This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2020-07-05
@mail524 What release of Datomic Cloud are you using? I'm on the latest and if I wanted to add a node policy to my instances I would:
1. Find and select the compute stack
2. Click the update button on the top right
3. Use the current template
4. Scroll to the bottom of the "Specify Stack Details" page
5. Add my Policy Arn
Thanks @joe.lane I got it working well enough to move on to my next error. I'm running a solo topology com.datomic/client-cloud #:mvn{:version "0.8.81"}. Now I just have to figure out the function signature for the websockets $connect function.
I tried running the aws s3 cp and this is the result 2020-07-05 08:14:56,113 - MainThread - urllib3.connectionpool - DEBUG -
At this point I am not sure where should I look next for any fix, please if you have even just guesses, don't hold back, it would help me learn.
Your AWS credentials need to allow access to the public datomic maven repo. If you are not running as an AWS administrator (not just the datomic admin policy), you'll need to add an s3 read permission for the datomic maven bucket to your user
it's just that I am severely confused atm. what 's3 read permission for a specific bucket' means. Should I copy what is in the textbox? https://docs.datomic.com/cloud/operation/access-control.html or should I use http://awspolicygen.s3.amazonaws.com/policygen.html to generate something?
{
    "Sid": "VisualEditor3",
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::datomic-releases-1fc2183a/*",
        "arn:aws:s3:::datomic-releases-1fc2183a"
    ]
}
so if you don’t explicitly allow them to read from a bucket, even if that bucket is publicly accessible, the client permissions for the AWS role will prevent
makes sense, I was suspicious of something like this, but being completely new to most of the terms, I got lost easily and since I used search, it led me to the wrong places
well, if you know someone who works on the datomic website/docs, I would happily help for free
Finally I got time to get back to this, but it says that Policy has invalid resource
this is the json I am trying to save:
{
    "Id": "Policy1594355345891",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::datomic-releases-1fc2183a",
            "Principal": {
                "AWS": ["arn:aws:iam::263904136339:user/same-page-dev"]
            }
        }
    ]
}
If I could at least know if the error is with my local or my remote aws config, but the more docs I read the more confused I get. Nothing seems to have any effect for the better.
the log is actually very helpful as that removes everything but the s3 call. your iam user is in eu-west-1 but is correctly trying to get to the bucket in us-east-1. from the head request failing this is almost certainly something to do with your iam permissions for this user, like not being permitted to do s3 downloads
at the top of the tutorial, there is a list of prereqs, the last of which are
> Run in an environment with https://docs.datomic.com/cloud/getting-started/connecting.html.
> Have https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator permissions.
I'm thinking maybe your iam user does not have aws administrator permissions?
the steps are at https://docs.datomic.com/cloud/getting-started/configure-access.html#authorize-user
Afaik I can tell, everything is set as it is written. I have checked this yesterday when I said that I had a suspicion. I wrote it then that "the user is added to the group the policy is attached to the group", hoping if that's not enough someone will point it out. Should I make screenshots? What would be a troubleshoot option here?
you used the Datomic administrator policy?
I think yes, but these are specifically the kind of questions that if I misunderstand it even a bit, that can lead to much confusion. When I subscribed, the template created a policy called arn:aws:iam::263904136339:policy/datomic-admin-datomic-same-page-eu-west-1 which I then attached to a new group and my user is added to this group, so if I go to https://console.aws.amazon.com/iam/home?#/users/same-page-dev?section=permissions where same-page-dev is the username, I can see the name of the policy listed. (datomic-admin-datomic-same-page-eu-west-1)
I also wish I could specify a default profile for datomic, but I haven't found this without specifying a default for aws, but that makes the named profile thing a bit useless right now, but probably I just misunderstand the reason for these named profiles
that sounds right, but I'm not an expert on this end of things. maybe @jaret or @marshall can confirm tomorrow
Thanks @U064X3EF3! @U0VQ4N5EE catching up from the weekend, were you able to resolve after starting over or are you still seeing permission errors? If so, it may be useful to log a case to [email protected] so we can share your specific policy and review. I suspect that you are in fact having IAM issues and have previously seen issues with setting the specific region. I can also double check how you have your profiles configured, because using profiles is our recommended resolution to having local AWS creds defaulted to a different AWS region than your Datomic system.
Scratch that, I see that @marshall spotted the issue and helped you up higher in the threads.
linking for jaret, sorry if redundant : ) I don't want to spam the channel https://clojurians.slack.com/archives/C03RZMDSH/p1594375442110400?thread_ts=1593933535.453500&cid=C03RZMDSH
also tried
{
    "Id": "Policy1594355345891",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DatomicS3BucketAccess",
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": [
                "arn:aws:s3:::datomic-releases-1fc2183a",
                "arn:aws:s3:::datomic-releases-1fc2183a/*",
                "arn:aws:s3:::datomic-code-7cf69135-6e19-4e99-878e-9c3f4a48ad48",
                "arn:aws:s3:::datomic-code-7cf69135-6e19-4e99-878e-9c3f4a48ad48/*"
            ]
        }
    ]
}
But this says Missing required field Principal
I am attempting to log a message by using cast/dev as shown here https://docs.datomic.com/cloud/ions/ions-monitoring.html#dev
The first thing I do in my ion function is call (cast/dev {:msg "socket-connect" :req (str req)})
I can not find this message output in cloudwatch anywhere. I have checked the log group for the datomic system overall and for the specific connect ion. I also tried calling with cast/event with no luck.
I do get a thrown error printed out for my function, but I don't get the log that happens before that error occurs.