Whenever an organization is created, we automatically allocate bucket folders in AWS S3 cloud storage to it:
- Path for upload: the folder intended to store input case files. Authorized users have view and upload privileges.
- Path for download (32.0+): contains a partially annotated VCF file per case (results of proprietary algorithms are excluded). Authorized users have view and download privileges.
- Path for DRAGEN output (32.0+): contains the DRAGEN output files. Authorized users have view and download privileges.
To access your upload, download and DRAGEN output folders, you need a key pair consisting of an access key ID and a secret access key. Creating, deactivating, activating and deleting credentials is available to users with the Manager and Manage S3 Credentials roles.
You can create and use up to two dynamic access keys at the same time.
When you need technical support, you can generate a new key pair specifically for the troubleshooting session and delete it once the issue is resolved, so that no extra long-lived credential remains in circulation.
Newly generated credentials are saved only in AWS Identity and Access Management (IAM), not in our database.
To create a key pair: in Settings > Management > S3 Credentials, click Create Access Key.
You can retrieve the secret access key only when you initially create the key pair. If you lose it, you have to create a new key pair. Use the Copy to clipboard button to copy the secret access key to a secure location immediately.
To deactivate a key pair: in Settings > Management > S3 Credentials, click Deactivate on the corresponding key pair card.
To activate a key pair: in Settings > Management > S3 Credentials, click Activate on the corresponding key pair card.
To delete a key pair: in Settings > Management > S3 Credentials, click Delete on the corresponding key pair card. Only inactive key pairs can be deleted.
Log in to Emedgene and navigate to Settings in the upper right-hand corner of the page.
Click the Management tab and then Add Storage.
Choose the Illumina BaseSpace storage type.
Fill in Client Key, Client Secret and App Token as provided by BaseSpace (how to obtain them is described below) and click Add storage to complete the setup.
Install the BaseSpace CLI (Command Line Interface)
Follow the instructions on the BaseSpace CLI installation page if needed.
On BSSH, log in to the workgroup you want to connect as the storage.
Once the BaseSpace CLI is installed, run the authentication command (bs auth) in the terminal.
The command prints a link; open it and log in.
After authentication completes successfully, find the access token in the CLI config file.
The result should look like this:
Populate App_token with the accessToken value, and Server with the apiServer URL from the BSSH config file.
Client_key is displayed in subsequent menus, so a descriptive name such as the workgroup name can be used.
Client_secret is unused when an App_token is available and can be set to "x".
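As an added example (not Emedgene's or Illumina's code), the script below reads the config file that bs auth writes and maps it to the four fields of the Add Storage form described above. It assumes the CLI config lives at ~/.basespace/default.cfg and consists of `key = value` lines with `apiServer` and `accessToken` (the layout the BaseSpace CLI uses by default); the sample config and the workgroup name are constructed placeholders.

```python
"""Map the BaseSpace CLI config written by `bs auth` to the fields of the
Emedgene "Illumina BaseSpace" storage form.

Assumptions (not stated on this page): `bs auth` writes ~/.basespace/default.cfg
as `key = value` lines containing `apiServer` and `accessToken`.
"""
import re
from pathlib import Path

# Constructed sample of the CLI config; the token value is a placeholder.
SAMPLE_CFG = """\
apiServer   = https://api.basespace.illumina.com
accessToken = 0123456789abcdef0123456789abcdef
"""

KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_bs_config(text: str) -> dict:
    """Parse `key = value` lines; ignore blanks, comments and section headers."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";", "[")):
            continue
        match = KEY_VALUE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def emedgene_storage_fields(cfg: dict, workgroup: str) -> dict:
    """Build the Add Storage form values, refusing incomplete or insecure input."""
    server = cfg.get("apiServer", "")
    token = cfg.get("accessToken", "")
    if not token:
        raise ValueError("accessToken missing: run `bs auth` first")
    if not server.startswith("https://"):
        raise ValueError(f"apiServer must be an https URL, got {server!r}")
    return {
        "Client_key": workgroup,   # display name only; the workgroup name is descriptive
        "Client_secret": "x",      # unused when an App_token is supplied
        "App_token": token,
        "Server": server,
    }


def fields_from_file(path: str = "~/.basespace/default.cfg", workgroup: str = "my-workgroup") -> dict:
    """Same mapping, read from the real config file (path is the CLI default, an assumption)."""
    return emedgene_storage_fields(parse_bs_config(Path(path).expanduser().read_text()), workgroup)


if __name__ == "__main__":
    fields = emedgene_storage_fields(parse_bs_config(SAMPLE_CFG), "research-wg")
    # Print everything except the token, so the secret does not end up in shell history or logs.
    for name, value in fields.items():
        print(f"{name}: {'<redacted>' if name == 'App_token' else value}")
```

The access token is a bearer credential for the whole workgroup; treat the config file like a password file and paste the token into the form rather than echoing it into a terminal.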
Go to the BaseSpace developer portal and log in.
Go to My Apps and click Create a new Application.
Fill in the details for the application and click Create an application.
Fill in the details and press Save.
Go to My Apps and click your new app, then go to the Credentials tab.
There you will find the Client ID (Client Key), Client Secret and App Token to enter into the Emedgene platform.
This feature only concerns saving DRAGEN output files in your own bucket when using DRAGEN through Emedgene (without ICA).
If you are looking to:
- import data from AWS S3 into Emedgene, go to Manage data storages;
- integrate any data storage with Emedgene, go to Manage data storages;
- download any data from Emedgene, go to Manage S3 credentials.
Bring your own bucket is only available for Enterprise level support accounts and requires Illumina support for setup.
Bring Your Own Bucket (BYOB) lets you control where your DRAGEN output files are stored.
By default, the Emedgene managed DRAGEN solution saves the DRAGEN output files in a dedicated AWS S3 bucket that you can access with your S3 credentials.
If you have an Enterprise account and would like the Emedgene managed DRAGEN solution to save the DRAGEN output files in your own bucket instead, reach out to techsupport@illumina.com and follow these steps:
Emedgene requires access to the root of the bucket, so a dedicated bucket is usually appropriate.
The bucket policy should allow the Emedgene user access to the bucket (and only that bucket).
Example bucket policy:
Emedgene visualizes data in IGV directly from your AWS S3 bucket. For this to work, you must enable CORS for the Emedgene application URLs.
Example CORS policy:
Illumina will run a test case to validate that the managed DRAGEN pipeline finishes successfully and that all features are available in the platform.
With BYOB you manage your own data: if you accidentally delete or move the data, the integration with Emedgene may break. You are responsible for your disaster recovery plan (DRP) and data backup solutions.
If you enable an AWS S3 Lifecycle policy to archive objects or change their storage tier, this can adversely affect the platform: objects moved to an archive tier are no longer directly readable, so cases that depend on them may fail.
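As an added example (not Illumina's code and not the policy support will send you), the Python script below generates the two documents this section asks for, the bucket policy and the CORS configuration, and checks an existing configuration for the pitfalls described above: a policy wider than the one bucket, and lifecycle rules that archive or expire objects. The principal ARN, bucket name, application origin and the exact list of S3 actions are assumptions; Illumina support supplies the real values.

```python
"""Generate the bucket policy and CORS configuration for an Emedgene BYOB
bucket, and check an existing bucket configuration for the pitfalls this page
warns about: over-broad grants and lifecycle rules that archive or expire data.

Assumptions (not stated on this page): the principal ARN, bucket name and the
exact list of S3 actions; Illumina support provides the real values.
"""
import json

EMEDGENE_PRINCIPAL_ARN = "arn:aws:iam::111122223333:role/emedgene-dragen"  # placeholder
BUCKET = "example-byob-bucket"                                          # placeholder
APP_ORIGINS = ["https://host_name.emedgene.com"]                         # URL pattern from this page

ARCHIVE_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}  # objects need a restore before they can be read


def bucket_policy(bucket: str, principal_arn: str) -> dict:
    """Allow one named principal to list the bucket and read/write objects under its root."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EmedgeneListBucket", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "EmedgeneObjects", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ["s3:GetObject", "s3:PutObject"],   # action list is an assumption
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def cors_rules(origins: list) -> list:
    """IGV fetches BAM/CRAM slices with HTTP Range requests, so allow Range and expose Content-Range."""
    return [{
        "AllowedOrigins": origins,
        "AllowedMethods": ["GET", "HEAD"],
        "AllowedHeaders": ["Range", "Authorization", "Content-Type"],
        "ExposeHeaders": ["Content-Length", "Content-Range", "ETag"],
        "MaxAgeSeconds": 3600,
    }]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict, bucket: str) -> list:
    """Flag Allow statements wider than the one bucket and one principal they should be scoped to."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: wildcard principal")
        if any(a in ("*", "s3:*") for a in _as_list(st.get("Action", []))):
            findings.append(f"{sid}: wildcard action")
        for res in _as_list(st.get("Resource", [])):
            if res not in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
                findings.append(f"{sid}: resource outside the BYOB bucket: {res}")
    return findings


def lifecycle_findings(lifecycle: dict) -> list:
    """Flag enabled rules that would archive or delete objects Emedgene still references."""
    findings = []
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rule_id = rule.get("ID", "<no ID>")
        for tr in rule.get("Transitions", []):
            if tr.get("StorageClass") in ARCHIVE_CLASSES:
                findings.append(f"{rule_id}: transitions objects to {tr['StorageClass']}")
        if "Expiration" in rule or "NoncurrentVersionExpiration" in rule:
            findings.append(f"{rule_id}: expires objects")
    return findings


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, EMEDGENE_PRINCIPAL_ARN), indent=2))
    print(json.dumps(cors_rules(APP_ORIGINS), indent=2))
    # Constructed lifecycle configuration in the shape returned by
    # `aws s3api get-bucket-lifecycle-configuration`.
    sample_lifecycle = {"Rules": [{"ID": "archive-dragen", "Status": "Enabled",
                                   "Filter": {"Prefix": ""},
                                   "Transitions": [{"Days": 90, "StorageClass": "DEEP_ARCHIVE"}]}]}
    for finding in lifecycle_findings(sample_lifecycle):
        print("lifecycle:", finding)
```

policy_findings is a shape check, not an IAM evaluator: it will not catch grants that arrive through the principal's own identity policy or through another account. Run IAM Access Analyzer on the bucket as well before handing it to support.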
Go to the Google Cloud Console.
Navigate to IAM & Admin: in the left sidebar, go to IAM & Admin > Service Accounts.
Create a new service account: click the "Create Service Account" button at the top.
Fill in the service account details:
Service account name: give your service account a name.
Service account ID: this is generated automatically from the name.
Description: optionally, provide a description for the service account.
Click "Create and Continue".
Assign roles to the service account:
In the "Grant this service account access to project" step, grant this role:
"Storage Object Viewer" (read-only access to objects)
Create the service account:
After assigning the role, click "Done".
Generate and download a key:
Find your newly created service account, click the three dots on the right, and select "Manage Keys".
Click Add Key > Create New Key and choose the JSON format.
Download the key and store it securely: it is a long-lived credential that authenticates as the service account.
Encode the key in base64 with a short Python script: put the script and your JSON key (here named json_file.json) in the same directory, run it, and save the printed output.
Add the three values into the appropriate fields:
Client_credentials_base64: paste the base64 output from the previous step.
Bucket: the bucket name.
Path: the default is /; otherwise, enter the path inside the bucket, separating directories with /.
Download and install the Google Cloud SDK from the Google Cloud SDK install page.
Select your platform (Windows, macOS or Linux), then download and run the installer.
Initialize and authenticate with Google Cloud: in the Cloud SDK Shell/terminal, run:
gcloud init
This opens a browser window to authenticate your Google account. Follow the instructions to log in and select your project.
Set the CORS configuration via gcloud:
Create a JSON file (cors.json) on your machine with the CORS rules. Example: it should look like this:
Note the origin to allow:
If using Illumina cloud: https://host_name.emg.illumina.com
Otherwise (Emedgene cloud): https://host_name.emedgene.com
Apply the CORS configuration to your bucket by running:
gcloud storage buckets update gs://your-bucket-name --cors-file=cors.json
Verify the CORS configuration:
gcloud storage buckets describe gs://your-bucket-name
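As an added example (not the script referenced in the steps above), the following Python code performs the parts of this GCS setup that happen on your machine: it validates and base64-encodes the service-account key for the Client_credentials_base64 field, writes a cors.json with the Emedgene origin for the gcloud command, and checks a list of CORS rules for that origin. The host name, bucket and key contents are constructed placeholders, and cors_allows_origin takes the list of rules directly rather than parsing the describe output.

```python
"""Prepare a Google Cloud Storage integration for Emedgene: base64-encode the
service-account key file for the Client_credentials_base64 field, build the
cors.json for IGV access, and check a bucket's CORS rules for the expected origin.

Added example; the encoding function stands in for the script this page refers to.
The host name used for the origin is a placeholder.
"""
import base64
import json
from pathlib import Path

REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email")


def encode_service_account_key(key_json: str) -> str:
    """Validate the JSON key and return it base64-encoded. Encoding is not encryption:
    the result is still the private key and must be handled as a secret."""
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"not a service-account key, missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected key type {key['type']!r}")
    return base64.b64encode(key_json.encode("utf-8")).decode("ascii")


def encode_key_file(path: str = "json_file.json") -> str:
    """Encode the downloaded key file (default name taken from the steps above)."""
    return encode_service_account_key(Path(path).read_text(encoding="utf-8"))


def decode_service_account_key(encoded: str) -> dict:
    """Round-trip check: what Emedgene receives must decode back to the same key."""
    return json.loads(base64.b64decode(encoded).decode("utf-8"))


def emedgene_origin(host_name: str, illumina_cloud: bool) -> str:
    """Origin to allow in CORS, following the two URL patterns given on this page."""
    domain = "emg.illumina.com" if illumina_cloud else "emedgene.com"
    return f"https://{host_name}.{domain}"


def gcs_cors_rules(origin: str) -> list:
    """cors.json content for `gcloud storage buckets update --cors-file`; IGV reads with Range."""
    return [{
        "origin": [origin],
        "method": ["GET", "HEAD"],
        "responseHeader": ["Content-Type", "Content-Length", "Content-Range", "Range"],
        "maxAgeSeconds": 3600,
    }]


def cors_allows_origin(rules: list, origin: str) -> bool:
    """True if some rule allows GET from `origin` (pass the bucket's CORS rule list)."""
    return any(origin in r.get("origin", []) and "GET" in r.get("method", []) for r in rules)


if __name__ == "__main__":
    # Constructed sample key: the shape of a real key file, with placeholder values.
    sample_key = json.dumps({
        "type": "service_account", "project_id": "example-project",
        "private_key_id": "abc123",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
        "client_email": "emedgene-reader@example-project.iam.gserviceaccount.com",
    })
    encoded = encode_service_account_key(sample_key)
    assert decode_service_account_key(encoded)["client_email"].endswith("gserviceaccount.com")
    print("Client_credentials_base64 length:", len(encoded))   # the value itself stays out of logs

    origin = emedgene_origin("host_name", illumina_cloud=False)
    Path("cors.json").write_text(json.dumps(gcs_cors_rules(origin), indent=2))
    print("wrote cors.json for", origin)
    print("apply with: gcloud storage buckets update gs://your-bucket-name --cors-file=cors.json")
```

Keep the origin list to the exact Emedgene hostnames; a wildcard origin would let any website the analyst visits read their bucket through the browser's credentials.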
To import files directly from your storage, link the storage to your organization in Emedgene.
Note: to access data storage management, you must have the Manager and Multiple Storage roles.
Click the user initials or profile picture at the rightmost corner of the top navigation panel to open the dropdown menu. Select Settings.
Select the Management tab. Under Storage is a list of currently linked storages. To add a new one, press the Add Storage button.
Choose a Storage Type from:
Azure Data Lake;
Azure Blob;
AWS S3;
File Transfer Protocol (FTP);
SSH File Transfer Protocol (SFTP);
Illumina BaseSpace (BSSH);
Illumina Connected Analytics (ICA).
Fill in the required credentials.
Click Add storage.
Check the connection to confirm that the storage is successfully linked. To do this, find the storage in the Storage List and check the cloud icon next to its name: if it is green, the connection is set up correctly; if it is red and struck through, something went wrong, and hovering over the icon shows the details.
To edit a linked storage, press Manage to the right of the storage details in the Storage List.
To remove a linked storage, press Delete to the right of the storage details in the Storage List.
Bring your own key is only available for Enterprise level support accounts and requires Illumina support for setup.
Bring Your Own Key (BYOK) is a security feature that allows clients to use their own encryption keys to protect their data, so that clients keep control over their keys and, consequently, their data. Only Enterprise level support accounts can access this feature, and it requires assistance from Illumina support for setup.
Illumina supports integration with popular Key Management Services (KMS) such as Azure Key Vault and AWS KMS for managing your encryption keys. This lets clients use their existing key management solution for generating, storing and managing their keys securely.
Azure Key Vault is a cloud service that provides a secure way to store and manage sensitive information such as API keys, passwords and certificates. It offers key management features including key generation, storage and lifecycle management.
AWS Key Management Service (KMS) allows you to create and control the encryption keys used to encrypt your data across a wide range of AWS services and applications. It provides centralized management of encryption keys and integrates with other AWS services.
These integrations combine Illumina's BYOK feature with your preferred KMS provider.
Losing the encryption key means that all data encrypted with that key becomes inaccessible, which can mean permanent loss of access to crucial information. Store, back up and manage your keys securely to prevent this.
Emedgene's API server encrypts the client's information before storing it in Emedgene's database and decrypts it when needed (e.g. when running the pipeline). The key vault is managed by the customer, who needs to provide the following information (instructions on how to obtain or create each item follow):
Application tokens:
Client ID
Client Secret
Tenant ID
The key information:
Key URL
Navigate to App registrations.
Register a new application and click "Register".
Once the app is created, copy the Application (client) ID and the Directory (tenant) ID.
Go to Certificates & secrets (in the left menu).
Press "New client secret" and copy the secret "Value"; it is shown only once, right after creation.
Note the expiration date of the secret: once it expires, our system can no longer use the key, so plan a rotation before that date.
Press "Create key vault".
Specify the key vault name, region (e.g. East US) and pricing tier.
Click "Next" to Access policies.
Press "Add access policy" and set the Key permissions:
Key Management Operations: none
Cryptographic Operations: Decrypt, Encrypt, Unwrap Key, Wrap Key
Then set the Secret permissions:
Secret permissions: Get
Select principal: select the application you created before (in the "Create a new application" step).
Finish with "Review + create".
Navigate to the newly created key vault.
Select Keys on the left side and select the key.
Select the current version and copy the "Key Identifier": https://<key-vault-name>.vault.azure.net/keys/<key-name>/<key-version>
Description is coming soon.
Please reach out to tech-support@illumina.com to get help with this setup.
Emedgene's API server encrypts the client's information before storing it in Emedgene's database and decrypts it when needed (e.g. when running the pipeline). The key vault is managed by the client, and Emedgene is only granted access to the encrypt/decrypt functions of that key vault. This guarantees that the client controls access to the information.
Illustration of the data flow when creating a case in the Emedgene platform:
Illustration of the data flow when reading case data from the Emedgene platform:
A preliminary step for this solution is a key vault owned by the client, with a key that Emedgene is given access to.
The client creates an access policy of type "Application" in the key vault and provides the matching key and secret to Emedgene. The access policy must contain permissions to perform the encrypt and decrypt actions.
For Emedgene to integrate with the key, depending on the key vault provider, the client needs to provide the following information:
Client ID
Client Secret
Tenant ID
Key vault name
Key name
Since some of the platform's search capabilities run directly on the DB, encrypted data cannot be searched directly. To overcome this, we implement a hashed search as follows:
The case data is still fully encrypted in the DB, as it is today.
For the specific fields that should be "searchable", as defined by the customer, we store their hash value alongside the encrypted data.
Hashing uses SHA-256 over the value with a securely generated random salt of 32 characters added to it.
The salt is unique and is not used anywhere else in the platform.
When the user enters a search string, we hash it with every salt value and search for those hash values.
Illustration of the data flow when searching in the Emedgene platform:
Illustration of the data flow when creating a case with a searchable field in the Emedgene platform:
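As an added example (not Emedgene's implementation), the following Python code models the hashed-search design above: one random 32-character salt per searchable field, SHA-256 over salt + value stored next to the encrypted value, and a search that hashes the query with every salt. How salt and value are concatenated, and that matching is exact (no case folding), are assumptions; the encrypted column is represented by a placeholder string because the KMS-backed encryption is outside this example's scope, and the case records are constructed.

```python
"""Searchable fields over encrypted case data, as the scheme above describes:
the value stays encrypted in the DB; for each field the customer marks as
searchable, a SHA-256 hash of (salt + value) is stored beside it, with one
random 32-character salt per searchable field that is used nowhere else.
A search hashes the query with every field's salt and matches on the hashes.

Added example, not Emedgene's code. Assumptions: salt and value are simply
concatenated, and values are matched exactly (no case folding).
"""
import hashlib
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 32


def new_salt() -> str:
    """32 characters from a CSPRNG; generated once per searchable field."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))


def field_hash(salt: str, value: str) -> str:
    """Deterministic per-field hash: equal values in the same field produce equal hashes."""
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()


class SearchableCaseStore:
    def __init__(self, searchable_fields):
        # Salts belong with the application configuration, not in the DB rows they protect.
        self.salts = {f: new_salt() for f in searchable_fields}
        self.rows = {}   # case_id -> {field: {"encrypted": ..., "hash": ...}}

    def put_case(self, case_id: str, fields: dict):
        row = {}
        for name, value in fields.items():
            entry = {"encrypted": f"<ciphertext of {name}>"}   # placeholder for the KMS-encrypted value
            if name in self.salts:
                entry["hash"] = field_hash(self.salts[name], value)
            row[name] = entry
        self.rows[case_id] = row

    def search(self, query: str) -> list:
        """Hash the query with every field's salt, then match hashes (equality only)."""
        candidates = {name: field_hash(salt, query) for name, salt in self.salts.items()}
        hits = []
        for case_id, row in self.rows.items():
            if any(row.get(name, {}).get("hash") == h for name, h in candidates.items()):
                hits.append(case_id)
        return sorted(hits)


def build_demo_store() -> SearchableCaseStore:
    """Constructed sample data, not real patient records."""
    store = SearchableCaseStore(searchable_fields=["patient_id", "sample_id"])
    store.put_case("case-1", {"patient_id": "P-1001", "sample_id": "S-77", "notes": "not searchable"})
    store.put_case("case-2", {"patient_id": "P-1002", "sample_id": "S-78"})
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.search("P-1001"))          # ['case-1']
    print(store.search("S-78"))            # ['case-2']
    print(store.search("not searchable"))  # []  (fields without a salt carry no hash)
```

Two properties of this design are worth keeping in mind when choosing which fields to mark searchable: only exact-match lookups work (no prefix or substring search), and the hashes are deterministic within a field, so an attacker holding both the database and the salts can test guesses against low-entropy values such as identifiers. Keeping the salts outside the database is what makes the stored hashes useless on their own.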
If data is deleted or moved from the customer's storage, it might adversely affect the case. The table below lists the possible consequences:

Case Type | File Type | Expected effect |
---|---|---|
FASTQ | FASTQ/BAM/CRAM (input) | Reanalysis will fail (will be fixed) |
FASTQ | CRAM (output) | Reanalysis will fail |
FASTQ | VCFs | Reanalysis will fail |
FASTQ | CSV, etc. | Reanalysis will fail |
VCF | BAM/CRAM (visualizations) | Visualization will fail |
VCF | VCF (input) | Reanalysis will fail |
VCF | CSV, etc. | Reanalysis will fail (will be fixed) |
Before you proceed with this article, make sure you understand the data storage management basics.
In the Settings > Management tab, add or edit the required credentials: CLIENT_ID, CLIENT_SECRET, TENANT_ID and ACCOUNT_URL.
See the table below to learn where to find them in your Azure account.
In Microsoft Entra ID, click App registrations.
Select New registration.
Fill in the name of the application and press "Register".
On the registered app's Overview page you can retrieve the Application (client) ID (CLIENT_ID) and the Directory (tenant) ID (TENANT_ID).
Press "Certificates & secrets".
Press "New client secret".
Fill in the "Description" and set the expiry to 12 months (or according to your organization's policy), then press "Add".
Get the CLIENT_SECRET from this page: copy the secret's Value (not its Secret ID); it is shown only once.
Give this app registration read access to the relevant blob container (for example, the Storage Blob Data Reader role on the container or storage account).
Go to Azure Storage accounts.
Open the relevant storage account.
Press "Containers".
Press the relevant container.
Press "Properties".
Copy the ACCOUNT_URL.
Errors for failed connections can be found in CloudWatch in the relevant FRY log stream; search for BlobApi, BlobFs or azure.
Emedgene setting | Corresponding client (Azure) setting |
---|---|
CLIENT_ID | The Application (client) ID of the app registration. Format: ########-####-####-####-############ (hex digits) |
CLIENT_SECRET | The Value of the client secret (the portal shows the pair Value, Secret ID; use the Value). Format: an opaque string of letters, digits and special characters |
TENANT_ID | The Directory (tenant) ID. Format: ########-####-####-####-############ (hex digits) |
ACCOUNT_NAME | The storage account name; it forms the host part of ACCOUNT_URL. Format: string |
CONTAINER_NAME | The name of the container inside the storage account; it forms the path part of ACCOUNT_URL. Format: string |
ACCOUNT_URL | The URL of the container in the Azure storage account. Format: https://account_name.blob.core.windows.net/container_name |