Welcome! Please see the About page for a little more info on how this works.

+3 votes
in Cloud by
edited by

I'm running a Clojure service inside a Docker container, and have the SOCKS proxy configured to give me a connection to a Datomic Cloud system. I verified this setup by creating a database successfully yesterday.

Unfortunately, this morning when I added a new dependency to the service I had to rebuild the Docker container, and encountered the following error:

Downloading: com/datomic/ion/0.9.48/ion-0.9.48.jar from datomic-cloud
Error building classpath. Could not find artifact com.datomic:ion:jar:0.9.48 in central (https://repo1.maven.org/maven2/)
ERROR: Service 'clojure' failed to build : The command '/bin/sh -c clojure -A:dev:test:cider-clj:exit' returned a non-zero code: 1

I can aws s3 cp the JAR from the S3 bucket just fine but Maven isn't as cooperative. I do have an explicit AWS access key exported inside the Docker container (this was necessary to workaround issues with STS and assumed roles) but with the JAR being publicly accessible I wouldn't expect those credentials to cause problems.

I can't easily unset the credentials as they're baked into the container via an env_file but I could move this configuration into runtime rather than build time if this is the cause.

Has anyone else encountered this issue? If so, I'd massively appreciate any suggested workarounds/fixes.


Update: I've tried moving the AWS credentials from an env_file into a read-only volume, which means the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY vars are no longer exported at build time. This hasn't fixed the issue, which leads me to believe it's not the AWS credentials that are causing the problem. That said, with the AWS credentials in place during build there's a noticeable delay fetching from both the cognitect-dev-tools and datomic-cloud repos.

Update 2: I'm seeing the same error inside GitHub actions. Not just inside Docker containers…

3 Answers

+1 vote
selected by
Best answer

When retrieving any objects from the s3 maven repo, you are inherently acting as an AWS user. You must have AWS credentials set and those IAM creds must allow S3 access (HeadObject, GetObject, GetBucketLocation) to the Maven repo bucket (datomic-releases-1fc2183a).

I've granted these permissions and even tried giving full admin access to the IAM user. Unfortunately, I'm seeing the same error about building the classpath.
+3 votes

With some additional help from Mr. Miller over on Slack I was able to get this working on my host machine, inside a Docker container, and with GitHub Actions.

As Alex mentioned, IAM configuration is required to access the S3-hosted repo via tools.deps. I granted GetBucketLocation permission to all buckets, and all permissions to the datomic-releases-1fc2183a bucket.

Docker was the most fiddly to get working. There I created an AWS directory with config and credentials and used COPY to make that available at build time. I then mount the same directory as a read-only volume at runtime.

GitHub Actions required the aws-actions/configure-aws-credentials action, and a couple of secrets (don't forget to specify the region too or your build will fail).

Now I have this stuff properly configured I can get stuck into some feature development with the disruptive power of Clojure, Datomic, and AWS at my finger tips.

Massive thank you to Alex for all his help here. Thank you, Mr. Miller!

0 votes

For those who have stumbled upon this very same issue, here are the permissions you need:

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
            "Resource": [
                "arn:aws:s3:::datomic-releases-1fc2183a "
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::*"

Further steps would be to:
1. Create a dedicated Policy in AWS IAM
2. Create a dedicated User in AWS IAM specifically for Clojure CLI (e.g. tools.deps)
3. Grant the User the previously created Policy ("Permissions" tab > "Permission policies")
4. Create an Access key for the User ("Security credentials" tab > "Access keys")
5. Save the generated AWS Access Key ID and AWS Secret Access Key
6. Add an S3 repo server to your local Maven config as per Deps and CLI docs, using datomic-cloud as a server id, so that tools.deps are able to pick them up

All these steps will help you to run clojure -P (with whatever aliases you use in your project, e.g. ion-dev or simply dev) without the above error.

P.S. It also makes sense to grant this permission to all other Administrators or PowerUsers via the same Policy.