igvteam / igv

Integrative Genomics Viewer. Fast, efficient, scalable visualization tool for genomics data and annotations
https://igv.org
MIT License

Google / Amazon menus not visible, S3 access not working #1607

Open francois-a opened 3 weeks ago

francois-a commented 3 weeks ago

Hi,

I'm having trouble accessing BAMs on S3, with both the Mac desktop and web apps. On the desktop app, the Google and Amazon menus aren't visible (I tested multiple versions, including 2.18.4). The credentials in ~/.aws/credentials work, and I can access the BAMs using samtools, for example.

When I try to load a BAM with the desktop app, I get the following error:

Error loading s3://redacted/redacted.bam: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(sections=[])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(sections=[])): Profile file contained no credentials for profile 'default': ProfileFile(sections=[]), ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]

jrobinso commented 3 weeks ago

This is a known issue introduced in release 2.18.2. We have a fix, but it has not been released. In the interim you can either (1) use 2.18.1, or (2) use the development snapshot build. You can download 2.18.1 from the archive

https://data.broadinstitute.org/igv/projects/downloads/2.18/

The development snapshot is available at

https://igv.org/doc/desktop/#DownloadSnapshot/

Note the special instructions if you are on a Mac.

The webapp does not support S3 credentials; a web application has no access to your disk, including of course ~/.aws.

jrobinso commented 3 weeks ago

Duplicate of #1598

francois-a commented 3 weeks ago

Thanks — it doesn't work for me with 2.18.1 either (menus not visible, and loading from an S3 URL gives the error above).

jrobinso commented 3 weeks ago

The fact that the Amazon menu does not appear implies that IGV could not read the credentials file. It relies on the AWS SDK to do this, which looks in various places including, on my Mac, in ~/.aws/credentials. Could you look in the IGV log file, located in the "igv" folder in your home directory, and see if there are any errors? The file name is usually igv0.log.

The Google menu does not appear by default; you have to enable it in the preferences.

francois-a commented 3 weeks ago

Here's the error from the log:

SEVERE [Oct 24,2024 12:11] [IGV] org.broad.igv.exceptions.DataLoadException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(profiles=[Profile(name=default, properties=[sso_session, sso_region, aws_access_key_id, aws_session_token, sso_registration_scopes, aws_secret_access_key, sso_role_name, region, sso_start_url, sso_account_id])])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(profiles=[Profile(name=default, properties=[sso_session, sso_region, aws_access_key_id, aws_session_token, sso_registration_scopes, aws_secret_access_key, sso_role_name, region, sso_start_url, sso_account_id])])): java.nio.file.NoSuchFileException: /Users/francois/.aws/sso/cache/8e7c27591e6cf06e4cdb68a0e6a19fda88924b14.json, ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Unable to load credentials from service endpoint.]

I'm using sso, and have both ~/.aws/config and ~/.aws/credentials.

jrobinso commented 3 weeks ago

This might be the cause, but I am not enough of an AWS expert to know what to do about it. However, it is a clue:

Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set.

Do you have an oauth provisioning profile set (in the IGV preferences)? You should not, if using ~/.aws/credentials.

jrobinso commented 3 weeks ago

Actually, I don't think the AWS_WEB_IDENTITY_TOKEN_FILE is the real issue here; it shouldn't even get that far if it successfully read ~/.aws/credentials for the access key. It would read this on startup.

jrobinso commented 3 weeks ago

Apologies for the train of messages. I am far from an AWS expert, but you might be using an Amazon option (SSO) that IGV does not support. The authentication options are repeated below from the IGV readme: (1) setting access key and secret in ~/.aws/credentials, and (2) configuring Cognito as described in the link.

Authenticated access using s3:// urls is supported by either (1) enabling OAuth access with Cognito using the UMCCR contributed AWS configuration option, or (2) setting AWS credentials and region information as described here and here.

For more details on using Cognito for OAuth access, see the UMCCR documentation on the backend and frontend for a provisioning URL step by step guide.

jrobinso commented 3 weeks ago

These instructions might be relevant

https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/setup.html

francois-a commented 3 weeks ago

If ~/.aws/credentials is available, is anything else needed? This is also what I'm using to view the same BAMs with samtools, which hasn't been an issue.

francois-a commented 3 weeks ago

Figured it out — it seems like the sso information in ~/.aws/config was the problem. Simplifying it to the following worked:

[default]
region = us-east-2

jrobinso commented 3 weeks ago

I was just about to suggest that.

From the instructions posted above, when using SSO it looks like you have to sign in from the command line with SSO before accessing with Java (IGV).

I have no idea what samtools is doing; it is probably ignoring SSO configuration altogether and just accessing .aws/credentials directly.

jrobinso commented 3 weeks ago

Is it possible there is an error in your original .aws/config? If samtools just ignores the SSO option, this would explain how it worked. The real test would be whether you can access the files via SSO from the command line.

francois-a commented 3 weeks ago

I don't think so — CLI access worked fine. I only needed ~/.aws/credentials for samtools.

jrobinso commented 3 weeks ago

OK, well once again instructions for using SSO with Java programs are here: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/setup.html. This section on signing in from the CLI is especially interesting; it seems a bit strange to me but worth a try: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/setup.html#setup-login-sso
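
A local check for the state the log in this thread shows, where a profile merged from ~/.aws/config and ~/.aws/credentials carries both sso_* settings and static keys while the SSO token cache file is missing. This is an added example, not code from IGV or the AWS SDK; the function names are hypothetical, and it assumes the cache file name is the SHA-1 hex digest of the sso_session name (or of sso_start_url when no session is set), the convention the AWS CLI uses.

```python
import configparser
import hashlib
from pathlib import Path

SSO_KEYS = {"sso_session", "sso_start_url", "sso_account_id", "sso_role_name", "sso_region"}
STATIC_KEYS = {"aws_access_key_id", "aws_secret_access_key"}

def load_profiles(text, is_config_file):
    """Parse AWS INI text into {profile_name: {key: value}}."""
    parser = configparser.RawConfigParser()  # no % interpolation of values
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section
        if is_config_file:
            # config uses "[profile NAME]" for everything except "[default]"
            if section.startswith("profile "):
                name = section[len("profile "):].strip()
            elif section != "default":
                continue  # e.g. "[sso-session NAME]" is not a profile
        profiles[name] = dict(parser.items(section))
    return profiles

def audit_profiles(config_text, credentials_text, cache_dir):
    """Report profiles with SSO settings; values of secrets are never returned."""
    config = load_profiles(config_text, True)
    creds = load_profiles(credentials_text, False)
    findings = {}
    for name in sorted(set(config) | set(creds)):
        merged = {**config.get(name, {}), **creds.get(name, {})}
        if not SSO_KEYS & merged.keys():
            continue
        # Assumed cache key: session name if present, else the start URL.
        key_src = merged.get("sso_session") or merged.get("sso_start_url", "")
        token = Path(cache_dir) / (hashlib.sha1(key_src.encode()).hexdigest() + ".json")
        findings[name] = {
            "static_keys_also_present": STATIC_KEYS <= merged.keys(),
            "sso_token_cached": token.is_file(),
            "expected_token_file": token.name,
        }
    return findings

if __name__ == "__main__":
    aws = Path.home() / ".aws"
    read = lambda p: p.read_text() if p.is_file() else ""
    report = audit_profiles(read(aws / "config"), read(aws / "credentials"), aws / "sso" / "cache")
    for profile, finding in report.items():
        print(profile, finding)
```

A profile reported with `static_keys_also_present: True` and `sso_token_cached: False` matches the situation in the log: static keys exist, but the SSO settings in the same profile point at a token file that is not there.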