AWS HealthOmics creates and accesses resources in other services on your behalf when you run a job or create a store. In some cases, you need to configure permissions in other services to access resources or to allow HealthOmics to access them.
Lake Formation permissions
Before you use analytics features in HealthOmics, configure default database settings in Lake Formation.
To configure resource permissions in Lake Formation
-
Open the Data catalog settings
page in the Lake Formation console. -
Uncheck the IAM access control requirements for databases and tables under Default permissions for newly created databases and tables.
-
Choose Save.
HealthOmics Analytics auto accepts data if your service policy has the correct RAM permissions, such as the following example.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"omics:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ram:AcceptResourceShareInvitation",
"ram:GetResourceShareInvitations"
],
"Resource": "*"
}
]
} Amazon ECR permissions
Before the HealthOmics service can run a workflow in a container from your private Amazon ECR repository, you create a resource policy for the container. The policy grants permission for the HealthOmics service to use the container. You add this resource policy to each private repository referenced by the workflow.
Note
The private repository and the workflow must be in the same region.
The following sections describe the required policy configurations.
Topics
Create a resource policy for the Amazon ECR repository
Create a resource policy to allow the HealthOmics service to run a workflow using a container in the repository. The policy grants permission for the HealthOmics service principal to access the required Amazon ECR actions.
Follow these steps to create the policy:
-
Open the private repositories
page in the Amazon ECR console and select the repository you're granting access to. -
From the side bar navigation, select Permissions.
-
Choose Edit JSON.
-
Choose Add Statement.
-
Add the following policy statement and then select Save Policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "omics workflow access", "Effect": "Allow", "Principal": { "Service": "omics.amazonaws.com" }, "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability" ] } ] }
Amazon ECR repository policies for shared workflows
HealthOmics automatically allows a shared workflow to access the Amazon ECR repository while the workflow is running in the subscriber's account. You don't need to grant additional repository access for shared workflows.
By default, subscriber don’t have access to the Amazon ECR repository to use the underlying containers. Optionally, you can customize access to the Amazon ECR repository by adding condition keys to the repository's resource policy. The following sections provide example policies.
Restrict access to specific workflows
You can list individual workflows in a condition statement, so only these workflow can use containers in the repository. The SourceArn condition key specifies the ARN of the shared workflow. The following example grants permission for the specified workflow to use this repository.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OmicsAccessPrincipal",
"Effect": "Allow",
"Principal": {
"Service": "omics.amazonaws.com"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
},
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:omics:us-east-1:1234678901:workflow/1234567"
}
}
]
} Restrict access to specific accounts
You can list subscriber accounts in a condition statement, so that only these accounts have permission to use containers in the repository. The SourceAccount condition key specifies the AWS account of the subscriber. The following example grants permission for the specified account to use this repository.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OmicsAccessPrincipal",
"Effect": "Allow",
"Principal": {
"Service": "omics.amazonaws.com"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
},
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
]
} You can also deny Amazon ECR permissions to specific subscribers, as shown in the following example policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OmicsAccessPrincipal",
"Effect": "Allow",
"Principal": {
"Service": "omics.amazonaws.com"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
},
"Condition": {
"StringNotEquals": {
"aws:SourceAccount": "123456789012"
}
}
]
} 