# DRAGEN Cloud FPGA BYOL

Credential based authentication is required for users that run DRAGEN on the cloud with the Bring-Your-Own-License (BYOL) model. DRAGEN must have access to the DRAGEN License server at runtime, license.dragen.illumina.com.

To verify connectivity to the license server, you can query the healthcheck endpoint which will return a 200 status code and a small JSON body if successful.

```
curl https://license.dragen.illumina.com/healthcheck/version --header 'Content-Type: application/json'
{"version":"<server version>"}
```

## Running DRAGEN Cloud BYOL with Credential Licensing

BYOL users must provide credentials to DRAGEN at runtime, using one of two options.

### Providing Credentials via License Credentials File

The suggested method for specifying your credentials is through a file passed in to DRAGEN at runtime. The file can be pointed to using the option `--lic-credentials <path to file>` or an environment variable containing the path to this file, `DRAGEN_LICENSE_CREDENTIALS_FILE`. This method provides a more secure way to pass credentials, which avoids accidental credentials leaks from command line console logs.

The License Credentials File should be formatted as follows;

```
credentials-1=<username>
credentials-2=<password>
```

Notes:

* The option `--lic-credentials` is only supported in DRAGEN versions 4.2+.
* The environment variable `DRAGEN_LICENSE_CREDENTIALS_FILE` is only supported in DRAGEN versions 4.5+.
* When using DRAGEN 4.5+, an S3 path can be provided to retrieve the file such that it is not needed on the local instance, see the Networked Streaming portion of the user guide for more information.

Domain Note: when using the License Credentials file, a default license server domain will be used based off the version of DRAGEN being used;

* DRAGEN 4.4 and above: <https://license.dragen.illumina.com>
* DRAGEN 4.3 and earlier: <https://license.edicogenome.com>

  * If you wish to override this behavior, you can add the credentials-3 option to the credentials file. Note, do not specify the protocol (i.e. https).

  ```
  credentials-3=license.dragen.illumina.com
  ```

### Providing Credentials via Command Line

Alternatively, you can simply provide your credentials over the command line using the option `--lic-server <license server URL with credentials>`.

The license server URL should be formatted as follows;

```
https://<username>:<password>@license.dragen.illumina.com
```

## Retrieving License Information and usage using dragen\_lic

There are two options for retrieving information and usage for your licenses using the packaged dragen\_lic tool. Examples for each one are below.

* Basic Output (i.e. no additional arguments). This is the recommended method to view license information by a human user as the output is more readable.
* JSON Output (i.e. using the -j flag). This is the recommended method to view license information by a machine user as the output is already in a machine readable JSON format.

**Note**: Just like running DRAGEN as noted above, you must specify your credentials using the `--lic-credentials` or `--lic-server` command line options.

Note: Retrieving license information using the dragen\_lic tool is only supported on DRAGEN 4.4 and above.

```
$ dragen_lic --lic-credentials my_credentials.cfg
```

```
User: <username>
DRAGEN Version: <DRAGEN version>
Time: <time>

DRAGEN Core:
    Status: Active
    Used: 68.0 Gbases since 2023-Dec-05
    Quota: 100250 Gbases
    Expiry: 2024-Feb-13
    Includes; Genome, JointGenotype, CNV, Somatic, Transcriptome License(s)

Compression:
    Status: Active - !!! EXPIRING IN LESS THAN 30 DAYS !!!
    Used: 0 Gbases since 2024-Jan-12
    Quota: Unlimited
    Expiry: 2024-Feb-13
```

```
$ dragen_lic --lic-credentials my_credentials.cfg -j
```

```
{"dragen_boards":[{"user":"<username>","installed_licenses":{"Compression":[{"expiry":"2025-Mar-19","quota_limit":100250,"start":"2023-Dec-01","status":"Active","units":"Gbases","used":5223}],"TSO500Combined":[{"expiry":"2050-Jan-01","quota_limit":-1,"start":"2022-Jul-13","status":"Active","units":"Gbases","used":23518284}],"TSO500_HRD":[{"expiry":"2024-Feb-13","quota_limit":-1,"start":"2021-Oct-13","status":"Active","units":"Gbases","used":0}],"Dragen_Core":[{"expiry":"2024-Feb-13","includes":{"CNV":{"expiration":"2025-Mar-19","status":"Active"},"Genome":{"expiration":"2024-Feb-13","status":"Active"},"JointGenotype":{"expiration":"2025-Mar-19","status":"Active"},"Somatic":{"expiration":"2025-Mar-19","status":"Active"},"Transcriptome":{"expiration":"2025-Mar-19","status":"Active"}},"quota_limit":-1,"start":"2023-Oct-14","status":"Active","units":"Gbases","used":79708}]}}],"generated":"<ISO time>"}
```

## Retrieving License Information and usage using API endpoint

Alternatively, you can retrieve license information and usage using our License Server endpoint specified below without the use of DRAGEN. License information is returned in a JSON format.

