`Unable to read keyfile` error when trying to initialize Datomic Cloud with Client API

Question

Howdy all.

I'm testing setting up Datomic Cloud using an IntelliJ IDE. I'm following the Client API tut from Datomic but am stuck initializing the client.

The spec from an API client is here, and the tut is here, under the step Using Datomic Cloud.

So the tut says to init a client like so:

(require '[datomic.client.api :as d])
(def cfg {:server-type :ion
      :region "<your AWS Region>" ;; e.g. us-east-1
      :system "<system name>"
      :creds-profile "<your_aws_profile_if_not_using_the_default>"
      :endpoint "<your endpoint>"})

They say to include an AWS profile if not using the default. I am using the default as far as I know--I'm not part of an org in AWS.

This is the (partially redacted) code from my tutorial.core namespace, where I'm trying to init Datomic:

(ns tutorial.core   
(:gen-class))
(require '[datomic.client.api :as d])
(def cfg {:server-type :cloud
      :region "us-east-2"
      :system "roam"
      :endpoint "https://API_ID.execute-api.us-east-2.amazonaws.com"
      })
(def client (d/client cfg))
(d/create-database client {:db-name "blocks"})
(d/connect client {:db-name "blocks"})

However, I'm getting an error from Datomic like: Forbidden to read keyfile at s3://URL/roam/datomic/access/admin/.keys. Make sure that your endpoint is correct, and that your ambient AWS credentials allow you to GetObject on the keyfile.

Do I need some sort of credential? Could anything else be causing this error? I got the endpoint URL from the ClientApiGatewayEndpoint in my CloudFormation Datomic stack.

Please let me know if I should provide more info! Thanks.

Answer 1

Hi Julia,

That looks like your REPL in intelliJ is missing aws credentials. These can be set by editing your REPL configuration in intelliJ and setting the environment credentials for AWS_SECRET_KEY etc:

http://imgur.com/a/P4tdshR

You can also provide a named profile if you have AWS profiles configured. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html. You can use these profiles in your connection (https://docs.datomic.com/cloud/tutorial/client.html#using-datomic-cloud) to a Datomic Cloud system, but if you are connecting locally from your laptop your REPL will also need sourced credentials that can access the AWS resources.

Comments

Hi Jaret, thanks so much! I don't have AWS profiles configured, but this is definitely my problem. Do you know of any guide on how to config the AWS credentials for the REPL (...and otherwise?) that applies to Clojure/Datomic. I'm struggling to find a good guide online.

I got my AWSAccessKeyId and AWSSecretKey from my security credentials, but am not sure where to find the "Secret access key" you have set up.

---

Julia, Your AWSSecretKey will be the same as your Secret Access Key, truthfully you probably do not need it.  I populate the value because of legacy programs which needed this environment variable set.  

>Do you know of any guide on how to config the AWS credentials for the REPL (...and otherwise?) that applies to Clojure/Datomic. I'm struggling to find a good guide online.

There are a lot of ways to skin this cat.  You can source credentials manually (i.e. have a file with the credentials and `source ~/.filename.creds`, utilize profiles, manually export each key and value.).  I recommend reading through AWS's recommendation and then determining what works best for you.  I personally utilize profiles or manually set the environment variables as shown in my previous screenshot.

---

Jaret, thanks for your detailed answer! I spent some time with the AWS docs yesterday and figured it out :~) It's definitely not straightforward from the Datomic docs, but I suppose they expect it would be prior knowledge.