feat(jobs): permissions precisions

Author: thomas-tacquet

pages/iam/reference-content/permission-sets.mdx

@@ -65,7 +65,7 @@ Below is a list of the permission sets available at Scaleway.
 | FunctionsFullAccess          | Full access to create, read, list, edit and delete Functions                          |
 | MessagingAndQueuingReadOnly  | List and read access to Messaging                                             |
 | MessagingAndQueuingFullAccess | Full access to create, read, list, edit and delete Messaging                          |
-| ServerlessJobsFullAccess     | Full access to create, read, list, edit and delete job definition/run |
+| ServerlessJobsFullAccess     | Full access to create, read, list, edit and delete job definition/run. To start a job, in some conditions permissions to Registry and Secret Manager can be required. |
 | ServerlessJobsReadOnly       | List and read access to job definition/run |
 | ServerlessSQLDatabaseReadOnly| List and read access to Serverless SQL Database |
 | ServerlessSQLDatabaseReadWrite| List, read and write access to Serverless SQL Database. Includes data and table structure edition. Does not include permissions to create databases or edit settings |

pages/serverless-jobs/how-to/create-job.mdx

@@ -49,13 +49,13 @@ Scaleway's Serverless Jobs allows you to create jobs from several container [reg
 <Tabs>
     <TabsTab label="Data">
     1. Declare [environment variables](/serverless-jobs/concepts/#environment-variables) you want to inject into your job. For each environment variable, click **+Add variable** and enter the key/value pair.
-    2. Add [secrets references](/serverless-functions/concepts/#secrets) for your Job. Secret references are environment variables fetched from [Scaleway Secret Manager](/secret-manager/) that are injected into your job, but the values are not retained or displayed by Scaleway after initial validation. 
+    2. Add [secrets references](/serverless-functions/concepts/#secrets) for your Job. Secret references are environment variables fetched from [Scaleway Secret Manager](/secret-manager/) that are injected into your job, but the values are not retained or displayed by Scaleway after initial validation.
           <Message type="note">
           Encode your environment variables and secrets to `base64` if they are too large, and contain carriage returns.
           </Message>
     </TabsTab>
     <TabsTab label="Storage">
-    - Customize the ephemeral storage for your job according to your requirements. The data stored in your job is not retained once it is finished. 
+    - Customize the ephemeral storage for your job according to your requirements. The data stored in your job is not retained once it is finished.
     </TabsTab>
     <TabsTab label="Execution">
     1. Add a **startup command** to your job. It will be executed every time your job is run.
@@ -114,13 +114,13 @@ Private external container registries are currently not supported.
 <Tabs>
     <TabsTab label="Data">
     1. Declare [environment variables](/serverless-jobs/concepts/#environment-variables) you want to inject into your job. For each environment variable, click **+Add variable** and enter the key/value pair.
-    2. Add [secrets references](/serverless-functions/concepts/#secrets) for your Job. Secret references are environment variables fetched from [Scaleway Secret Manager](/secret-manager/) that are injected into your job, but the values are not retained or displayed by Scaleway after initial validation. 
+    2. Add [secrets references](/serverless-functions/concepts/#secrets) for your Job. Secret references are environment variables fetched from [Scaleway Secret Manager](/secret-manager/) that are injected into your job, but the values are not retained or displayed by Scaleway after initial validation.
           <Message type="note">
           Encode your environment variables and secrets to `base64` if they are too large, and contain carriage returns.
           </Message>
     </TabsTab>
     <TabsTab label="Storage">
-    - Customize the ephemeral storage for your job according to your requirements. The data stored in your job is not retained once it is finished. 
+    - Customize the ephemeral storage for your job according to your requirements. The data stored in your job is not retained once it is finished.
     </TabsTab>
     <TabsTab label="Execution">
     1. Add a **startup command** to your job. It will be executed every time your job is run.

pages/serverless-jobs/how-to/run-job.mdx

@@ -49,8 +49,18 @@ The **Job runs** section contains basic monitoring information for your jobs:
     - A start date and an end date
     - The duration of the job execution
 
+## Permissions and product dependencies
+
+Depending some settings Serverless Jobs can rely on different products like:
+- **Secret Manager**: to securly inject data into Jobs
+- **Container Registry**: to store images of Jobs
+
+Starting a Job Definition with product dependencies using IAM policies can fail if some permissions are not definied properly.
+
+If the Job Definition uses an image from **Container Registry**, add `ContainerRegistryReadOnly` permission.
+
+If the Job Definition consumes data from **Secret Manager**; add `SecretManagerSecretAccess` permission.
+
 <Message type="tip">
   Use [Cockpit](/cockpit/quickstart/) for in-depth monitoring of the activity of your serverless jobs.
 </Message>
-
-

pages/serverless-jobs/troubleshooting/job-in-error-state.mdx

@@ -15,4 +15,6 @@ My job run is in an error state.
 
 - Make sure that you have built your image for an `amd64` architecture, as `arm64` is not supported. See the [Architecture](/serverless-jobs/reference-content/jobs-limitations/#architecture) documentation for more information.
 
-- Make sure that your deployment does not exceed the limitations of [Serverless Jobs](/serverless-jobs/reference-content/jobs-limitations/).
+- Make sure that your deployment does not exceed the limitations of [Serverless Jobs](/serverless-jobs/reference-content/jobs-limitations/).
+
+- Make sure to use the correct permissions when other products are involved [Permission dependencies](/serverless-jobs/how-to/run-job/#permissions-and-product-dependencies)