GET request to <https://license.dragen.illumina.com/api/v2/query\\_quota>. Your user credentials must be provided as a Basic Authorization header. An example of this using the curl tool is shown below.

```
curl https://license.dragen.illumina.com/api/v2/query_quota --user <username>:<password>
```

```
{"user": "<username>", "credential_expiration": "<date>", "generated": "<date>", "licenses": [{"pipeline": "Compression", "start": "2024-12-02T00:00:00Z", "expiration": "2025-03-02T00:00:00Z", "quota_limit": 2.5, "usage": 0, "units": "Tbases"}, {"pipeline": "Genome", "start": "2024-12-02T00:00:00Z", "expiration": "2025-03-02T00:00:00Z", "quota_limit": 2.5, "usage": 0.727295399, "units": "Tbases"}], "per-pipeline-licenses": true, "message": "Active Licenses Found"}
```

## Instance Identity

DRAGEN Cloud runs access the local instance identity document via the Instance Metadata Service to be used with credential authentication. It uses the IPv4 local address. If access to the local address is not allowed, authentication will fail.

Alternately, the user may save the instance identity document(s) and point DRAGEN to use them instead, if the user does not want to allow applications to access this service. The instance identity document(s) only need to be saved once per account and region, and those files can be re-used subsequently. The files will need to be saved to a folder, see below for more details. Once the folder is prepared, it can be provided to DRAGEN using one of two options, the DRAGEN option `--lic-instance-id-location <instance identity folder>` or the environment variable `DRAGEN_LIC_INSTANCE_IDENTITY` which provides the path to the folder.

### AWS Instance Metadata Service (IMDSv1/IMDSv2)

[AWS Instance Metadata Service Information](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html)

DRAGEN supports both AWS IMDSv1, and the more secure AWS IMDSv2. AWS IMDSv2 must be enabled on the AWS instance, otherwise, IMDSv1 is used by default. DRAGEN software will automatically detect the IMDS version in use and adapt its behavior accordingly.

**Notes**

* Currently, input streaming from an S3 bucket is supported only with IMDSv1.
* IDMSv2 is only supported in DRAGEN versions 4.3 and above.
* If using IDMSv2 and running DRAGEN in a container, you may need to [increase the default](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-existing-instances.html#modify-PUT-response-hop-limit) hop count to be at least 2.

Saving the IMDSv1 document:

```
curl -v -H Metadata:true --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7" -o /opt/instance-identity/pkcs7
curl -v -H Metadata:true --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/document" -o /opt/instance-identity/document
cp /opt/instance-identity/pkcs7 /opt/instance-identity/signature
```

Saving the IDMSv2 document:

```
curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 300" -H "X-aws-ec2-metadata-token: required" --noproxy "*" "http://169.254.169.254/latest/api/token"
curl -H "X-aws-ec2-metadata-token: <your-token>" --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/document"
curl -H "X-aws-ec2-metadata-token: <your-token>" --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/signature"
curl -H "X-aws-ec2-metadata-token: <your-token>" --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"
```

The instance identity folder must contain three files, respectively named `pkcs7`, `signature`, and `document`.

### Azure Instance Metadata Service (IMDS)

[Azure Instance Metadata Service Information](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service)

Saving the IDMS document:

```
curl -v -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2020-09-01" -o /opt/instance-identity/instance
curl -v -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/attested/document?api-version=2020-09-01" -o /opt/instance-identity/document
```

The instance identity folder must contain two files, respectively named `instance` and `document`.

## Run information collected

Run information is a key component of the DRAGEN Licensing infrastructure. For each individual run, the following information is collected by Illumina;

* date
* duration
* run status
* software version
* data quality
* licensing quota consumed (number of bases)
* instance identity