IAM User Method

To use the IAM user method, you need to:

Set browser access to the S3 bucket (CORS).
Create data access permissions (IAM policy).
Create the IAM user and AWS access key and propagate them to ICA.
To use copy and move operations, you need to add the necessary policy statements in the S3 bucket policy.

Optional steps:

It is also best practice to block public access to the S3 bucket.
If your bucket is KMS-enabled, follow the additional steps described here.

1 - Configure Bucket CORS Permission

ICA requires cross-origin resource sharing (CORS) permissions to write to the S3 bucket for uploads via the browser. Refer to Configuring cross-origin resource sharing (CORS) (expand the Using the S3 console section) documentation for instructions on enabling CORS via the AWS Management Console.

In the cross-origin resource sharing (CORS) section, enter the following content.

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "HEAD",
            "GET",
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "https://ica.illumina.com"
        ],
        "ExposeHeaders": [
            "ETag",
            "x-amz-meta-custom-header"
        ]
    }
]

2 - Create Data Access Permission - AWS IAM Policy

ICA requires specific permissions to access data in an AWS S3 bucket. These permissions are contained in an AWS IAM Policy.

Permissions

Refer to the Creating policies on the JSON tab documentation for instructions on creating an AWS IAM Policy via the AWS Management Console. Use the configuration below during the process, tab one shows the code for unversioned buckets, tab two the code for versioned and versioning-suspended buckets.

Paste the JSON policy document below. Note the example below provides access to all object prefixes in the bucket.

Replace <YOUR_BUCKET_NAME> with the name of the S3 bucket you created for ICA. Replace <YOUR_FOLDER_NAME> with the name of the folder in your S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketNotification",
                "s3:ListBucket",
                "s3:GetBucketNotification",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<YOUR_BUCKET_NAME>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:RestoreObject",
                "s3:DeleteObject",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/<YOUR_FOLDER_NAME>/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetFederationToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

On Versioned OR Suspended buckets, paste the JSON policy document below. Note the example below provides access to all objects prefixes in the bucket.

Replace <YOUR_BUCKET_NAME> with the name of the S3 bucket you created for ICA. Replace <YOUR_FOLDER_NAME> with the name of the folder in your S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketNotification",
                "s3:ListBucket",
                "s3:GetBucketNotification",
                "s3:GetBucketLocation",
                "s3:ListBucketVersions",
                "s3:GetBucketVersioning"
            ],
            "Resource": [
                "arn:aws:s3:::<YOUR_BUCKET_NAME>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:RestoreObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/<YOUR_FOLDER_NAME>/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetFederationToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

(Optional) Set policy name to "illumina-ica-admin-policy"

To create the IAM Policy via the AWS CLI, create a local file named illumina-ica-admin-policy.json containing the policy content above and run the following command. Be sure the path to the policy document (--policy-document) leads to the path where you saved the file:

aws iam create-policy --policy-name illumina-ica-admin-policy --policy-document file://illumina-ica-admin-policy.json

3 - Create AWS IAM User

An AWS IAM User is needed to create an Access Key for ICA to connect to the AWS S3 Bucket. The policy will be attached to the IAM user to grant the user the necessary permissions.

Refer to the Creating IAM users (console) documentation for instructions on creating an AWS IAM User via the AWS Management Console. Use the following configuration during the process:

(optional) Set user name to "illumina_ica_admin"
Select the Programmatic access option for the type of access.
Select Attach existing policies directly when setting the permissions, and choose the policy created in Create AWS IAM Policy.
(Optional) Retrieve the Access Key ID and Secret Access Key by choosing to Download .csv.

To create the IAM user and attach the policy via the AWS CLI, enter the following command (AWS IAM users are global resources and do not require a region to be specified). This command creates an IAM user illumina_ica_admin, retrieves your AWS account number, and then attaches the policy to the user.

aws iam create-user --user-name illumina_ica_admin
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
aws iam attach-user-policy --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/illumina-ica-admin-policy --user-name illumina_ica_admin

4. -Create AWS Access Key

If the Access Key information was retrieved during the IAM user creation, skip this step.

