Motivation

Datomic's AWS support has been designed according to the principle of least privilege. When running in AWS, a Datomic transactor or peer needs only the minimum permissions necessary to communicate with various AWS services. These permissions are documented in Setting Up Storage Services.
But you still need some way to install these minimal permissions on ephemeral virtual hardware. Early versions of AWS left this problem to the developer. Solutions were tedious and ad hoc, but, more importantly, they were risky. Leaving every application developer the task of passing credentials around is a recipe for credentials lying around in a hundred different places (or even checked into source code repositories).
IAM roles provide a generic solution to this problem. From the FAQ: "An IAM role allows you to delegate access, with defined permissions, to trusted entities without having to share long term access keys" (emphasis added). From a developer perspective, IAM roles get credentials out of your application code.
Starting with version 0.9.4314, Datomic supports IAM roles as the default mechanism for conveying credentials in AWS. What does this mean for developers?
- If you are configuring Datomic for the first time, the setup instructions will secure peers and transactors using IAM roles.
- If you have an existing Datomic installation and want to upgrade to roles, Migrating to IAM Roles will walk you through the process.
- Using explicit credentials in transactor properties and in connection URIs is deprecated, but will continue to work. Your existing deployments will not break.
IAM roles make your application both easier to manage and more secure. Use them.