Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Resource permissions

PDF
RSS
Focus mode
Resource permissions - AWS HealthOmics
Lake Formation permissionsAmazon ECR permissions

AWS HealthOmics creates and accesses resources in other services on your behalf when you run a job or create a store. In some cases, you need to configure permissions in other services to access resources or to allow HealthOmics to access them.

Lake Formation permissions

Before you use analytics features in HealthOmics, configure default database settings in Lake Formation.

To configure resource permissions in Lake Formation

  1. Open the Data catalog settings page in the Lake Formation console.

  2. Uncheck the IAM access control requirements for databases and tables under Default permissions for newly created databases and tables.

  3. Choose Save.

HealthOmics Analytics auto accepts data if your service policy has the correct RAM permissions, such as the following example. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "omics:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:AcceptResourceShareInvitation",
        "ram:GetResourceShareInvitations"
      ],
      "Resource": "*"
    }
  ]
}

Amazon ECR permissions

Before the HealthOmics service can run a workflow in a container from your private Amazon ECR repository, you create a resource policy for the container. The policy grants permission for the HealthOmics service to use the container. You add this resource policy to each private repository referenced by the workflow.

Note

The private repository and the workflow must be in the same region.

The following sections describe the required policy configurations.

Create a resource policy for the Amazon ECR repository

Create a resource policy to allow the HealthOmics service to run a workflow using a container in the repository. The policy grants permission for the HealthOmics service principal to access the required Amazon ECR actions.

Follow these steps to create the policy:

  1. Open the private repositories page in the Amazon ECR console and select the repository you're granting access to.

  2. From the side bar navigation, select Permissions.

  3. Choose Edit JSON.

  4. Choose Add Statement.

  5. Add the following policy statement and then select Save Policy.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "omics workflow access",
            "Effect": "Allow",
            "Principal": {
                "Service": "omics.amazonaws.com"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

Amazon ECR repository policies for shared workflows

HealthOmics automatically allows a shared workflow to access the Amazon ECR repository while the workflow is running in the subscriber's account. You don't need to grant additional repository access for shared workflows.

By default, subscriber don’t have access to the Amazon ECR repository to use the underlying containers. Optionally, you can customize access to the Amazon ECR repository by adding condition keys to the repository's resource policy. The following sections provide example policies.

Restrict access to specific workflows

You can list individual workflows in a condition statement, so only these workflow can use containers in the repository. The SourceArn condition key specifies the ARN of the shared workflow. The following example grants permission for the specified workflow to use this repository. 

{
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "OmicsAccessPrincipal",
              "Effect": "Allow",
              "Principal": {
                  "Service": "omics.amazonaws.com"
              },
              "Action": [
                  "ecr:GetDownloadUrlForLayer",
                  "ecr:BatchGetImage",
                  "ecr:BatchCheckLayerAvailability"
              ]
          },
          "Condition": {
            "StringEquals": {
              "aws:SourceArn": "arn:aws:omics:us-east-1:1234678901:workflow/1234567"
            }
          }  
      ]
  }

Restrict access to specific accounts

You can list subscriber accounts in a condition statement, so that only these accounts have permission to use containers in the repository. The SourceAccount condition key specifies the AWS account of the subscriber. The following example grants permission for the specified account to use this repository.

{
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "OmicsAccessPrincipal",
              "Effect": "Allow",
              "Principal": {
                  "Service": "omics.amazonaws.com"
              },
              "Action": [
                  "ecr:GetDownloadUrlForLayer",
                  "ecr:BatchGetImage",
                  "ecr:BatchCheckLayerAvailability"
              ]
          },
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "123456789012"
            }
          }  
      ]
  }

You can also deny Amazon ECR permissions to specific subscribers, as shown in the following example policy.

{
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "OmicsAccessPrincipal",
              "Effect": "Allow",
              "Principal": {
                  "Service": "omics.amazonaws.com"
              },
              "Action": [
                  "ecr:GetDownloadUrlForLayer",
                  "ecr:BatchGetImage",
                  "ecr:BatchCheckLayerAvailability"
              ]
          },
          "Condition": {
            "StringNotEquals": {
              "aws:SourceAccount": "123456789012"
            }
          }  
      ]
  }

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.