Exporting files from a HealthLake Data Store
You can export files from your data store to an Amazon Simple Storage Service (Amazon S3) bucket. Files from your data store are exported in newline delimited JSON (.ndjson) format, where each line consists of a valid FHIR resource. A customer-owned KMS key is required for encryption of the Amazon S3 bucket for all export jobs. To learn more about creating a KMS key, see Creating keys in the AWS Key Management Service Developer Guide.
Only one export job can run at a time, and you can only export 5,000 FHIR resources per file.
You can still create, read, update, or delete FHIR resources while an export job is in progress.
Performing an export
You can start an export job using either the Amazon HealthLake console or the Amazon HealthLake export API operation, start-fhir-export-job.
Exporting from your Data Store
Prerequisites
To use Amazon HealthLake APIs, you must create an AWS Identity and Access Management (IAM) policy and attach it to an IAM role. To learn more about IAM roles and trust policies, see IAM Policies and Permissions.
To export files
- Create an S3 bucket. The Amazon S3 bucket must be in the same AWS region as the service, and BlockPublicAccess must be turned on for all options. To learn more, see Using Amazon S3 block public access. An Amazon-owned or customer-owned KMS key must also be used for encryption. To learn more about using KMS keys, see Amazon Key Management Service.
- Create and add an IAM policy to allow the user to create and attach roles and policies. The following is an example.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iam:CreateRole",
            "iam:CreatePolicy",
            "iam:AttachRolePolicy"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": "healthlake.amazonaws.com"
            }
          }
        }
      ]
    }

- Create a data access role. HealthLake uses this role to write to the output Amazon S3 bucket.
- Add a trust policy to the data access role. The following is an example trust policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "healthlake.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "(accountId)"
            },
            "ArnEquals": {
              "aws:SourceArn": "arn:aws:healthlake:(region):(accountId):datastore/fhir/(datastoreId)"
            }
          }
        }
      ]
    }

- Add a permission policy to the data access role that enables the role to access the S3 bucket.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketPublicAccessBlock",
            "s3:GetEncryptionConfiguration"
          ],
          "Resource": [
            "arn:aws:s3:::outputS3Bucket"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::outputS3Bucket/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "kms:DescribeKey",
            "kms:GenerateDataKey*"
          ],
          "Resource": [
            "arn:aws:kms:us-east-1:012345678910:key/d330e7fc-b56c-4216-a250-f4c43ef46e83"
          ],
          "Effect": "Allow"
        }
      ]
    }

- Use the start-fhir-export-job operation to begin a bulk export job.
- To get the ID, ARN, name, start time, end time, and current status of a FHIR export job, use describe-fhir-export-job. Use list-fhir-export-jobs to list all export jobs and their statuses.
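The check below is an added example, not part of the original AWS documentation: it inspects the trust and permission policy documents from the steps above before the data access role is used, flagging a trust policy that lacks the aws:SourceAccount and aws:SourceArn conditions and a permission policy that grants more than the page's example. The function names and the WEAK_TRUST sample are constructed for illustration.

```python
# Added example: audits a HealthLake export data access role's policy documents offline.
# The sample policy below is constructed; it is not taken from a real account.
EXPECTED_ACTIONS = {  # actions granted by the page's permission policy
    "s3:ListBucket", "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration",
    "s3:PutObject", "kms:DescribeKey", "kms:GenerateDataKey*",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _cond_keys(cond, *operators):
    # IAM condition keys are case-insensitive, so compare in lower case.
    return {key.lower() for op in operators for key in cond.get(op, {})}

def audit_trust_policy(policy):
    """Flag HealthLake trust statements that lack the confused-deputy conditions."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "healthlake.amazonaws.com" not in services:
            continue
        cond = stmt.get("Condition", {})
        if "aws:sourceaccount" not in _cond_keys(cond, "StringEquals"):
            findings.append("trust: missing aws:SourceAccount condition")
        if "aws:sourcearn" not in _cond_keys(cond, "ArnEquals", "ArnLike"):
            findings.append("trust: missing aws:SourceArn condition")
    return findings

def audit_permission_policy(policy):
    """Flag actions beyond the page's set and resources that are not scoped."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in EXPECTED_ACTIONS:
                findings.append(f"permissions: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith((":*", ":key/*")):
                findings.append(f"permissions: unscoped resource {resource}")
    return findings

# Constructed sample: a trust policy with no Condition block.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": ["healthlake.amazonaws.com"]}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for finding in audit_trust_policy(WEAK_TRUST):
        print(finding)
```

Both functions return an empty list for the example trust and permission policies shown in the steps above.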
Exporting files (console)
To export files (console)
- Create an output S3 bucket in the same region as HealthLake.
- To start a new export job, identify the output Amazon S3 bucket and either create or identify the IAM role that you want to use. To learn more about IAM roles and trust policies, see IAM Roles. An Amazon-owned or customer-owned KMS key must also be used for encryption. To learn more about using KMS keys, see Amazon Key Management Service.
- To see the status of your export job, use ListFHIRExportJobs. For more details on the ListFHIRExportJobs API command, see ListFHIRExportJobs in the Amazon HealthLake API Reference.