Setting up Amazon ECR for private workflows - AWS HealthOmics

Setting up Amazon ECR for private workflows

Before you create a private workflow, you containerize your workflow tools and create corresponding private image repositories in Amazon Elastic Container Registry (Amazon ECR). When you run the workflow, the HealthOmics service accesses the containers that you provide.

Note

HealthOmics doesn't support ARM containers and doesn't support access to public containers.

Add task inputs to an ECR container image

Add all executables, libraries, and scripts needed to run a workflow task into the Amazon ECR image that's used to run the task.

It's best practice to avoid using scripts, binaries, and libraries that are external to a task's container image. This is especially important when using nf-core workflows that use a bin directory as part of the workflow package. While this directory is available to the workflow task, it's mounted read-only. Copy the required resources from this directory into the task image, either when building the container image used for the task or by making them available at runtime.

Configure Amazon ECR permissions

For the HealthOmics service to access your private repository, you create an IAM policy for the HealthOmics service. You add this policy to each private repository referenced by a workflow. The private repository and workflow must be in the same region.

You can set up cross-account support to allow multiple AWS accounts (in the same region as the repository) access to the same repository.

If you share a workflow that references any Amazon ECR containers, configure cross-account support for the shared workflow subscriber to access the containers.

To configure cross-account support, give permission to specific accounts by adding a policy statement similar to OmicsAccessCrossAccount in the following example.

To grant HealthOmics permission to access Amazon ECR
  1. Open the private repositories page in the Amazon ECR console and select the repository you are granting access to.

  2. From the sidebar navigation, select Permissions.

  3. Choose Edit JSON.

  4. Choose Add Statement.

  5. Add the following policy statement for Conditions and then select Save Policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "omics workflow",
                "Effect": "Allow",
                "Principal": {
                    "Service": "omics.amazonaws.com"
                },
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability"
                ]
            }
        ]
    }

The resource-based policy on the repository grants HealthOmics permission to pull container images from it.

To use a cross-account container in the same region, add a permission statement similar to OmicsAccessCrossAccount in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OmicsAccessPrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "omics.amazonaws.com"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        },
        {
            "Sid": "OmicsAccessCrossAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{{AWS-account-ID}}:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}
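As an added check that is not part of the AWS documentation, the following Python validates a repository policy document such as the one above against what this page requires: the omics.amazonaws.com service principal holds the three pull actions, no statement uses a wildcard principal or grants actions beyond pull, and every cross-account root principal is on an allow-list you supply. The account ID 111122223333 and both sample policies are constructed for the example.

```python
import json
import re

# The three read-only pull actions the HealthOmics documentation asks for.
REQUIRED_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability"}
OMICS_PRINCIPAL = "omics.amazonaws.com"
ACCOUNT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")

def _as_list(value):
    """IAM accepts a scalar or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_policy(policy_json, allowed_accounts=()):
    """Return findings for an ECR repository policy; an empty list means it looks right."""
    findings, omics_actions = [], set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{sid}: wildcard principal lets any AWS account pull images")
        extra = actions - REQUIRED_ACTIONS  # catches ecr:* and write actions such as ecr:PutImage
        if extra:
            findings.append(f"{sid}: actions beyond image pull: {sorted(extra)}")
        if isinstance(principal, dict) and OMICS_PRINCIPAL in _as_list(principal.get("Service", [])):
            omics_actions |= actions
        for arn in aws_principals:
            m = ACCOUNT_ARN.match(arn)
            if m and m.group(1) not in allowed_accounts:
                findings.append(f"{sid}: cross-account principal {m.group(1)} is not on the allow-list")
    missing = REQUIRED_ACTIONS - omics_actions
    if missing:
        findings.append(f"{OMICS_PRINCIPAL} is missing required actions: {sorted(missing)}")
    return findings

# Constructed sample: the page's two-statement policy with a placeholder account ID.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OmicsAccessPrincipal", "Effect": "Allow",
     "Principal": {"Service": OMICS_PRINCIPAL}, "Action": sorted(REQUIRED_ACTIONS)},
    {"Sid": "OmicsAccessCrossAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": sorted(REQUIRED_ACTIONS)}]})

# Constructed sample of a policy that is too broad: any principal may pull, and may also push.
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
     "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]})
```

Run check_policy over the output of the ECR repository policy you retrieve for each repository a workflow references; a non-empty result means the policy is either too broad or not yet usable by HealthOmics.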