Question

Read bam/cram file with IGV from aws s3

4

Entering edit mode

2.8 years ago

quentin54520 ▴ 120

Hi all,

We store our alignment files on aws s3. I would like to be able to open them with IGV without needing to download them completely, but I can't find an optimal solution.

If I get a pre-signed url it works but it's not convenient.

I try to follow this but I can't do it at all. I think the problem comes from the configuration file at the end, I don't know exactly what is needed or not. Knowing that we do not have a connection by google, I would just like to use our aws identifiers. When i click on login on igv and add my longin and password i receive a "succes" answer; but then nothing happen on igv, the menu "amazon --> Load from s3 bucket is still inaccessible.

i use this json (i replace the XXXX by the corresponding value):

   {
   "apiKey": "",

   "project_id": "igv",

   "auth_provider": "Amazon",
   "aws_region": "us-east-1",
   "scope": "email",
   "redirect_uris": [
     "http://localhost:60151/oauthCallback"
   ],

   "client_id": "XXXXXX",
   "client_secret": "XXXXX",
   "authorization_endpoint": "XXXXXX",
   "token_endpoint": "XXXX",
   "aws_cognito_pool_id": "XXXX",
   "aws_cognito_fed_pool_id": "",
   "aws_cognito_role_arn": "XXXXX"
}

s3 IGV aws amazon • 4.8k views

ADD COMMENT • link 2.4 years ago by quentin54520 ▴ 120

1

Entering edit mode

It's been on my roadmap to upgrade our current solution to using federated access. For now, we have all the alignments stored in a public S3 bucket but restrict access to certain IP addresses and VPC endpoints. It works for both IGV (end-users need to be connected via VPN) and our internal genome browser.

To limit access on S3 buckets: https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/

ADD REPLY • link 2.8 years ago by Eric Lim ★ 2.2k

0

Entering edit mode

May want to ask this on IGV support forum: https://groups.google.com/g/igv-help

ADD REPLY • link 2.8 years ago by GenoMax 147k

3

Entering edit mode

2.8 years ago

Roman Valls Guimerà ▴ 620

Author of IGV's AWS S3+Cognito support here... can you elaborate on what's failing for you (share some error messages from IGV's console when running it from cmdline)?

The success message is a good sign...Did you follow the steps in:

https://umccr.org/blog/igv-amazon-backend-setup/

Make sure you review the S3 policies (paste it over here), that's a common error: working auth yet insufficient S3 perms.

The JSON you shared looks incomplete, here's our working example for our org:

https://github.com/umccr/infrastructure/tree/master/cdk/apps/igv/config/backend/dev

Also, there's the frontend docs too over here:

https://umccr.org/blog/igv-amazon-frontend-setup/

Hope that helps!

ADD COMMENT • link 2.8 years ago by Roman Valls Guimerà ▴ 620

0

Entering edit mode

Thank you for your reply,

Yes i follow all the steps of this link.

For the json i don't know what to put on "aws_cognito_fed_pool_id" or "auth_provider_x509_cert_url" is i don't want to used federated acces, but just from the aws cognito user.

The error of IGV after click on "amazon --> Login, add the login and password, i come back to igv and i get :

INFO [2022-01-20T17:50:03,629] [CommandListener.java:186]  GET /oauthCallback?code=30eceb29-f186-4837-b19f-791ee492c6a1&state=94093997-bbaa-4a01-b4b1-93b9dabcde18 HTTP/1.1
ERROR [2022-01-20T17:50:03,673] [OAuthProvider.java:242]  java.net.UnknownHostException: igv-laporte-team.igv-laporte-team.auth.us-east-1.amazoncognito.com
INFO [2022-01-20T17:50:04,280] [CommandListener.java:186]  GET /favicon.ico HTTP/1.1

The S3 iam role is :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IGVCognitoAuthedUsersProd",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Sid": "IGVListBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

ADD REPLY • link 2.8 years ago by quentin54520 ▴ 120

0

Entering edit mode

ERROR [2022-01-20T17:50:03,673] [OAuthProvider.java:242] java.net.UnknownHostException: igv-laporte-team.igv-laporte-team.auth.us-east-1.amazoncognito.com

This hostname repetition, igv-laporte-team.igv-laporte-team. ... should be just one of those, can you double check the configs for that one?

Also make sure you download the .json.gz oauth-config file I pointed above and compare it with yours.

ADD REPLY • link 2.8 years ago by Roman Valls Guimerà ▴ 620

0

Entering edit mode

i managed this error but now i'm able to see my list of bucket but when i choose a cram file and click on load i get an error :

Unexpected error: null (Service: S3, Status Code: 403, Request ID: null, Extended Request ID: s27xAGqHihSGR+CZw+v5gQO9bO5r2XflepSrLWflIr4UBODw7ktoUYmxMBVWeiJ9aSGx+PZYV84=). See igv.log for more details

The complete log of igv :

