amazon-s3 clojure leiningen datomic

`Unable to read keyfile` error when trying to initialize Datomic Cloud with Client API on AWS S3


I'm testing setting up Datomic Cloud using an IntelliJ IDE. I'm following the Client API tut from Datomic but am stuck initializing the client.

The spec from an API client is here, and the tut is here, under the step Using Datomic Cloud.

So the tut says to init a client like so:

(require '[datomic.client.api :as d])
(def cfg {:server-type :ion
      :region "<your AWS Region>" ;; e.g. us-east-1
      :system "<system name>"
      :creds-profile "<your_aws_profile_if_not_using_the_default>"
      :endpoint "<your endpoint>"})

They say to include an AWS profile if not using the default. I am using the default as far as I know--I'm not part of an org in AWS.

This is the (partially redacted) code from my tutorial.core namespace, where I'm trying to init Datomic:

(ns tutorial.core   
(:gen-class))
(require '[datomic.client.api :as d])
(def cfg {:server-type :cloud
  :region "us-east-2"
  :system "roam"
  :endpoint "https://API_ID.execute-api.us-east-2.amazonaws.com"
  })
(def client (d/client cfg))
(d/create-database client {:db-name "blocks"})
(d/connect client {:db-name "blocks"})

However, I'm getting an error from Clojure: Forbidden to read keyfile at s3://URL/roam/datomic/access/admin/.keys. Make sure that your endpoint is correct, and that your ambient AWS credentials allow you to GetObject on the keyfile.

Do I need some sort of credential? Could anything else be causing this error? I got the endpoint URL from the ClientApiGatewayEndpoint in my CloudFormation Datomic stack.

Please let me know if I should provide more info! Thanks. I tried the solution mentioned here and it didn't work; I can't find an answered question for this anywhere online.


Solution

  • When you initialize the client from your computer, the datomic library is trying to reach S3 to read some configuration file using whatever AWS credentials you passed. You mention that you are using the default profile, so most likely you have a ~/.aws/credentials file with a [default] entry and an access and secret key.

    The error:

    Forbidden to read keyfile at s3://URL/roam/datomic/access/admin/.keys. Make sure that your endpoint is correct, and that your ambient AWS credentials allow you to GetObject on the keyfile.

    Means that the Datomic library can't read the file from S3. There are many reasons why this could be the case. Try running the following using the AWS CLI:

    aws s3 cp s3://URL/roam/datomic/access/admin/.keys .
    

    I'm assuming that it will fail and that would mean your default profile doesn't have the necessary permissions to read this resource from S3, thus the error you get from datomic. To fix it you would need to add the necessary permission to your AWS user IAM role (GetObject on the keyfile, as suggested by the error message).

    One thing you could try is creating a profile. In your ~/.aws/credentials:

    [datomic]
    aws_access_key_id = your-access-key
    aws_secret_access_key = your-secret-key
    region = us-east-2
    

    Then change your cfg map to:

    (def cfg {:server-type :cloud
      :region "us-east-2"
      :system "roam"
      :creds-profile "datomic"
      :endpoint "https://API_ID.execute-api.us-east-2.amazonaws.com"
      })
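
The checks the answer describes can be run offline before touching IAM. The following is an added example, not part of the original answer and not Datomic's own code: it pulls the keyfile location out of the error text, checks that a profile in a credentials file carries both static keys, and builds an IAM policy that allows `s3:GetObject` on that one object only. The function names are hypothetical, the credentials text is a constructed sample with placeholder values, and `URL` is the redacted bucket name from the question; whether the client needs permissions beyond this one is an assumption the page does not settle.

```python
import configparser
import json
import re

# Constructed sample: the error text from the question (bucket redacted as "URL").
ERROR = ("Forbidden to read keyfile at s3://URL/roam/datomic/access/admin/.keys. "
         "Make sure that your endpoint is correct, and that your ambient AWS "
         "credentials allow you to GetObject on the keyfile.")

# Constructed sample of a ~/.aws/credentials file; all values are placeholders.
CREDENTIALS = """\
[default]
aws_access_key_id = PLACEHOLDER_DEFAULT_ID
aws_secret_access_key = PLACEHOLDER_DEFAULT_SECRET

[datomic]
aws_access_key_id = PLACEHOLDER_DATOMIC_ID
"""

def keyfile_location(error_text):
    """Return (bucket, key) of the keyfile named in the error, or None."""
    m = re.search(r"s3://([^/\s]+)/(\S+)", error_text)
    if not m:
        return None
    # The URI ends a sentence, so drop the trailing full stop from the key.
    return m.group(1), m.group(2).rstrip(".")

def profile_is_usable(credentials_text, profile="default"):
    """True if the profile exists and has both static key fields set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(credentials_text)
    if not cp.has_section(profile):
        return False
    return all(cp.get(profile, k, fallback="").strip()
               for k in ("aws_access_key_id", "aws_secret_access_key"))

def keyfile_read_policy(bucket, key):
    """IAM policy scoped to GetObject on the single keyfile object."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "s3:GetObject",
                           "Resource": f"arn:aws:s3:::{bucket}/{key}"}]}

if __name__ == "__main__":
    bucket, key = keyfile_location(ERROR)
    print("datomic profile usable:", profile_is_usable(CREDENTIALS, "datomic"))
    print(json.dumps(keyfile_read_policy(bucket, key), indent=2))
```

In the constructed sample the `datomic` profile is reported as unusable because its secret key line is missing, a local misconfiguration worth ruling out before changing any IAM permissions.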