feat: Azure get-well [COMP-806]#1315
Conversation
Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>
Revert studios/add-studio.md to master version. The overview.md whitespace fixes are enforced by pre-commit hooks and remain as-is. Cloud changes ported to azure-getwell-cloud branch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Restore custom-roles.md and roles.md to master versions. Cloud changes to be ported separately to azure-getwell-cloud branch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…s/docs into justine-azure-get-well
Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>
@MichaelTansiniSeqera, this is good to review.
| When you submit a pipeline to this compute environment, Nextflow will authenticate using the managed identity associated with the Azure Batch node it runs on, rather than relying on access keys. | ||
| :::caution | ||
| If a managed identity is misconfigured (e.g., invalid client ID or missing RBAC roles), the pipeline will fail with an explicit error. Seqera will not silently fall back to access key authentication. |
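Review bot: the phrase "rather than relying on access keys" in the first line of this hunk contrasts the wrong pair of credentials. As the thread below spells out, access keys and an Entra service principal are alternative control-plane credentials for Platform itself; what the head managed identity replaces is the service principal credentials that are otherwise passed into the Nextflow config on the head VM. Suggest rewording to "rather than service principal credentials copied to the node", and extending the caution to state that when no head managed identity is configured, Platform passes the service principal credentials to the head job.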
@adamrtalbot or @jonmarti correct me if I'm wrong but we fall back to the Entra Service Principal if the MI is wrong, but we DON'T do that for access keys right? If so, we should make that clear here
The fallback model is a bit subtler than "MI wrong → fall back to SP". Two layers behave differently:
Control plane (Platform → Azure Batch / Storage): whatever credential is configured (access keys or Entra service principal) is what Platform uses. The two are alternatives, not a runtime chain. Bad keys, invalid/expired client secrets, or missing RBAC all fail loudly with no silent fallback. Some features (VNet/subnet, managed identity assignment) require Entra because the underlying operation only accepts AAD tokens.
Data plane on the VM (Nextflow head + tasks → Storage / ACR):
| Credential | Head MI configured? | How the head VM authenticates |
|---|---|---|
| Access keys | n/a | Storage account key provisioned to the VM |
| Entra SP | No | SP credentials passed into the Nextflow config ⚠ secret on the VM |
| Entra SP | Yes | Short-lived token from the Azure metadata service (no creds on the VM) |
| Entra SP | Yes, but invalid / missing RBAC | Fails — no silent fallback to the SP at runtime |
So the existing caution is correct for runtime. What's worth adding is the config-time half; that's where the "fallback" really lives:
When a head managed identity is not configured, Platform passes the service principal credentials to the head job so it can authenticate to Azure services. The managed identity removes the long-lived secret from the compute node, so configuring it is recommended for production deployments. The same applies to the pool managed identity used by compute tasks.
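As an added example (not part of this PR or the Seqera docs), a small Python check that parses the JSON from `az role assignment list --assignee <id> -o json` (assumed to carry `roleDefinitionName` and `scope` fields) and reports which of the roles discussed in this thread are missing for the managed identity, and for the service principal that attaches it to the pool. The sample output is constructed, with placeholder subscription and resource names.

```python
import json

# Constructed sample of `az role assignment list --assignee <clientId> -o json`,
# trimmed to the two fields used here. Subscription and resource names are placeholders.
SAMPLE_MI_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Storage Blob Data Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-nf"
              "/providers/Microsoft.Storage/storageAccounts/nfwork"},
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-nf"},
])

# Roles the pool/head managed identity needs, keyed to the resource type they must cover.
MI_REQUIRED_ROLES = {
    "Storage Blob Data Contributor": "Microsoft.Storage/storageAccounts",
    "AcrPull": "Microsoft.ContainerRegistry/registries",
}

# Role the Entra service principal needs so Platform can attach the identity to a Batch pool.
SP_REQUIRED_ROLES = {
    "Managed Identity Operator": "Microsoft.ManagedIdentity/userAssignedIdentities",
}


def covers(scope: str, resource_type: str) -> bool:
    """True if an assignment at `scope` applies to resources of `resource_type`.

    Azure RBAC inherits downward, so an assignment without a provider segment
    (resource group or subscription scope) covers everything beneath it.
    """
    s = scope.lower()
    return resource_type.lower() in s or "/providers/" not in s


def missing_roles(az_json: str, required: dict) -> list:
    """Return the required roles that no assignment in `az_json` satisfies."""
    assignments = json.loads(az_json)
    missing = []
    for role, resource_type in required.items():
        granted = any(
            a.get("roleDefinitionName") == role and covers(a.get("scope", ""), resource_type)
            for a in assignments
        )
        if not granted:
            missing.append(role)
    return missing


if __name__ == "__main__":
    # The sample identity has blob access but no AcrPull, so ACR pulls would fail.
    print("Managed identity missing:", missing_roles(SAMPLE_MI_ASSIGNMENTS, MI_REQUIRED_ROLES))
```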
@jonmarti, I have updated the content - please could you review and LMK if you have any feedback. Thanks!
Document the disable/enable compute environment feature in the enterprise compute environment overview, mirroring the cloud docs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ty guidance - Fix swapped Tenant ID / Client ID field labels in the Entra credential instructions (Tenant ID maps to Directory (tenant) ID; Client ID maps to Application (client) ID). - Add Managed Identity Operator role assignment for the service principal, required to attach a managed identity to a Batch pool. - Rename Azure Batch Data Contributor to Azure Batch Contributor (the built-in role sufficient for management-plane pool creation). - Add AcrPull role guidance on the managed identity for ACR image pulls. - Document why managed identities require Entra credentials (management-plane pool creation only accepts AAD tokens). - Document the four managed identity fields (resource ID vs client ID, head vs worker pool) and how they work in single-pool and dual-pool topologies. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jonmarti
left a comment
LGTM, minor suggestions
| 1. In Azure, create a user-assigned managed identity. See [Manage user-assigned managed identities][azure-managed-identity] for detailed steps. Take note of both the **client ID** and the **resource ID** of the managed identity when you create it. | ||
| 2. Assign the following roles to the managed identity: | ||
| - **Storage Blob Data Contributor** on the Azure Storage account, so the pool VMs can read inputs and write outputs. | ||
| - **AcrPull** on any Azure Container Registry the pipeline pulls images from. Without thƒis role, container pulls fail when the pool VM authenticates via the managed identity. |
| - **AcrPull** on any Azure Container Registry the pipeline pulls images from. Without thƒis role, container pulls fail when the pool VM authenticates via the managed identity. | |
| - **AcrPull** on any Azure Container Registry the pipeline pulls images from. Without this role, container pulls fail when the pool VM authenticates via the managed identity. |
| 1. Select **Review and Create**. | ||
| 1. Select **Create** to create the Azure Storage account. | ||
| 8. Select **Data protection**. | ||
| - Configure appropriate settings. All settings are supported Platform. |
| - Configure appropriate settings. All settings are supported Platform. | |
| - Configure appropriate settings. All settings are supported by Platform. |
Fixes: https://seqera.atlassian.net/browse/COMP-806.
Fixes: https://seqera.atlassian.net/browse/EDU-1058