INFO [2022-01-21T17:56:16,381] [MessageUtils.java:76]  <html>Unexpected error: null (Service: S3, Status Code: 403, Request ID: null, Extended Request ID: s27xAGqHihSGR+CZw+v5gQO9bO5r2XflepSrLWflIr4UBODw7ktoUYmxMBVWeiJ9aSGx+PZYV84=).<br>See igv.log for more details
ERROR [2022-01-21T17:56:16,384] [LongRunningTask.java:75]  Exception running task
software.amazon.awssdk.services.s3.model.S3Exception: null (Service: S3, Status Code: 403, Request ID: null, Extended Request ID: s27xAGqHihSGR+CZw+v5gQO9bO5r2XflepSrLWflIr4UBODw7ktoUYmxMBVWeiJ9aSGx+PZYV84=)
    at software.amazon.awssdk.protocols.xml.internal.unmarshall.AwsXmlPredicatedResponseHandler.handleErrorResponse(AwsXmlPredicatedResponseHandler.java:156) ~[aws-xml-protocol-2.15.9.jar:?]
    at software.amazon.awssdk.protocols.xml.internal.unmarshall.AwsXmlPredicatedResponseHandler.handleResponse(AwsXmlPredicatedResponseHandler.java:106) ~[aws-xml-protocol-2.15.9.jar:?]
    at software.amazon.awssdk.protocols.xml.internal.unmarshall.AwsXmlPredicatedResponseHandler.handle(AwsXmlPredicatedResponseHandler.java:84) ~[aws-xml-protocol-2.15.9.jar:?]
    at software.amazon.awssdk.protocols.xml.internal.unmarshall.AwsXmlPredicatedResponseHandler.handle(AwsXmlPredicatedResponseHandler.java:42) ~[aws-xml-protocol-2.15.9.jar:?]
    at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler$Crc32ValidationResponseHandler.handle(AwsSyncClientHandler.java:94) ~[aws-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.handler.BaseClientHandler.lambda$successTransformationResponseHandler$5(BaseClientHandler.java:229) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:40) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:30) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:73) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:42) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:77) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:39) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptMetricCollectionStage.execute(ApiCallAttemptMetricCollectionStage.java:50) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptMetricCollectionStage.execute(ApiCallAttemptMetricCollectionStage.java:36) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:64) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:34) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:56) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:36) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.executeWithTimer(ApiCallTimeoutTrackingStage.java:80) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:60) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:42) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallMetricCollectionStage.execute(ApiCallMetricCollectionStage.java:48) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallMetricCollectionStage.execute(ApiCallMetricCollectionStage.java:31) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:37) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:193) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:133) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.doExecute(BaseSyncClientHandler.java:159) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:112) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:167) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:94) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45) ~[sdk-core-2.15.9.jar:?]
    at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:55) ~[aws-core-2.15.9.jar:?]
    at software.amazon.awssdk.services.s3.DefaultS3Client.headObject(DefaultS3Client.java:4875) ~[s3-2.15.9.jar:?]
    at org.broad.igv.util.AmazonUtils.getObjectMetadata(AmazonUtils.java:211) ~[igv.jar:?]
    at org.broad.igv.util.AmazonUtils.isObjectAccessible(AmazonUtils.java:252) ~[igv.jar:?]
    at org.broad.igv.aws.S3LoadDialog.lambda$loadButtonActionPerformed$0(S3LoadDialog.java:106) ~[igv.jar:?]
    at org.broad.igv.util.LongRunningTask.call(LongRunningTask.java:72) [igv.jar:?]
    at java.util.concurrent.FutureTask.run(Unknown Source) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
    at java.lang.Thread.run(Unknown Source) [?:?]

ADD REPLY • link 2.8 years ago by quentin54520 ▴ 120

0

Entering edit mode

Oh this time the issue was the IAM, now it's work ! Thanks you so much

The only point that i found strange is that after the first login, if i restart my computer i can log in without enter my password. It's normal ? I made a mistake in the configuration ?

ADD REPLY • link 2.8 years ago by quentin54520 ▴ 120

0

Entering edit mode

Great to hear!

What was the problem with IAM? Can you describe how you solved that a bit more?

If you haven't closed IGV or if your computer's OS session management restores processes as they were, yes, the temporal access creds are stored within IGV's process memory.

ADD REPLY • link 2.8 years ago by Roman Valls Guimerà ▴ 620

0

Entering edit mode

Thanks for you assistance Roman, as always. Just a reminder that you can always open an issue at https://github.com/igvteam/igv/issues. I personally don't have time to scan biostars regularly.

ADD REPLY • link 2.8 years ago by Jim Robinson ▴ 300

0

Entering edit mode

First I had a problem of misunderstanding what is "aws_cognito_fed_pool_id" now it's fixed. The only difference with your config file is that I left "auth_provider_x509_cert_url" empty.

For the iam role i forgot the second line in the the field "ressource" of the sid "IGVCognitoAuthedUsersProd" .

Another point that has nothing to do with the error: I left the configuration file on my computer rather than putting it in a public bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IGVCognitoAuthedUsersProd",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Sid": "IGVListBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

ADD REPLY • link 2.8 years ago by quentin54520 ▴ 120

score 2 · Accepted Answer · 2022-07-02

if people come across this post here is some new information:

The last version of igv (2.13.0) add a native support for s3. You just have to get your credentials (programmatic acces) acces key and secret Key, put your credentials files in the good directory (usually it's ~/.aws/credentials ) and now you can click on the Amazon tab in IGV to load your files.