Configure Cloud Authorization for AWS
This page explains how to set up a role on AWS and how to set up Galaxy to assume that role.
Step 1: Create an AWS Role
- Go to aws.amazon.com/iam/ and log in with your AWS credentials.
- If you are not on the IAM page, click the **Services** button, type **IAM** in the search textbox, and choose the shown option (see the following figure).

- On the AWS IAM page, go to the **Roles** tab and click the **Create role** button (see the following figure).

- Click the **Web identity** button, choose **Google** from the **Identity provider** dropdown, enter the **Audience** (the **client id** issued by Google when registering the Galaxy instance; see this page), and then click the **Next: Permissions** button (see the following figure).

- Type **s3** in the **Filter policies** search textbox, choose **AmazonS3FullAccess**, then click the **Next: Tags** button (see the following figure). Alternatively, you can click the **Create policy** button and define a custom policy for Galaxy.

- You may optionally add descriptive tags, then click the **Next: Review** button.
- On the review page, enter a name for the role in the **Role name** textbox, then click the **Create role** button.
- Once the role is created, AWS shows the IAM roles page; click the newly created role.
- Copy the **Role ARN**.
(You may also refer to AWS documentation on creating roles.)
Step 2: Set Up Galaxy to Use an AWS Role
To set up Galaxy to use a role, POST a payload like the following to the
/api/cloud/authz API of Galaxy:

    {
        "authn_id": "...",
        "provider": "aws",
        "config": {
            "role_arn": "arn:aws:iam::347162595075:role/test"
        },
        "description": "..."
    }

You can obtain authn_id by submitting a GET request to the /api/authnz/ API.
**NOTE** that the "provider" of the authentication referred to by the "authn_id" you choose must be
Google (or whichever provider you chose when creating the AWS role), and the audience ID of the Galaxy
instance on which you are using this feature must equal the audience you entered when creating the role.
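
The audience requirement in the note can be checked against the role's trust policy before posting the payload. The following is an added example, not code from Galaxy or AWS: the function names, the sample client ID and the sample trust policy are constructed for illustration, and it assumes the trust policy pins the audience with a `StringEquals` condition on `accounts.google.com:aud`.

```python
import re

# Assumed shape of an IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
GOOGLE_IDP = "accounts.google.com"
AUD_KEY = GOOGLE_IDP + ":aud"

def as_list(value):
    """IAM policy fields may hold a single string or a list."""
    return value if isinstance(value, list) else [value]

def audience_problems(trust_policy, client_id):
    """Return reasons the trust policy would not be right for this Galaxy client ID."""
    problems, audiences = [], []
    for stmt in as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        federated = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow" or GOOGLE_IDP not in federated
                or "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action", []))):
            continue
        # Assumption: the audience is pinned with StringEquals, as in the sample below.
        found = as_list(stmt.get("Condition", {}).get("StringEquals", {}).get(AUD_KEY, []))
        if not found:
            problems.append("statement has no audience condition")
        audiences += found
    if client_id not in audiences:
        problems.append("Galaxy client ID is not listed as an audience")
    return problems

def build_authz_payload(authn_id, role_arn, description=""):
    """Build the body for POST /api/cloud/authz, rejecting malformed role ARNs."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError("not an IAM role ARN: %r" % role_arn)
    return {"authn_id": authn_id, "provider": "aws",
            "config": {"role_arn": role_arn}, "description": description}

# Constructed sample data (not a real client ID or a real role's policy).
SAMPLE_CLIENT_ID = "000000000000-example.apps.googleusercontent.com"
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": GOOGLE_IDP},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: SAMPLE_CLIENT_ID}},
    }],
}

if __name__ == "__main__":
    print(audience_problems(SAMPLE_TRUST_POLICY, SAMPLE_CLIENT_ID))
    print(build_authz_payload("<authn_id>", "arn:aws:iam::347162595075:role/test"))
```

A statement with no audience condition is reported separately because such a role would accept Google tokens issued to any client ID, not only the Galaxy instance.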