Access Control

Throughout this page, the following metavariables are used:

Datomic Administrator Policy

A Datomic Administrator has permission to use all Client API and CLI functions. An Administrator can

  • create, list, and delete Datomic databases
  • read and write data for all Datomic databases within an account
  • manage the Bastion

All Datomic permissions are implemented via S3 read and write permissions on a System's S3 buckets. The IAM policy below demonstrates all the permissions needed to be an administrator on a Datomic system:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "$(S3DatomicArn)/$(SystemName)/datomic/access/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "$(S3DatomicArn)/$(SystemName)/datomic/access/public-keys/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:RebootInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ec2:ResourceTag/datomic:system": "$(SystemName)"
              }
            }
        }
    ]
}

The s3:GetObject permission provides read, write, create, and delete access for all databases in the specified system. The s3:PutObject permission allows the user to install bastion keys, and the ec2:DescribeInstances permission allows the user to query for the public IP of the bastion.

The built-in Administrator and PowerUser policies in IAM have all the permissions listed above; therefore all AWS Administrators and Power Users are also Datomic Administrators.

Fine-Grained Permission Policies

The table below translates IAM permissions to the Datomic permissions that they imply:

Action    | Resource                                                            | Datomic Permission
GetObject | $(S3DatomicArn)/$(SystemName)/datomic/access/*                      | admin
GetObject | $(S3DatomicArn)/$(SystemName)/datomic/access/dbs/catalog/read       | catalog access (list-dbs)
GetObject | $(S3DatomicArn)/$(SystemName)/datomic/access/dbs/db/$(DbName)       | read and write DbName
GetObject | $(S3DatomicArn)/$(SystemName)/datomic/access/dbs/db/$(DbName)/read  | read DbName
GetObject | $(S3DatomicArn)/$(SystemName)/datomic/access/private-keys/bastion   | bastion access

You can combine the IAM permissions above to create policies that match your specific needs. Once you have created a policy in the IAM console, you will need to associate the policy with a role (for running EC2 instances), or with an IAM user's group (for human users).

Example: Read/Write Access to Two Databases

The following policy grants read and write permission to the first-db and second-db databases in the day-of-datomic system, with the ARN of arn:aws:s3:::day-of-datomic-s3datomic-abcdefghijkl:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::day-of-datomic-s3datomic-abcdefghijkl/day-of-datomic/datomic/access/dbs/db/first-db/*",
                "arn:aws:s3:::day-of-datomic-s3datomic-abcdefghijkl/day-of-datomic/datomic/access/dbs/db/second-db/*"
            ],
            "Effect": "Allow"
        }
    ]
}

Example: Read-Only Access to a Database

The following policy grants read-only permission to the first-db database in the day-of-datomic system, with the ARN of arn:aws:s3:::day-of-datomic-s3datomic-abcdefghijkl:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::day-of-datomic-s3datomic-abcdefghijkl/day-of-datomic/datomic/access/dbs/db/first-db/read/.keys"
            ],
            "Effect": "Allow"
        }
    ]
}
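The table and the two example policies above describe a small, mechanical translation: a Datomic permission is a particular S3 key path under the system's datomic/access/ prefix. The Python below is an added example (not Datomic's own tooling) that applies that translation in both directions: build_db_policy emits a least-privilege policy for named databases using the exact path shapes of the two examples (db/* for read and write, db/read/.keys for read-only), and implied_permissions reads an existing policy back and reports which Datomic permissions each Allow/s3:GetObject resource implies per the table, flagging any grant that spans the whole access tree as admin. The sample ARN and system name are the page's own example values; the tool only inspects Allow statements and does not model explicit Deny statements or Condition blocks, so treat its output as a first pass before reviewing the policy in IAM.

```python
import fnmatch
import json
import re

# Sample values taken from the page's example policies; substitute your own
# system's S3DatomicArn and SystemName.
S3_DATOMIC_ARN = "arn:aws:s3:::day-of-datomic-s3datomic-abcdefghijkl"
SYSTEM_NAME = "day-of-datomic"


def access_prefix(s3_datomic_arn, system_name):
    """ARN prefix under which Datomic stores a system's access keys."""
    return f"{s3_datomic_arn}/{system_name}/datomic/access"


def db_resource(s3_datomic_arn, system_name, db_name, read_only=False):
    """Resource ARN for one database, shaped like the page's two examples:
    <db>/* for read and write, <db>/read/.keys for read-only."""
    base = f"{access_prefix(s3_datomic_arn, system_name)}/dbs/db/{db_name}"
    return f"{base}/read/.keys" if read_only else f"{base}/*"


def build_db_policy(s3_datomic_arn, system_name, read_write=(), read_only=()):
    """Least-privilege IAM policy: a single s3:GetObject Allow naming only the
    requested databases, so nothing reaches the system-wide access/* path."""
    resources = [db_resource(s3_datomic_arn, system_name, db) for db in read_write]
    resources += [db_resource(s3_datomic_arn, system_name, db, read_only=True)
                  for db in read_only]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["s3:GetObject"], "Resource": resources, "Effect": "Allow"}
        ],
    }


def _as_list(value):
    # IAM accepts either a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


# Per-database rows of the table: dbs/db/<DbName>, optionally followed by
# /* (read and write) or /read[/...] (read only). Group 2 captures the suffix.
_DB_PATH = re.compile(r"dbs/db/([^/]+)(/\*|/read(?:/.*)?)?")


def implied_permissions(policy, s3_datomic_arn, system_name):
    """Map every Allow + s3:GetObject resource in a policy to the Datomic
    permission it implies (the page's table). Unrecognised paths are reported
    rather than dropped so an auditor sees every grant. Deny statements and
    Condition blocks are ignored (an assumption of this example)."""
    prefix = access_prefix(s3_datomic_arn, system_name)
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("s3:GetObject", a)
                   for a in _as_list(stmt.get("Action", []))):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            # A pattern matching both the bastion key and the catalog key spans
            # the whole access tree: by the table's first row that is admin.
            if (fnmatch.fnmatchcase(f"{prefix}/private-keys/bastion", res)
                    and fnmatch.fnmatchcase(f"{prefix}/dbs/catalog/read", res)):
                found.add("admin")
                continue
            if not res.startswith(prefix + "/"):
                found.add(f"unclassified {res}")
                continue
            rel = res[len(prefix) + 1:]
            match = _DB_PATH.fullmatch(rel)
            if rel.startswith("dbs/catalog/read"):
                found.add("catalog access (list-dbs)")
            elif rel.startswith("private-keys/bastion"):
                found.add("bastion access")
            elif match and (match.group(2) or "").startswith("/read"):
                found.add(f"read {match.group(1)}")
            elif match:
                found.add(f"read and write {match.group(1)}")
            else:
                found.add(f"unclassified {res}")
    return sorted(found)


if __name__ == "__main__":
    policy = build_db_policy(S3_DATOMIC_ARN, SYSTEM_NAME,
                             read_write=["first-db"], read_only=["second-db"])
    print(json.dumps(policy, indent=4))
    print(implied_permissions(policy, S3_DATOMIC_ARN, SYSTEM_NAME))
```

Running the script prints a policy equivalent to the two examples above combined, followed by ["read and write first-db", "read second-db"]. Feeding it a policy whose resource is the access/* path from the Administrator policy yields ["admin"], which is the case to look for when reviewing a policy that was meant to be fine-grained.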

Authorize Client Applications

See Client Applications for instructions on allowing client applications to access the Datomic system.

Authorize Bastion Users

How Datomic Access Control Works

All Client API requests to Datomic Cloud use SSL, and authenticate via AWS HMAC-SHA256 signatures.

Users never interact with Client API signing keys, either during development or in production. Datomic Cloud manages the signing keys, which are stored in S3. Clients and tools run with IAM permission to read the keys when needed, but the keys themselves never appear in code or in configuration files. This reduces the likelihood of common problems such as inadvertently publishing credentials in source control.