Refer to the Managing access keys (console) AWS documentation for instructions on creating an AWS Access Key via the AWS Console. See the "To create, modify, or delete another IAM user's access keys (console)" sub-section.

Use the command below to create the Access Key for the illumina_ica_admin IAM user. Note the SecretAccessKey is sensitive and should be stored securely. The access key is only displayed when this command is executed and cannot be recovered. A new access key must be created if it is lost.

aws iam create-access-key --user-name illumina_ica_admin

    "AccessKey": {
        "UserName": "illumina_ica_admin",
        "AccessKeyId": "<access key id>",
        "Status": "Active",
        "SecretAccessKey": "<secret access key>",
        "CreateDate": "2020-10-22 09:42:24+00:00"
    }

The AccessKeyId and SecretAccessKey values will be provided to ICA in the next step.

5 - S3 Bucket Policy

Connecting your S3 bucket to ICA does not require any additional bucket policies.

What if you need a bucket policy for use cases beyond ICA?

The bucket policy must then support the essential permissions needed by ICA without inadvertently restricting its functionality.

Be sure to replace the following fields:

YOUR_BUCKET_NAME: Replace this field with the name of the S3 bucket you created for ICA.
YOUR_ACCOUNT_ID: Replace this field with your account ID number.
YOUR_IAM_USER: Replace this field with the name of your IAM user created for ICA.

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Deny",
             "Principal": {
                 "AWS": "*"
             },
             "Action": [
                 "s3:PutObject",
                 "s3:GetObject",
                 "s3:RestoreObject",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:GetObjectVersion",
                 "s3:GetObjectTagging",
                 "s3:PutObjectTagging"
             ],
             "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
             "Condition": {
                 "ArnNotLike": {
                     "aws:PrincipalArn": [
                         "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_IAM_USER",
                         "arn:aws:sts::YOUR_ACCOUNT_ID:federated-user/*"
                     ]
                 }
             }
         }
     ]
 }

In this example, restriction is enabled on the bucket policy to prevent any kind of access to the bucket. However, there is an exception rule added for the IAM user that ICA is using to connect to the S3 bucket. The exception rule is allowing ICA to perform the above S3 action permissions necessary for ICA functionalities.

Additionally, the exception rule is applied to the STS federated user session principal associated with ICA. Since ICA leverages the AWS STS to provide temporary credentials that allow users to perform actions on the S3 bucket, it is crucial to include these STS federated user session principals in your policy's whitelist. Failing to do so could result in 403 Forbidden errors when users attempt to interact with the bucket's objects using the provided temporary credentials.

6 - Block Public Access to S3 bucket (optional)

By default, public access to the S3 bucket is allowed. For increased security, it is advised to block public access with the following command below. Change <YOUR_BUCKET_NAME> to the name of your S3 bucket.

aws s3api put-public-access-block --bucket <YOUR_BUCKET_NAME> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

To block public access to S3 buckets on account level, you can use the AWS Console on the Amazon Web Services website.

7 - Create ICA Storage Credential

To connect your S3 account to ICA, you need to add a storage credential in ICA containing the Access Key ID and Access Key created in the previous step. From the ICA home screen, navigate to System Settings > Credentials > Create > Storage Credential to create a new storage credential.

Provide a name for the storage credentials, ensure the type is set to "AWS user" and provide the Access Key ID and Secret Access Key.

With the secret credentials created, a storage configuration can be created using the secret credential. Refer to the instructions to Create a Storage Configuration for details.

The key prefix is mandatory in your storage credentials if you created a folder as recommended in step 2 data access permissions.

8 - Enabling Cross-Account Access for Copy and Move Operations

ICA uses AssumeRole to copy and move objects from a bucket in an AWS account to another bucket in another AWS account. To allow cross account access to a bucket, the following policy statements must be added in the S3 bucket policy:

Be sure to replace the following fields:

<ASSUME_ROLE_ARN>: Replace this field with the ARN of the cross account role you want to give permission to. Refer to the table below to determine which region-specific Role ARN should be used.
<YOUR_BUCKET_NAME>: Replace this field with the name of the S3 bucket you created for ICA.

