Setup Account
You can use your own S3 bucket with Illumina Connected Analytics Genomic Data Store (GDS) for data storage. Your data will reside on the external storage account. ICA indexes the data records to use in analysis.
This section describes how to configure your AWS account to connect to GDS.
Make sure you have installed the AWS CLI and verified your installation using the documentation provided on the Amazon Web Services Website.
Create the GDS S3 bucket
If you have already created an S3 bucket to use with GDS, continue to Create and Configure the IAM user.
Make sure you consider the following before creating a bucket.
S3 buckets share a single global namespace across all of AWS. Each bucket requires a unique name and the name cannot be used for a bucket in another account.
S3 buckets are regional. Make sure you create the S3 bucket in the same region as the ICA environment you're using. In this document we'll be using us-east-1, but this may be different for you.
Use the following command to create the S3 bucket. Replace BUCKET_NAME with the name of your bucket.
If one of the following errors occurs, resolve as follows:
BucketAlreadyExists—Another account has a bucket that uses the same name. Enter a unique name.
InvalidLocationConstraint—The region was not specified in the command. Enter the correct region.
Verify that the bucket exists using the following command:
aws s3 ls
Block Public Access for the S3 bucket
Public access is enabled by default. To increase security on the bucket, block public access with the following command:
If you would like to block public access to S3 buckets on an account level, use the AWS Console on the Amazon Web Services website.
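A check to run after blocking public access, as an added example that is not part of the original page: it applies all four Block Public Access settings with the AWS CLI and confirms that each one reads back as true. The function name pab_missing and the SAMPLE_* values are constructed for illustration; BUCKET_NAME is the placeholder used on this page.

```shell
#!/usr/bin/env bash
# Added example: confirm that all four S3 Block Public Access settings are on.
# pab_missing and the SAMPLE_* values are hypothetical names for this sketch.

# Reads the JSON printed by `aws s3api get-public-access-block` on stdin.
# Prints the settings that are not true; returns 0 only if none are missing.
pab_missing() {
  _json=$(cat)
  _missing=""
  for _key in BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets; do
    if ! printf '%s' "$_json" | grep -Eq "\"$_key\"[[:space:]]*:[[:space:]]*true"; then
      _missing="$_missing $_key"
    fi
  done
  printf '%s' "${_missing# }"
  [ -z "$_missing" ]
}

# Constructed sample responses (not captured from a real account).
SAMPLE_OK='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}'
SAMPLE_PARTIAL='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": false, "BlockPublicPolicy": true, "RestrictPublicBuckets": false}}'

# Live use: runs only when BUCKET_NAME is set and the AWS CLI is installed.
if [ -n "${BUCKET_NAME:-}" ] && command -v aws >/dev/null 2>&1; then
  aws s3api put-public-access-block --bucket "$BUCKET_NAME" \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
  # A failed or empty read-back counts as "not blocked": every setting is reported.
  if gaps=$(aws s3api get-public-access-block --bucket "$BUCKET_NAME" --output json | pab_missing); then
    echo "public access fully blocked on $BUCKET_NAME"
  else
    echo "settings still off on $BUCKET_NAME: $gaps" >&2
    exit 1
  fi
fi
```

Run it with BUCKET_NAME exported; without it, the script only defines the function and the sample data.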
Create the IAM User and User Policy
Creating an IAM user allows the GDS service access to manage resources in your account. IAM users are global resources and do not require a region to be specified.
To create the IAM user, enter the following command:
To create the IAM user policy, create a local file named illumina-ica-admin-policy.json containing the following content. Replace ${BUCKET_NAME} with the actual name of your bucket.
Note that this provides access to any key within the bucket. Optionally, this can be limited to a specific prefix. If you do so, also enter the chosen prefix in the Volume Configuration when creating it in a subsequent step.
Use the following command to attach the policy to the illumina_ica_admin user.
The policy is identified by the AWS Resource Number, which includes your AWS account number. The command creates the policy, retrieves your AWS account number, and then attaches the policy to the user.
To create the access key for the illumina_ica_admin IAM user, enter the following command:
The command creates an access key ID and secret access key for the illumina_ica_admin IAM user.
The secret access key is sensitive and should be stored securely. The access key is only displayed when this command is executed and cannot be recovered. A new access key must be created if the secret access key is lost.
Create ICA Secret for an AWS IAM User
To connect your S3 account to GDS, you need to add a secret credential in ICA, and then add a key to that named secret. Only a domain administrator can connect an S3 account to GDS.
Log into the domain administrator account using the following command:
Create an aws_ica_user.json file in the following format containing the access key and secret access key.
To create an ICA secret for your AWS IAM user, enter the following command. In the command, the type value aws-user indicates that it's a secret for AWS IAM user credentials. Run this command to create a secret named aws_illumina_ica_admin.
Manage ICA Secrets
Use the following commands to manage secrets.
Get a Secret
To view additional data about the secret, use the secret get command. The command does not return the secret. After it is created, the secret cannot be retrieved or viewed.
Update a Secret
To update a secret, enter the following command.
Delete a Secret
To delete a secret, enter the following command.