# IAM User Method To use the IAM user method, you need to: * [Set browser access](#id-1-configure-bucket-cors-permission) to the S3 bucket (CORS). * Create [data access permissions](#id-2-create-data-access-permission-aws-iam-policy) (IAM policy). * Create the [IAM user](#id-3-create-aws-iam-user) and [AWS access key](#id-4.-create-aws-access-key) and [propagate them](#id-7-create-ica-storage-credential) to ICA. * To use copy and move operations, you need to add the necessary [policy statements](#id-8-enabling-cross-account-access-for-copy-and-move-operations) in the S3 bucket policy. Optional steps: * It is also best practice to [block public access](#id-6-block-public-access-to-s3-bucket-optional) to the S3 bucket. * If your bucket is KMS-enabled, follow the additional steps described [here](https://help.ica.illumina.com/home/h-storage/s-awss3/s-sse-kms). ## 1 - Configure Bucket CORS Permission ICA requires **cross-origin resource sharing (CORS) permissions** to write to the S3 bucket for uploads via the browser. Refer to [Configuring cross-origin resource sharing (CORS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html) (expand the *Using the S3 console* section) documentation for instructions on enabling CORS via the **AWS Management Console**. In the cross-origin resource sharing (CORS) section, enter the following content. ```json [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "HEAD", "GET", "PUT", "POST", "DELETE" ], "AllowedOrigins": [ "https://ica.illumina.com" ], "ExposeHeaders": [ "ETag", "x-amz-meta-custom-header" ] } ] ``` ## 2 - Create Data Access Permission - AWS IAM Policy ICA requires specific permissions to access data in an AWS S3 bucket. These permissions are contained in an **AWS IAM Policy**. #### Permissions Refer to the [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) documentation for instructions on creating an **AWS IAM Policy via the AWS Management Console**. Use the configuration below during the process, **tab one** shows the code for unversioned buckets, **tab two** the code for versioned and versioning-suspended buckets. {% tabs %} {% tab title="Unversioned buckets" %} Paste the JSON policy document below. Note the example below provides access to all object prefixes in the bucket. {% hint style="warning" %} Replace **\** with the name of the S3 bucket you created for ICA. Replace **\** with the name of the folder in your S3 bucket. {% endhint %} 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketNotification",
                "s3:ListBucket",
                "s3:GetBucketNotification",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<YOUR_BUCKET_NAME>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:RestoreObject",
                "s3:DeleteObject",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/<YOUR_FOLDER_NAME>/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetFederationToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
{% endtab %} {% tab title="Versioned/Suspended Buckets" %} On **Versioned OR Suspended** buckets, paste the JSON policy document below. Note the example below provides access to all objects prefixes in the bucket. {% hint style="warning" %} Replace **\** with the name of the S3 bucket you created for ICA. Replace **\** with the name of the folder in your S3 bucket. {% endhint %} ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutBucketNotification", "s3:ListBucket", "s3:GetBucketNotification", "s3:GetBucketLocation", "s3:ListBucketVersions", "s3:GetBucketVersioning" ], "Resource": [ "arn:aws:s3:::" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:RestoreObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:PutObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectVersionTagging" ], "Resource": "arn:aws:s3::://*" }, { "Effect": "Allow", "Action": [ "sts:GetFederationToken" ], "Resource": [ "*" ] } ] } ``` {% endtab %} {% endtabs %} #### (Optional) Set policy name to "illumina-ica-admin-policy" To create the **IAM Policy via the AWS CLI,** create a local file named `illumina-ica-admin-policy.json` containing the policy content above and run the following command. Be sure the path to the policy document (`--policy-document`) leads to the path where you saved the file: ```bash aws iam create-policy --policy-name illumina-ica-admin-policy --policy-document file://illumina-ica-admin-policy.json ``` ## 3 - Create AWS IAM User An AWS IAM User is needed to create an Access Key for ICA to connect to the AWS S3 Bucket. The policy will be attached to the IAM user to grant the user the necessary permissions. Refer to the [Creating IAM users (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) documentation for instructions on **creating an AWS IAM User via the AWS Management Console**. Use the following configuration during the process: * (optional) Set user name to "illumina\_ica\_admin" * Select the **Programmatic access** option for the type of access. * Select **Attach existing policies directly** when setting the permissions, and choose the policy created in [Create AWS IAM Policy](#create-aws-iam-policy). * (Optional) Retrieve the Access Key ID and Secret Access Key by choosing to **Download .csv.** To **create the IAM user and attach the policy via the AWS CLI,** enter the following command (AWS IAM users are global resources and do not require a region to be specified). This command creates an IAM user `illumina_ica_admin`, retrieves your AWS account number, and then attaches the policy to the user. ```bash aws iam create-user --user-name illumina_ica_admin ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) aws iam attach-user-policy --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/illumina-ica-admin-policy --user-name illumina_ica_admin ``` ## 4. -Create AWS Access Key {% hint style="warning" %} If the Access Key information was retrieved during the [IAM user creation](#id-3-create-aws-iam-user), skip this step. {% endhint %} Refer to the [Managing access keys (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) AWS documentation for instructions on creating an **AWS Access Key via the AWS Console**. See the "To create, modify, or delete another IAM user's access keys (console)" sub-section. Use the command below to create the Access Key for the illumina\_ica\_admin IAM user. Note the `SecretAccessKey` is sensitive and should be stored securely. The access key is only displayed when this command is executed and cannot be recovered. **A new access key must be created if it is lost**. ```bash aws iam create-access-key --user-name illumina_ica_admin "AccessKey": { "UserName": "illumina_ica_admin", "AccessKeyId": "", "Status": "Active", "SecretAccessKey": "", "CreateDate": "2020-10-22 09:42:24+00:00" } ``` The `AccessKeyId` and `SecretAccessKey` values will be provided to ICA in the next step. ## 5 - S3 Bucket Policy Connecting your S3 bucket to ICA does not require any additional bucket policies.
What if you need a bucket policy for use cases beyond ICA? The bucket policy must then support the essential permissions needed by ICA without inadvertently restricting its functionality. {% hint style="warning" %} Be sure to replace the following fields: * YOUR\_BUCKET\_NAME: Replace this field with the name of the S3 bucket you created for ICA. * YOUR\_ACCOUNT\_ID: Replace this field with your account ID number. * YOUR\_IAM\_USER: Replace this field with the name of your IAM user created for ICA. {% endhint %} ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": [ "s3:PutObject", "s3:GetObject", "s3:RestoreObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:PutObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectVersionTagging" ], "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*", "Condition": { "ArnNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_IAM_USER", "arn:aws:sts::YOUR_ACCOUNT_ID:federated-user/*" ] } } } ] } ``` In this example, **restriction is enabled** on the bucket policy to prevent any kind of access to the bucket. However, there is an **exception** **rule** added **for the IAM user** that ICA is using to connect to the S3 bucket. The exception rule is allowing ICA to perform the above S3 action permissions necessary for ICA functionalities. Additionally, the exception rule is applied to the STS federated user session principal associated with ICA. Since ICA leverages the **AWS STS to provide temporary credentials** that allow users to perform actions on the S3 bucket, it is crucial to include these STS federated user session principals in your policy's whitelist. Failing to do so could result in 403 Forbidden errors when users attempt to interact with the bucket's objects using the provided temporary credentials.