  {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountAccess",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<ASSUME_ROLE_ARN>"
                },
                "Action": [
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:ListMultipartUploadParts",
                    "s3:AbortMultipartUpload",
                    "s3:GetObject",
                    "s3:GetObjectTagging",
                    "s3:PutObjectTagging"
                ],
                "Resource": [
                    "arn:aws:s3:::<YOUR_BUCKET_NAME>",
                    "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
                ]
            }
        ]
    }

  {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountAccess",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<ASSUME_ROLE_ARN>"
                },
                "Action": [
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:ListMultipartUploadParts",
                    "s3:AbortMultipartUpload",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:DeleteObjectVersion"
                ],
                "Resource": [
                    "arn:aws:s3:::<YOUR_BUCKET_NAME>",
                    "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
                ]
            }
        ]
    }

The ARN of the cross account role you want to give permission to is specified in the Principal. Refer to the table below to determine which region-specific Role ARN should be used.

Region

Role ARN

Australia (AU)

arn:aws:iam::079623148045:role/ica_aps2_crossacct

Canada (CA)

arn:aws:iam::079623148045:role/ica_cac1_crossacct

Germany (EU)

arn:aws:iam::079623148045:role/ica_euc1_crossacct

India (IN)

arn:aws:iam::079623148045:role/ica_aps3_crossacct

Indonesia (ID)

arn:aws:iam::079623148045:role/ica_aps4_crossacct

Israel (IL)

arn:aws:iam::079623148045:role/ica_ilc1_crossacct

Japan (JP)

arn:aws:iam::079623148045:role/ica_apn1_crossacct

Singapore (SG)

arn:aws:iam::079623148045:role/ica_aps1_crossacct

South Korea (KR)

arn:aws:iam::079623148045:role/ica_apn2_crossacct

UK (GB)

arn:aws:iam::079623148045:role/ica_euw2_crossacct

United Arab Emirates (AE)

arn:aws:iam::079623148045:role/ica_mec1_crossacct

United States (US)

arn:aws:iam::079623148045:role/ica_use1_crossacct

Enable Copying Object Tags (optional)

You can enable copying object tags when performing Copy, Move, Archive and Unarchive Operations within the same account or across accounts when using your own S3 storage.

If you want to use copying of your tags,

Contact Illumina support to enable TaggingPermissionType on the ICA Storage Configuration record associated with the S3 bucket with Object tags.
Verify you have the required permission in your policies
- In the configuration above, the s3:GetObjectTagging and s3:PutObjectTagging are part of the IAM Policy.
- s3:GetObjectTagging and s3:PutObjectTagging are part of the S3 Bucket policy.
- For cross-account copy or move operations, s3:GetObjectTagging and s3:PutObjectTagging are included in the cross-account access bucket policy.

PreviousConnect AWS S3 Bucket NextIAM Role Method

Last updated 1 day ago

Was this helpful?

hashtag1 - Configure Bucket CORS Permission

hashtag2 - Create Data Access Permission - AWS IAM Policy

hashtagPermissions

hashtag(Optional) Set policy name to "illumina-ica-admin-policy"

hashtag3 - Create AWS IAM User

hashtag4. -Create AWS Access Key

hashtag5 - S3 Bucket Policy

hashtag6 - Block Public Access to S3 bucket (optional)

hashtag7 - Create ICA Storage Credential

hashtag8 - Enabling Cross-Account Access for Copy and Move Operations

hashtagEnable Copying Object Tags (optional)

1 - Configure Bucket CORS Permission

2 - Create Data Access Permission - AWS IAM Policy

Permissions

(Optional) Set policy name to "illumina-ica-admin-policy"

3 - Create AWS IAM User

4. -Create AWS Access Key

5 - S3 Bucket Policy

6 - Block Public Access to S3 bucket (optional)

7 - Create ICA Storage Credential

8 - Enabling Cross-Account Access for Copy and Move Operations

Enable Copying Object Tags (optional)