself. For example, your application might want to read from an S3 bucket, or send a message to an SNS queue.

Datomic Cloud lets you grant these permissions via IAM in such a way that your app:

• never mentions AWS credentials
• never has "dev vs. prod" conditional logic

To authorize ions to use AWS resources, follow the following four steps:

• in your program, always create AWS clients using the default credentials provider chain.
• create an IAM policy with the permissions your code needs
• add the policy to your Datomic nodes
• (optional) add the policy to a user for local testing

Only necessary for Datomic 781-9041 and Lower.

See Configuring Access.