#datomic
2020-07-05
Joe Lane 00:07:07

@mail524 What release of Datomic Cloud are you using? I'm on the latest and if I wanted to add a node policy to my instances I would:
1. Find and select the compute stack
2. Click the update button on the top right
3. Use the current template
4. Scroll to the bottom of the "Specify Stack Details" page
5. Add my Policy Arn

Joe Lane 00:07:15

4. (Bottom)

bamarco 01:07:02

Thanks @joe.lane I got it working well enough to move on to my next error. I'm running a solo topology com.datomic/client-cloud #:mvn{:version "0.8.81"}. Now I just have to figure out the function signature for the websockets $connect function.

Aron 07:07:55

I tried running the aws s3 cp . --debug 2> log and this is the result:

2020-07-05 08:14:56,113 - MainThread - urllib3.connectionpool - DEBUG - "HEAD /maven/releases/com/datomic/ion/0.9.7/ion-0.9.7.jar HTTP/1.1" 403 0

At this point I am not sure where I should look next for any fix, please if you have even just guesses, don't hold back, it would help me learn.

marshall 12:07:34

Your AWS credentials need to allow access to the public datomic maven repo. If you are not running as an AWS administrator (not just the datomic admin policy), you'll need to add an s3 read permission for the datomic maven bucket to your user

Aron 13:07:48

oh, that sounds like it!

Aron 13:07:21

it's just that I am severely confused atm what 's3 read permission for a specific bucket' means. Should I copy what is in the textbox? https://docs.datomic.com/cloud/operation/access-control.html or should I use http://awspolicygen.s3.amazonaws.com/policygen.html to generate something?

marshall 13:07:39

this is a separate issue/policy from the datomic admin policy

marshall 13:07:52

one second, let me find an example

Aron 13:07:11

ok, thanks for clearing up that confusion 🙂

marshall 13:07:26

{
    "Sid": "VisualEditor3",
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::datomic-releases-1fc2183a/*",
        "arn:aws:s3:::ddatomic-releases-1fc2183a"
    ]
}

marshall 13:07:32

something like that

marshall 13:07:50

the issue is that by default AWS users/roles/etc have no permissions

marshall 13:07:11

so if you don’t explicitly allow them to read from a bucket, even if that bucket is publicly accessible, the client permissions for the AWS role will prevent

Aron 13:07:06

makes sense, I was suspicious of something like this, but being completely new to most of the terms, I got lost easily and since I used search, it led me to the wrong places

marshall 13:07:30

we are actively working on improving the docs/forum search

marshall 13:07:44

for finding answers to this (and other) questions

Aron 13:07:53

well, if you know someone who works on the datomic website/docs, I would happily help for free

marshall 14:07:27

I just realized the role rule I posted wasn't quite right

marshall 14:07:31

give me a few to correct it

Aron 10:07:02

Finally I got time to get back to this, but it says that "Policy has invalid resource"; this is the JSON I am trying to save:

{
  "Id": "Policy1594355345891",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::datomic-releases-1fc2183a",
      "Principal": {
        "AWS": ["arn:aws:iam::263904136339:user/same-page-dev"]
      }
    }
  ]
}

Aron 10:07:23

If I could at least know if the error is with my local or my remote aws config, but the more docs I read the more confused I get. Nothing seems to have any effect for the better.

Alex Miller (Clojure team) 13:07:12

the log is actually very helpful as that removes everything but the s3 call. your iam user is in eu-west-1 but is correctly trying to get to the bucket in us-east-1. from the head request failing this is almost certainly something to do with your iam permissions for this user, like not being permitted to do s3 downloads

Alex Miller (Clojure team) 13:07:01

I'm thinking maybe your iam user does not have aws administrator permissions?

Aron 13:07:35

I will double check it now

Aron 13:07:24

As far as I can tell, everything is set as it is written. I checked this yesterday when I said that I had a suspicion. I wrote it then that "the user is added to the group, the policy is attached to the group", hoping if that's not enough someone will point it out. Should I make screenshots? What would be a troubleshoot option here?

Alex Miller (Clojure team) 13:07:49

you used the Datomic administrator policy?

Aron 13:07:35

I think yes, but these are specifically the kind of questions that if I misunderstand it even a bit, that can lead to much confusion. When I subscribed, the template created a policy called arn:aws:iam::263904136339:policy/datomic-admin-datomic-same-page-eu-west-1 which I then attached to a new group and my user is added to this group, so if I go to https://console.aws.amazon.com/iam/home?#/users/same-page-dev?section=permissions where same-page-dev is the username, I can see the name of the policy listed. (datomic-admin-datomic-same-page-eu-west-1)

Aron 13:07:56

I also wish I could specify a default profile for datomic, but I haven't found this without specifying a default for aws, but that makes the named profile thing a bit useless right now, but probably I just misunderstand the reason for these named profiles

Alex Miller (Clojure team) 14:07:24

that sounds right, but I'm not an expert on this end of things. maybe @jaret or @marshall can confirm tomorrow

Aron 15:07:58

thanks, I think I will just clear anything and start completely over

jaret 13:07:12

Thanks @U064X3EF3! @U0VQ4N5EE catching up from the weekend, were you able to resolve after starting over or are you still seeing permission errors? If so, it may be useful to log a case to [email protected] so we can share your specific policy and review. I suspect that you are in fact having IAM issues and have previously seen issues with setting the specific region. I can also double check how you have your profiles configured, because using profiles is our recommended resolution to having local AWS creds defaulted to a different AWS region than your Datomic system.

jaret 13:07:36

Scratch that, I see that @marshall spotted the issue and helped you up higher in the threads.

Aron 10:07:13

also tried

{
  "Id": "Policy1594355345891",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DatomicS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "arn:aws:s3:::datomic-releases-1fc2183a",
        "arn:aws:s3:::datomic-releases-1fc2183a/*",
        "arn:aws:s3:::datomic-code-7cf69135-6e19-4e99-878e-9c3f4a48ad48",
        "arn:aws:s3:::datomic-code-7cf69135-6e19-4e99-878e-9c3f4a48ad48/*"
      ]
    }
  ]
}

But this says "Missing required field Principal"

Aron 15:07:08

sometimes it helps 🙂

bamarco 17:07:44

I am attempting to log a message by using cast/dev as shown here https://docs.datomic.com/cloud/ions/ions-monitoring.html#dev The first thing I do in my ion function is call (cast/dev {:msg "socket-connect" :req (str req)}) I can not find this message output in cloudwatch anywhere. I have checked the log group for the datomic system overall and for the specific connect ion. I also tried calling with cast/event with no luck. I do get a thrown error printed out for my function, but I don't get the log that happens before that error occurs.

Joe Lane 23:07:40

@mail524
1. Dev is only for local, and will never show up in cloudwatch
2. If the payload is too large it won't be submitted to cloudwatch.
3. In the process of debugging like this, try printing the (cast/event {:msg "socket-connect" :req (str (keys req))})