I recently needed to configure Datomic on AWS for a client who is deploying their applications on the Amazon cloud, with the transactor set up to use Amazon’s DynamoDB as its storage service. The docs on the Datomic site were helpful, but left some things a little unclear.

Getting Started

First, realize that the command you use to initialize the storage for Datomic in DynamoDB

bin/datomic ensure-transactor <my-config-file> <my-config-file-modified>

is different from the command you use to start your transactor for normal use after setup. (Previously, I had only used Datomic with the built-in file storage – which actually uses the Java-based H2 database – and with Infinispan hosted in the Immutant app server, and neither of these storages require a separate configuration process to be run, so this was new to me.) NOTE: You can use the same filename for both the 3rd and 4th arguments to the command above, and the file will be modified in place by Datomic.

The ‘ensure-transactor’ step does all the work of configuring needed IAM Roles in your account, and of creating the Dynamo table for you. While the Datomic docs talk about using IAM Roles for authentication a privilege management as the preferred option, it is not clearly stated that this configuration step still requires that the EC2 instance’s environment have two variables defined: AWS_ACCESS_KEY_ID and AWS_SECRET_KEY. The values you specify in these variables must be for a user that has administrative level access to your AWS account. It’s important to note that these variables are not required to be present in the environment when you are starting and running the transactor for normal use, so you don’t need to save them in your .bashrc file or anything like that, but you will have to export them in your terminal console while initializing the Datomic transactor on AWS.

Ready to Run

After the ensure-transactor step has completed, assuming you left the ‘aws-transactor-role’ and ‘aws-peer-role’ parameters blank in your input config file (the second argument to ‘bin/datomic ensure-transactor’ above), then the output config file will have been modified to include role names of ‘datomic-aws-transactor’ and ‘datomic-aws-peer’ respectively. A look at your AWS account’s IAM settings will reveal that these roles were in fact created by the ensure-transactor process.

At this stage, you can run

unset AWS_ACCESS_KEY_ID unset AWS_SECRET_KEY

to sanitize your environment, and then execute

bin/transactor <my-config-file-modified>

with the modified transactor config file produced by the ensure-transactor process. At this point, you should be ready to work against Datomic on AWS just as you would on any other storage supported by Datomic.