Resource permissions - AWS HealthOmics
Lake Formation permissionsAmazon ECR permissions

Resource permissions

AWS HealthOmics creates and accesses resources in other services on your behalf when you run a job or create a store. In some cases, you need to configure permissions in other services to access resources or to allow HealthOmics to access them.

Lake Formation permissions

Before you use analytics features in HealthOmics, configure default database settings in Lake Formation.

To configure resource permissions in Lake Formation

  1. Open the Data catalog settings page in the Lake Formation console.

  2. Uncheck the IAM access control requirements for databases and tables under Default permissions for newly created databases and tables.

  3. Choose Save.

HealthOmics Analytics auto accepts data if your service policy has the correct RAM permissions, such as the following example. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "omics:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:AcceptResourceShareInvitation",
        "ram:GetResourceShareInvitations"
      ],
      "Resource": "*"
    }
  ]
}

Amazon ECR permissions

For the HealthOmics service to access your private repository, you create an IAM policy for the HealthOmics service. You add this policy to each private repository referenced by a workflow. The private repository and workflow must be in the same region.

You can set up cross-account support to allow multiple AWS accounts (in the same region as the repository) access to the same repository.

If you share a workflow that references any Amazon ECR containers, configure cross-account support for the shared workflow subscriber to access the containers.

To configure cross-account support, give permission to specific accounts by adding a policy statement similar to OmicsAccessCrossAccount in the following example.

To grant HealthOmics permission to access Amazon ECR

  1. Open the private repositories page in the Amazon ECR console and select the repository you are granting access to.

  2. From the side bar navigation, select Permissions.

  3. Choose Edit JSON.

  4. Choose Add Statement.

  5. Add the following policy statement for Conditions and then select Save Policy.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "omics workflow access",
            "Effect": "Allow",
            "Principal": {
                "Service": "omics.amazonaws.com"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

The resource-based policy on the registry grants the HealthOmics service principal permission to acquire a container image in the repository.

To use a cross-account container in the same region, add a permission statement similar to OmicsAccessCrossAccount in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OmicsAccessPrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "omics.amazonaws.com"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        },
        {
            "Sid":"OmicsAccessCrossAccount",
            "Effect":"Allow",
            "Principal":{
                "AWS":"arn:aws:iam::{{AWS-account-ID}}:root"
            },
            "Action":[
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
           ]
        }
   ]
}