## 6 - Block Public Access to S3 bucket (optional) By default, public access to the S3 bucket is allowed. For increased security, it is advised to **block public access** with the following command below. Change `` to the name of your S3 bucket. ``` aws s3api put-public-access-block --bucket --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" ``` To block public access to S3 buckets on account level, you can use the AWS Console on the [Amazon Web Services](https://aws.amazon.com/console/) website. ## 7 - Create ICA Storage Credential ### Storage Credential To connect your S3 account to ICA, you need to add a storage credential in ICA containing the Access Key ID and Access Key created in the previous step. **From the ICA home screen**, navigate to **System Settings > Credentials** > **Create > Storage Credential** to create a new storage credential. Provide a **name** for the storage credentials, ensure the type is set to "AWS user" and provide the **Access Key ID** and **Secret Access Key**. {% hint style="info" %} The key prefix is mandatory in your storage credentials if you created a folder as recommended in step 2 [data access permissions](#id-2-create-data-access-permission-aws-iam-policy). {% endhint %} ### Storage Configuration Once the storage credentials are present, create a **storage configuration** using the secret credential. Refer to [Create a Storage Configuration](https://help.ica.illumina.com/home/h-storage/..#create-a-storage-configuration) for details. ## 8 - Enabling Cross-Account Access for Copy and Move Operations ICA uses **AssumeRole** to copy and move objects from a bucket in an AWS account to another bucket in another AWS account. To allow cross account access to a bucket, the following policy statements must be **added in the S3 bucket policy:** {% hint style="warning" %} Be sure to replace the following fields: * **\**: Replace this field with the ARN of the cross account role you want to give permission to. Refer to the table below to determine which region-specific Role ARN should be used. * **\**: Replace this field with the name of the S3 bucket you created for ICA. {% endhint %} {% tabs %} {% tab title="Unversioned" %} ```json { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCrossAccountAccess", "Effect": "Allow", "Principal": { "AWS": "" }, "Action": [ "s3:PutObject", "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload", "s3:GetObject", "s3:GetObjectTagging", "s3:PutObjectTagging" ], "Resource": [ "arn:aws:s3:::", "arn:aws:s3:::/*" ] } ] } ``` {% endtab %} {% tab title="Versioned or Suspended" %} ```json { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCrossAccountAccess", "Effect": "Allow", "Principal": { "AWS": "" }, "Action": [ "s3:PutObject", "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion", "s3:GetObjectTagging", "s3:PutObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectVersionTagging" ], "Resource": [ "arn:aws:s3:::", "arn:aws:s3:::/*" ] } ] } ``` {% endtab %} {% endtabs %} The ARN of the cross account role you want to give permission to is specified in the Principal. Refer to the table below to determine which region-specific Role ARN should be used.
RegionRole ARN
Australia (AU)arn:aws:iam::079623148045:role/ica_aps2_crossacct
Canada (CA)arn:aws:iam::079623148045:role/ica_cac1_crossacct
Germany (EU)arn:aws:iam::079623148045:role/ica_euc1_crossacct
India (IN)arn:aws:iam::079623148045:role/ica_aps3_crossacct
Indonesia (ID)arn:aws:iam::079623148045:role/ica_aps4_crossacct
Israel (IL)arn:aws:iam::079623148045:role/ica_ilc1_crossacct
Japan (JP)arn:aws:iam::079623148045:role/ica_apn1_crossacct
Singapore (SG)arn:aws:iam::079623148045:role/ica_aps1_crossacct
South Korea (KR)arn:aws:iam::079623148045:role/ica_apn2_crossacct
UK (GB)arn:aws:iam::079623148045:role/ica_euw2_crossacct
United Arab Emirates (AE)arn:aws:iam::079623148045:role/ica_mec1_crossacct
United States (US)arn:aws:iam::079623148045:role/ica_use1_crossacct
## Enable Copying Object Tags (optional) You can enable copying object tags when performing **Copy**, **Move**, **Archive** and **Unarchive** Operations within the same account or across accounts when using your own S3 storage. If you want to use copying of your tags, * **Contact Illumina support to enable TaggingPermissionType** on the ICA Storage Configuration record associated with the S3 bucket with Object tags. * Verify you have the required permission in your policies * In the configuration above, the **s3:GetObjectTagging** and **s3:PutObjectTagging** are part of the [IAM Policy](#id-2-create-data-access-permission-aws-iam-policy). * **s3:GetObjectTagging** and **s3:PutObjectTagging** are part of the [S3 Bucket policy](#id-6-s3-bucket-policy). * For cross-account copy or move operations, **s3:GetObjectTagging** and **s3:PutObjectTagging** are included in the [cross-account access bucket policy](#id-8-enabling-cross-account-access-for-copy-and-move-operations).