DRAGEN Cloud Licensing

Credential based authentication is required for users that run DRAGEN on the cloud with the Bring-Your-Own-License (BYOL) model. DRAGEN must have access to the DRAGEN License server at runtime, license.dragen.illumina.com.

To verify connectivity to the license server, you can query the healthcheck endpoint which will return a 200 status code and a small JSON body if successful.

curl https://license.dragen.illumina.com/healthcheck/version
{"version":"<server version>"}

Running DRAGEN Cloud BYOL with Credential Licensing

BYOL users must provide credentials to DRAGEN at runtime, using one of two options.

Providing Credentials via License Credentials File

The suggested method for specifying your credentials is through a file passed in to DRAGEN at runtime. The file can be pointed to using the option --lic-credentials <path to file>. This method provides a more secure way to pass credentials, which avoids accidental credentials leaks from command line console logs.

The License Credentials File should be formatted as follows;

credentials-1=<username>
credentials-2=<password>

Note: when using the License Credentials file, a default license server domain will be used based off the version of DRAGEN being used;

• DRAGEN 4.4 and above: https://license.dragen.illumina.com

• DRAGEN 4.3 and earlier: https://license.edicogenome.com

  • If you wish to override this behavior, you can add the credentials-3 option to the credentials file. Note, do not specify the protocol (i.e. https).

  Copy

  credentials-3=license.dragen.illumina.com

Providing Credentials via Command Line

Alternatively, you can simply provide your credentials over the command line using the option --lic-server <license server URL with credentials>.

The license server URL should be formatted as follows;

https://<username>:<password>@license.dragen.illumina.com

Instance Identity

DRAGEN Cloud runs access the local instance identity document via the Instance Metadata Service to be used with credential authentication. It uses the IPv4 local address. If access to the local address is not allowed, authentication will fail.

Alternately, the user may save the instance identity document(s) and point DRAGEN to use them instead, if the user does not want to allow applications to access this service. The instance identity document(s) only need to be saved once per account and region, and those files can be re-used subsequently. This is achieved using the command line option --lic-instance-id-location <instance identity folder>.

AWS Instance Metadata Service (IMDSv1/IMDSv2)

DRAGEN supports both AWS IMDSv1, and the more secure AWS IMDSv2. AWS IMDSv2 must be enabled on the AWS instance, otherwise, IMDSv1 is used by default. DRAGEN software will automatically detect the IMDS version in use and adapt its behavior accordingly.

Notes

• Currently, input streaming from an S3 bucket is supported only with IMDSv1.

• IDMSv2 is only supported in DRAGEN versions 4.3 and above.

Saving the IMDSv1 document:

curl -v -H Metadata:true --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7" -o /opt/instance-identity/pkcs7
curl -v -H Metadata:true --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/document" -o /opt/instance-identity/document
cp /opt/instance-identity/pkcs7 /opt/instance-identity/signature

Saving the IDMSv2 document:

curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 300" -H "X-aws-ec2-metadata-token: required" --noproxy "*" "http://169.254.169.254/latest/api/token"
curl -H "X-aws-ec2-metadata-token: <your-token>" --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/document"
curl -H "X-aws-ec2-metadata-token: <your-token>" --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/signature"
curl -H "X-aws-ec2-metadata-token: <your-token>" --noproxy "*" "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"

The instance identity folder must contain three files, respectively named pkcs7, signature, and document.

Azure Instance Metadata Service (IMDS)

Saving the IDMS document:

curl -v -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2020-09-01" -o /opt/instance-identity/instance
curl -v -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/attested/document?api-version=2020-09-01" -o /opt/instance-identity/document

The instance identity folder must contain two files, respectively named instance and document.

Retrieving License Information using dragen_lic

There are two options for retrieving information for your licenses using the packaged dragen_lic tool. Examples for each one are below.

• Basic Output (i.e. no additional arguments). This is the recommended method to view license information by a human user as the output is more readable.

• JSON Output (i.e. using the -j flag). This is the recommended method to view license information by a machine user as the output is already in a machine readable JSON format.

Note: Just like running DRAGEN as noted above, you must specify your credentials using the --lic-credentials or --lic-server command line options.

Note: Retrieving license information using the dragen_lic tool is only supported on DRAGEN 4.4 and above.

$ dragen_lic --lic-credentials my_credentials.cfg

User: <username>
DRAGEN Version: <DRAGEN version>
Time: <time>

DRAGEN Core:
    Status: Active
    Used: 68.0 Gbases since 2023-Dec-05
    Quota: 100250 Gbases
    Expiry: 2024-Feb-13
    Includes; Genome, JointGenotype, CNV, Somatic, Transcriptome License(s)

Compression:
    Status: Active - !!! EXPIRING IN LESS THAN 30 DAYS !!!
    Used: 0 Gbases since 2024-Jan-12
    Quota: Unlimited
    Expiry: 2024-Feb-13

$ dragen_lic --lic-credentials my_credentials.cfg -j

{"dragen_boards":[{"user":"<username>","installed_licenses":{"Compression":[{"expiry":"2025-Mar-19","quota_limit":100250,"start":"2023-Dec-01","status":"Active","units":"Gbases","used":5223}],"TSO500Combined":[{"expiry":"2050-Jan-01","quota_limit":-1,"start":"2022-Jul-13","status":"Active","units":"Gbases","used":23518284}],"TSO500_HRD":[{"expiry":"2024-Feb-13","quota_limit":-1,"start":"2021-Oct-13","status":"Active","units":"Gbases","used":0}],"Dragen_Core":[{"expiry":"2024-Feb-13","includes":{"CNV":{"expiration":"2025-Mar-19","status":"Active"},"Genome":{"expiration":"2024-Feb-13","status":"Active"},"JointGenotype":{"expiration":"2025-Mar-19","status":"Active"},"Somatic":{"expiration":"2025-Mar-19","status":"Active"},"Transcriptome":{"expiration":"2025-Mar-19","status":"Active"}},"quota_limit":-1,"start":"2023-Oct-14","status":"Active","units":"Gbases","used":79708}]}}],"generated":"<ISO time>"}

Retrieving License Information using API endpoint

Alternatively, you can retrieve license information using our License Server endpoint specified below without the use of DRAGEN. License information is returned in a JSON format.

GET request to https://license.dragen.illumina.com/api/v2/query_quota. Your user credentials must be provided as a Basic Authorization header. An example of this using the curl tool is shown below.

curl https://license.dragen.illumina.com/api/v2/query_quota --user <username>:<password>

{"user": "<username>", "credential_expiration": "<date>", "generated": "<date>", "licenses": [{"pipeline": "Compression", "start": "2024-12-02T00:00:00Z", "expiration": "2025-03-02T00:00:00Z", "quota_limit": 2.5, "usage": 0, "units": "Tbases"}, {"pipeline": "Genome", "start": "2024-12-02T00:00:00Z", "expiration": "2025-03-02T00:00:00Z", "quota_limit": 2.5, "usage": 0.727295399, "units": "Tbases"}], "per-pipeline-licenses": true, "message": "Active Licenses Found"}

Usage Reporting

Usage reporting is a key component of the DRAGEN Licensing infrastructure. After each individual run, usage data will automatically be uploaded to Illumina's License server. Usage data entails the following information for each individual run

• run date

• run duration

• licensing quota consumed (number of bases) in that run

• run status

• software version used for the run.

• instance identity document