Setting up permissions for export jobs
Before you export files from a data store, you must grant HealthLake permission to access your output bucket in Amazon S3. To grant HealthLake access, you create an IAM service role for HealthLake, add a trust policy to the role to grant HealthLake assume role permissions, and attach a permissions policy to role that grants it to access to your Amazon S3 bucket.
If you already created a role for HealthLake in Setting up permissions for import jobs, you can reuse it and grant it the additional permissions for your export Amazon S3 bucket listed in this topic. To learn more about IAM roles and trust policies, see IAM Policies and Permissions.
Important
HealthLake SDK export requests using StartFHIRExportJob
API operation and FHIR REST API export requests
using StartFHIRExportJobWithPost
API operation have separate IAM actions. Each IAM action, SDK export
with StartFHIRExportJob
and FHIR REST API export with StartFHIRExportJobWithPost
, can
have allow/deny permissions handled separately. If you want both SDK and FHIR REST API exports to be restricted, make
sure to deny permissions for each IAM action. If you give users full access to HealthLake, no IAM user permissions changes are required.
The user or role that sets up permissions must have permission to create roles, create policies, and attach policies to roles. The following IAM policy grants these permissions.
{ "Version": "2012-10-17", "Statement": [{ "Action": ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"], "Effect": "Allow", "Resource": "*" }, { "Action": "iam:PassRole" "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "healthlake.amazonaws.com" } } }] }
To set up export permissions
-
If haven't already, create a destination Amazon S3 bucket for the data you will export from your data store. The Amazon S3 bucket must be in the same AWS Region as the service, and Block Public Access must be turned on for all options. To learn more, see Using Amazon S3 block public access. An Amazon-owned or customer-owned KMS key must also be used for encryption. To learn more about using KMS keys, see Amazon Key Management Service.
-
If you haven't already, create a data access service role for HealthLake and give the HealthLake service permission to assume it with the following trust policy. HealthLake uses this to write the output Amazon S3 bucket. If you already created one in Setting up permissions for import jobs, you can reuse it and grant it permissions for your Amazon S3 bucket in the next step.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["healthlake.amazonaws.com"] }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "
your-account-id
" }, "ArnEquals": { "aws:SourceArn": "arn:aws:healthlake:us-west-2:account
:datastore/fhir/data store ID
" } } }] } -
Add a permissions policy to the data access role that allows it to access your output Amazon S3 bucket. Replace
amzn-s3-demo-bucket
with your bucket's name.{ "Version": "2012-10-17", "Statement": [{ "Action": [ "s3:ListBucket", "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration" ], "Resource": [ "arn:aws:s3:::
amzn-s3-demo-source-bucket
" ], "Effect": "Allow" }, { "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-logging-bucket
/*" ], "Effect": "Allow" }, { "Action": [ "kms:DescribeKey", "kms:GenerateDataKey*" ], "Resource": [ "arn:aws:kms:us-east-1:012345678910:key/d330e7fc-b56c-4216-a250-f4c43ef46e83" ], "Effect": "Allow" }] }