Access Control

Throughout this page, the following metavariables are used: $(S3DatomicArn), the ARN of the system's Datomic S3 bucket, and $(SystemName), the name of the Datomic system.

Datomic Administrator Policy

A Datomic Administrator has permission to use all Client API and CLI functions. An Administrator can

  • create, list, and delete Datomic databases
  • read and write data for all Datomic databases within an account
  • manage the Bastion

All Datomic database permissions are implemented via S3 read and write permissions on a system's S3 bucket; managing the bastion additionally requires two EC2 permissions. The IAM policy below demonstrates all the permissions needed to be an administrator on a Datomic system:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "$(S3DatomicArn)/$(SystemName)/datomic/access/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "$(S3DatomicArn)/$(SystemName)/datomic/access/public-keys/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:RebootInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/datomic:system": "$(SystemName)"
                }
            }
        }
    ]
}

The s3:GetObject permission on the datomic/access prefix is what provides read, write, create, and delete access for all databases in the specified system: the Client API signing keys are stored there, and a principal who can read them can do anything a client can. The s3:PutObject and s3:DeleteObject permissions on the public-keys prefix allow the user to install and remove bastion keys, the ec2:DescribeInstances permission allows the user to query for the public IP of the bastion, and the ec2:RebootInstances permission, limited by its Condition to instances tagged with this system's name, allows the user to reboot the bastion.

The AWS managed AdministratorAccess and PowerUserAccess policies include all the permissions listed above; therefore all AWS Administrators and Power Users are also Datomic Administrators. When reviewing who can administer a system, look beyond the policy above: any grant broad enough to read the datomic/access prefix (for example s3:* on all resources) has the same effect.
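The check described above can be automated. The following is an added example, not code from the Datomic documentation or the Datomic project: a small evaluator for the Allow/Deny, Action/NotAction and Resource/NotResource elements of an IAM identity policy (Condition elements are deliberately ignored, which over-approximates) that asks one question of each policy: can its principal read objects under $(S3DatomicArn)/$(SystemName)/datomic/access/*? It runs that question against the administrator policy from this page, against a constructed least-privilege node policy of the kind described under "Creating an IAM Policy" below, and against a few constructed broad or negated policies. The bucket ARN, system name, account id, topic ARN and sample policies are all assumed values for illustration.

```python
"""Audit IAM policy documents for Datomic-administrator-equivalent grants.

Added example, not part of the Datomic documentation. It models the core of
IAM identity-policy evaluation (Allow/Deny, Action/NotAction, Resource/
NotResource, '*' and '?' wildcards) and asks: can this policy's principal
read objects under <bucket>/<system>/datomic/access/*? Per the page, that
read permission alone is full access to every database in the system.
Condition elements are ignored (a conditioned Allow is treated as unconditional).
"""
import json
import re

# Assumed example values; substitute your own bucket ARN and system name.
S3_DATOMIC_ARN = "arn:aws:s3:::datomic-storage-example-bucket"
SYSTEM_NAME = "my-system"


def _as_list(value) -> list:
    return [] if value is None else value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Everything else is literal (no shell-style [...] classes).
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_covers(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's action and resource elements both match."""
    action = action.lower()  # action names are case-insensitive; ARNs are not
    if "Action" in stmt:
        act_ok = any(_wildcard_match(a.lower(), action) for a in _as_list(stmt["Action"]))
    else:
        act_ok = not any(_wildcard_match(a.lower(), action) for a in _as_list(stmt.get("NotAction")))
    if "Resource" in stmt:
        res_ok = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
    else:
        res_ok = not any(_wildcard_match(r, resource) for r in _as_list(stmt.get("NotResource")))
    return act_ok and res_ok


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one (action, resource) pair: an explicit Deny beats any Allow,
    and with no matching Allow the result is an implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_covers(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def grants_datomic_admin(policy: dict, s3_datomic_arn: str = S3_DATOMIC_ARN,
                         system_name: str = SYSTEM_NAME) -> bool:
    """Can the principal read the Client API signing keys of this system?
    One representative key under the access prefix is probed, so a grant on
    the whole prefix (as in the page's policy) or anything broader is caught;
    a grant naming one specific other key would not be."""
    probe = f"{s3_datomic_arn}/{system_name}/datomic/access/probe-key"
    return is_allowed(policy, "s3:GetObject", probe)


def datomic_admin_policy(s3_datomic_arn: str = S3_DATOMIC_ARN,
                         system_name: str = SYSTEM_NAME) -> dict:
    """The administrator policy from this page with its metavariables filled in."""
    prefix = f"{s3_datomic_arn}/{system_name}/datomic/access"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [f"{prefix}/*"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"{prefix}/public-keys/*"]},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:RebootInstances"], "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/datomic:system": system_name}}},
    ]}


# Constructed sample: a least-privilege node policy for an ion that reads one
# bucket prefix and publishes to one SNS topic. It must not be Datomic admin.
NODE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-data-example-bucket/reports/*"},
    {"Effect": "Allow", "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:123456789012:example-topic"}]}

# Constructed sample: the broad S3 grant a PowerUser effectively has; the page
# notes such principals are Datomic Administrators too.
BROAD_S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed sample: an Allow expressed with NotAction still covers s3:GetObject.
NOT_ACTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}

# Constructed sample: a broad Allow carved back by an explicit Deny on every
# system's access prefix in the Datomic bucket.
DENY_ACCESS_KEYS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": f"{S3_DATOMIC_ARN}/*/datomic/access/*"}]}


def audit(policies: dict) -> dict:
    """Map each named policy to whether it confers Datomic admin on SYSTEM_NAME."""
    return {name: grants_datomic_admin(p) for name, p in policies.items()}


if __name__ == "__main__":
    print(json.dumps(audit({
        "datomic-admin": datomic_admin_policy(),
        "node-policy": NODE_POLICY,
        "broad-s3": BROAD_S3_POLICY,
        "not-action": NOT_ACTION_POLICY,
        "deny-access-keys": DENY_ACCESS_KEYS_POLICY,
    }), indent=2))
```

Run it against any policy document you are about to attach to a user, role, or the NodePolicyArn parameter; a True result for a policy that was not meant to grant Datomic administration is the finding. Because Condition elements are ignored, a True can be a false positive for a tightly conditioned Allow, but a False is reliable for the elements modelled.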

Authorize Client Applications

See Client Applications for instructions on allowing client applications to access the Datomic system.

Authorize Bastion Users

How Datomic Access Control Works

All Client API requests to Datomic Cloud use TLS, and authenticate via AWS HMAC-SHA256 signatures. Users never interact with Client API signing keys, either during development or in production. Datomic Cloud manages the signing keys, which are stored in S3. Clients and tools run with IAM permission to read the keys when needed, but the keys themselves never appear in code or in configuration files. This reduces the likelihood of common problems such as inadvertently publishing credentials in source control. The corollary is that IAM permission to read the datomic/access prefix of the system's bucket is equivalent to full access to the system, so treat s3:GetObject on that prefix as the sensitive grant when reviewing policies.

Authorize Ions to Access Other AWS Services

Ion applications may need specific IAM permissions beyond those needed by Datomic itself. For example, your application might want to read from an S3 bucket, or publish a message to an SNS topic.

Datomic Cloud lets you grant these permissions via IAM in such a way that your app:

  • never mentions AWS credentials
  • never has "dev vs. prod" conditional logic

To authorize ions to use AWS resources, complete the four steps described in the following sections:

Default Credentials Provider Chain

In the AWS SDK, the default credentials provider chain (DefaultAWSCredentialsProviderChain in the AWS SDK for Java) loads credentials from the runtime environment, so that you do not have to place credentials directly in your code. The same code then runs locally with your development user's credentials and on Datomic nodes with the credentials of the node instance role.

When creating AWS client objects, call constructors that use the default chain, such as defaultClient.

Creating an IAM Policy

You can create an IAM policy listing any permissions your application needs. As a best practice, use fine-grained policies that grant your application the least privilege needed to perform its duties: name the specific actions and the specific bucket, topic, or other resource ARNs rather than wildcards.

Adding an IAM Policy to Datomic Nodes

The Datomic Compute CF template lets you specify a custom policy via the template parameter named NodePolicyArn. In the console UI this parameter appears under:

Optional Configuration | Existing IAM managed policy for instances

You can set or update your custom node policy at any time by performing a parameter upgrade and setting the NodePolicyArn to the ARN of your policy.

Testing an IAM Policy Locally

To test your IAM policy locally, attach your IAM policy to the user you use for development. See Configure AWS Access Keys for more information.