← Back to Home

Cloud Authorization Demo

Here we demo copying an object from an AWS S3 bucket to a Galaxy history. For this:

  • we copy the ENCFF001SNN.broadPeak.gz object from ENCODE's AWS S3 bucket;
  • to gain access to the ENCFF001SNN.broadPeak.gz object, we use a role created by the Galaxy project for the purpose of this demo;
  • we use a pre-bake branch of Galaxy with all the necessary configuration pre-setup.

For this demo, we first start a local Galaxy instance, then login to that instance, and define a cloud authorization record, which we will then use to copy the ENCFF001SNN.broadPeak.gz object.

You may take the following steps:

  1. Clone a pre-baked instance of Galaxy by running the following command in your terminal:

    mkdir ~/role_demo && cd ~/role_demo && git clone -b aws_demo_role https://github.com/vjalili/galaxy .
  2. Start Galaxy by running the following command:


    wait until you see the following message:

    serving on
  3. Login to your Galaxy instance by clicking on the Login or Register button, and then on the Sign in with Google button:


  4. Enter your Google credentials if required:


  5. Having signed-in with your Google credentials, you will be auto-redirected back to your local installation of Galaxy; then click on the User button and choose the Preferences menu item:


  6. From the preferences menu, choose the Manage Cloud Authorization option:


  7. Click on the Create New Authorization Key, and enter the following value for the Role ARN field, and click on the Save Key button.



  8. Click on the User button, and choose Preferences, and from the "User Preferences" menu, choose Manage API key:


  9. Click on the Create a new key, and copy API key:


  10. Keep the terminal running your Galaxy open, and open a new terminal and run the following command where [API KEY] is your API obtained at previous step:

    python get_object.py [API KEY]

    Running this command will return a list as the following which indicates that a Galaxy has create a job to download the ENCFF001SNN.broadPeak.gz object:

    vahid$ python get_object.py 76e948f7c9f858612abab98df7f75ddb
    [{u'update_time': u'2019-04-26T23:30:42.061336', u'uuid': u'a3404949-dbf3-4657-999d-11837e5c7f3f', u'deleted': False, u'id': u'1cd8e2f6b131e891', u'purgable': True, u'total_size': 0, u'state': u'queued', u'create_time': u'2019-04-26T23:30:42.002358', u'file_size': 0, u'purged': False}]
  11. At this point Galaxy has downloaded the object to your history:



The policy of the Authnz_demo_role role that we set this Galaxy instance to assume, is defined as the following:

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::encode-public/2008/11/24/034e3689-9903-4c86-9237-040f8f795b73/ENCFF001SNN.broadPeak.gz"

Accordingly, this role grants the local Galaxy instance with read access ("Action": "s3:GetObject") to only one object, i.e., arn:aws:s3:::encode-public/2008/11/24/034e3689-9903-4c86-9237-040f8f795b73/ENCFF001SNN.broadPeak.gz

Additionally, the trust relation of this role is defined as the following:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "893677542423-4t761afe33k3o9mu56u6p6p1ctk8o88f.apps.googleusercontent.com"

Accordingly, only the Galaxy instance with the OpenID Connect Audience ID 893677542423-4t761afe33k3o9mu56u6p6p1ctk8o88f.apps.googleusercontent.com that is registered with Google ("Federated": "accounts.google.com") can assume this role. See this page on how to register your Galaxy; however, for the purpose of this demo, the pre-baked Galaxy that you cloned is already registered with Google.