Amazon function list required to run Omicsoft On Cloud
From Array Suite Wiki
Example policy statement
For OmicSoft Server to perform cloud-based NGS analysis, you will need to define certain IAM permissions through the AWS console at https://aws.amazon.com.
- Create the policy below, making sure to specify a real bucket (not ***s3folderExampleUseYourBucketName***)
- Create a new IAM user
- Create a new role
- Then attach the same policy to the role AND to the user.
- Copy the AccessKey/SecretKey of the new user and the InstanceProfileArn of the role to configure the Cloud section of the ArrayServer.cfg configuration file.
- Create a keypair (the keypair used to launch instances) named "Omicsoft.Launching".
- Keep this Omicsoft.Launching.PEM file in a safe place!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ArrayServerEC2",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:ListInstanceProfiles",
        "iam:ListRolePolicies",
        "ec2:Describe*",
        "ec2:AttachVolume",
        "ec2:CreateVolume",
        "ec2:CreateTags",
        "ec2:GetConsoleOutput",
        "ec2:ModifyInstanceAttribute",
        "ec2:RequestSpotInstances",
        "ec2:CancelSpotInstanceRequests",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DetachVolume",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ArrayServerSQS",
      "Effect": "Allow",
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:DeleteQueue",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfOmicsoftBucket",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject*",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::s3folderExampleUseYourBucketName",
        "arn:aws:s3:::s3folderExampleUseYourBucketName/*"
      ]
    }
  ]
}
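The script below is an added example, not Omicsoft's code and not part of the original page. It fills the bucket placeholder into the policy above, lints the result before it is uploaded (placeholder still present, S3 object access not limited to one bucket, iam:PassRole allowed on every role) and generates the trust policy the new role needs so that only EC2 can assume it. The bucket name, role name and account id in the usage block are constructed placeholders, and moving iam:PassRole into its own statement scoped to the role ARN is an added hardening of the page's policy, not something the page itself does.

```python
"""Render and sanity-check the OmicSoft cloud IAM policy before uploading it."""
import copy
import json
import re

PLACEHOLDER = "s3folderExampleUseYourBucketName"

# Constructed copy of the page's example policy, same actions listed compactly.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ArrayServerEC2", "Effect": "Allow",
         "Action": ["iam:PassRole", "iam:ListInstanceProfiles", "iam:ListRolePolicies",
                    "ec2:Describe*", "ec2:AttachVolume", "ec2:CreateVolume", "ec2:CreateTags",
                    "ec2:GetConsoleOutput", "ec2:ModifyInstanceAttribute",
                    "ec2:RequestSpotInstances", "ec2:CancelSpotInstanceRequests",
                    "ec2:RunInstances", "ec2:StartInstances", "ec2:DeleteTags",
                    "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:StopInstances",
                    "ec2:TerminateInstances"],
         "Resource": ["*"]},
        {"Sid": "ArrayServerSQS", "Effect": "Allow",
         "Action": ["sqs:ChangeMessageVisibility", "sqs:CreateQueue", "sqs:DeleteMessage",
                    "sqs:DeleteQueue", "sqs:ReceiveMessage", "sqs:SendMessage",
                    "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListQueues"],
         "Resource": "*"},
        {"Sid": "AllowGroupToSeeBucketListInTheConsole", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "AllowRootAndHomeListingOfOmicsoftBucket", "Effect": "Allow",
         "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject*",
                    "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads",
                    "s3:ListMultipartUploadParts", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{PLACEHOLDER}", f"arn:aws:s3:::{PLACEHOLDER}/*"]},
    ],
}

# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit, no consecutive dots.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name):
    return bool(BUCKET_RE.match(name)) and ".." not in name


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render_policy(bucket, pass_role_arn=None):
    """Return the policy with the placeholder replaced by `bucket`.

    If `pass_role_arn` is given, iam:PassRole is moved into its own statement
    scoped to that role (added hardening; the page's policy allows it on '*').
    """
    if not is_valid_bucket_name(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    policy = copy.deepcopy(POLICY_TEMPLATE)
    for stmt in policy["Statement"]:
        stmt["Resource"] = [r.replace(PLACEHOLDER, bucket) for r in _as_list(stmt["Resource"])]
    if pass_role_arn:
        ec2 = next(s for s in policy["Statement"] if s["Sid"] == "ArrayServerEC2")
        ec2["Action"].remove("iam:PassRole")
        policy["Statement"].append({"Sid": "ArrayServerPassRole", "Effect": "Allow",
                                    "Action": ["iam:PassRole"], "Resource": [pass_role_arn]})
    return policy


def lint_policy(policy):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if any(PLACEHOLDER in r for r in resources):
            findings.append(f"{sid}: placeholder bucket name still present")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(f"{sid}: iam:PassRole on Resource '*' lets this identity "
                            "attach any role in the account to instances")
        # Bucket-wide listing actions are expected on arn:aws:s3:::*; object actions are not.
        object_actions = [a for a in actions if a.startswith("s3:")
                          and a not in ("s3:ListAllMyBuckets", "s3:GetBucketLocation")]
        if object_actions and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"{sid}: S3 object access is not limited to one bucket")
    return findings


def ec2_trust_policy():
    """Trust policy for the instance role: only the EC2 service may assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    # Constructed placeholder names; replace with your own bucket, account and role.
    pol = render_policy("example-omicsoft-bucket",
                        "arn:aws:iam::123456789012:role/OmicsoftCloudRole")
    print(json.dumps(pol, indent=2))
    print(json.dumps(ec2_trust_policy(), indent=2))
    print("findings:", lint_policy(pol))
```

Run it with your own bucket and role ARN, save the two printed documents, and feed them to the policy and role creation steps above; an empty findings list is the state you want before attaching the policy to the user and the role.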
Amazon S3
- GetBucketLocation
- ListBuckets
- PutBucket
- DeleteBucket
- PutObject
- ListObjects
- DeleteObject
- DeleteObjects
- CopyObject
- GetObjectMetadata
- GetObject
- TransferUtilityUpload
- TransferUtilityDownload
- InitiateMultipartUpload
- UploadPart
- CompleteMultipartUpload
- AbortMultipartUpload
Both the ArrayServer machine and the EC2 instances use key pairs to access the S3 bucket folders.
Amazon EC2
All of the following are required:
- DescribeAvailabilityZones
- DescribeRegions
- DescribeVolumes
- DeleteVolume
- DeleteVolumes
- CreateVolume
- AttachVolume
- RunInstances
- TerminateInstances
- StopInstances
- StartInstances
- DescribeInstances
- DescribeInstanceStatus
- GetConsoleOutput
- DescribeKeyPairs
- CreateKeyPair (if this is not possible, the Omicsoft.Launching key pair must be created manually and its .pem file downloaded and saved in a secure place)
- DescribeTags
- CreateTags
- DeleteTags
- ModifyInstanceAttribute
Amazon EC2/IAM
The following are optional if InstanceProfileArn is provided.
- ListInstanceProfiles
- ListRoles
- ListRolePolicies
- PutRolePolicy
- CreateRole
- CreateInstanceProfile
- AddRoleToInstanceProfile
Amazon SQS
- ListQueues
- SendMessage
- ReceiveMessage
- CreateQueue
- DeleteQueue
- DeleteMessage