
docs(aws-cloud): document Seqera Intelligent Compute IAM permissions#1382

Merged
christopher-hakkaart merged 27 commits into master from docs/aws-cloud-seqera-intelligent-compute on May 15, 2026

Conversation

@pditommaso (Contributor)

Summary

Add a new Seqera Intelligent Compute section to the AWS Cloud compute environment docs (cloud + enterprise), documenting the optional capability that offloads Nextflow tasks to a Seqera-managed Amazon ECS cluster, and the additional IAM policy required to enable it.

The new section explains:

  • What Seqera Intelligent Compute does in the AWS Cloud compute environment context (offload tasks from the head EC2 instance to a managed ECS cluster, scaling beyond a single instance while keeping fast startup).
  • That all managed AWS resources use the seqera-sched- prefix and are torn down automatically.
  • The complete IAM policy (seqera-sched-compute-policy) that must be attached to the IAM user/role used by Seqera, in addition to the base AWS Cloud permissions.
  • Which statements are scoped (every action AWS allows to scope by ARN is restricted to seqera-sched-* resources) and which remain Resource: "*" (AWS APIs that don't support resource-level permissions).
  • Which statements are optional (ASGEC2Operations/ASGManagement for ASG-backed clusters, CostExplorer for Cost Analysis).

Files changed

  • platform-cloud/docs/compute-envs/aws-cloud.md
  • platform-enterprise_docs/compute-envs/aws-cloud.md

The new section is placed between AWS credential options / Required permissions and Managed Amazon Machine Image (AMI) in both docs.

Test plan

  • Render preview locally and confirm the new section renders correctly (collapsible <details> block, JSON syntax highlighting, :::note admonition).
  • Confirm in-page anchor #required-platform-iam-permissions (cloud) and #required-permissions (enterprise) resolve correctly from the new section's cross-link.
  • Verify the JSON policy is valid and matches the canonical seqera-sched-compute-policy shipped with the scheduler.

Add a new "Seqera Intelligent Compute" section to the AWS Cloud compute
environment docs (cloud + enterprise) describing the optional capability
that offloads Nextflow tasks to a Seqera-managed Amazon ECS cluster, and
the additional IAM policy required to enable it.

The policy mirrors the seqera-sched compute policy: every action that
AWS allows to be scoped by ARN is restricted to the seqera-sched-*
prefix, with the remaining Resource "*" entries reserved for AWS APIs
that don't support resource-level permissions.
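As an added example (not part of this PR or of the Seqera docs), a small Python checker for the scoping convention the description sets out: every ARN-scopable statement must name only seqera-sched-* resources, and Resource "*" is accepted only for statements on an explicit list of actions that have no resource-level permissions. The sample policy, its statement ids and the accepted list are constructed for illustration and are not the canonical seqera-sched-compute-policy.

```python
import json

PREFIX = "seqera-sched-"

# Constructed sample policy for this example (NOT the canonical seqera-sched-compute-policy):
# two scoped statements, one accepted Resource "*" statement, one deliberately over-broad ARN.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EcsClusters", "Effect": "Allow", "Action": ["ecs:DescribeClusters", "ecs:DeleteCluster"],
         "Resource": "arn:aws:ecs:*:*:cluster/seqera-sched-*"},
        {"Sid": "PassTaskRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": ["arn:aws:iam::*:role/seqera-sched-*"]},
        {"Sid": "DescribeImages", "Effect": "Allow",
         "Action": "ec2:DescribeImages", "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "ecs:DeleteCluster",
         "Resource": "arn:aws:ecs:*:*:cluster/*"},
    ],
})

# Statement ids a reviewer has accepted as needing Resource "*" because their actions
# have no resource-level permission support (assumed list for this example).
ACCEPTED_WILDCARD = frozenset({"DescribeImages"})


def arn_is_scoped(arn: str) -> bool:
    """True when some segment of the ARN's resource part starts with seqera-sched-."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) < 6 or parts[0] != "arn":
        return False
    return any(seg.startswith(PREFIX) for seg in parts[5].replace("/", ":").split(":"))


def audit_policy(policy_json: str, accepted_wildcard=ACCEPTED_WILDCARD) -> dict:
    """Parse the policy JSON and classify each statement as scoped, wildcard, or a violation."""
    policy = json.loads(policy_json)  # raises ValueError if the JSON itself is invalid
    result = {"scoped": [], "wildcard": [], "violations": []}
    for stmt in policy["Statement"]:
        sid, res = stmt.get("Sid", "<no Sid>"), stmt["Resource"]
        resources = [res] if isinstance(res, str) else list(res)
        if resources == ["*"]:
            if sid in accepted_wildcard:
                result["wildcard"].append(sid)
            else:
                result["violations"].append((sid, 'Resource "*" is not on the accepted list'))
        elif all(arn_is_scoped(r) for r in resources):
            result["scoped"].append(sid)
        else:
            bad = [r for r in resources if not arn_is_scoped(r)]
            result["violations"].append((sid, f"resources not under {PREFIX}*: {bad}"))
    return result
```

A mixed list such as `["*", "arn:..."]` is reported as a violation, since the wildcard entry silently widens the statement beyond the prefix.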
@netlify

netlify Bot commented May 4, 2026

Deploy Preview for seqera-docs ready!

Latest commit: 47c502e
Latest deploy log: https://app.netlify.com/projects/seqera-docs/deploys/6a069962be19b30007be8ec0
Deploy Preview: https://deploy-preview-1382--seqera-docs.netlify.app

Comment thread on platform-cloud/docs/compute-envs/aws-cloud.md:
The scheduler never calls DeleteSecurityGroup. The security group it
manages has a static name (seqera-sched-ecs) shared across clusters in
the region and is not torn down per-cluster.
@justinegeffen added the label "do not merge" (Do not merge until this label is removed) on May 4, 2026
justinegeffen and others added 2 commits May 5, 2026 21:50
@stefanoboriero stefanoboriero self-assigned this May 6, 2026
stefanoboriero and others added 3 commits May 8, 2026 14:07
@pditommaso (Contributor, Author)

Has this been aligned with https://github.com/seqeralabs/sched/pull/344? There have been recent changes.

@stefanoboriero (Contributor)

It's not aligned with the change in the permission scoping and the reshuffling of the permissions around statements; it only has one of the missing permissions, as it was raised as missing in a previous comment here: #1382 (comment). I will copy-paste the new structure from the sched PR to this one.

@stefanoboriero (Contributor) commented May 8, 2026

Done in 069690b

@christopher-hakkaart (Member) left a comment


Very minor suggestions. Otherwise, it's looking good.

Note that this will only be added to Cloud and the next Enterprise release.

@stefanoboriero (Contributor)

Awesome. I see @justinegeffen added a do-not-merge label; just letting you know from the engineering side this is good to go, the documented permissions have been tested.

@stefanoboriero (Contributor)

Actually, what do you think about moving this new section before the Create IAM policy section? Currently we have this page layout:

  1. Introduction & Limitations - we explain the rationale behind this CE
  2. Supported Regions
  3. Required IAM permissions - here we explain the permissions for a Basic cloud CE
  4. Instructions on how to create an IAM policy - agnostic of it being Basic or Intelligent
  5. Instructions on how to create an IAM user - agnostic of it being Basic or Intelligent
  6. Instructions on how to create an IAM role - agnostic of it being Basic or Intelligent
  7. How credentials can be set in Platform
  8. Intelligent compute section - what it is and what permissions are required
  9. AMI and advanced options

Reading this top to bottom, I feel like we're breaking the flow and jumping back and forth between topics: first we talk about the IAM permission requirements for Platform, then instructions on how to create IAM resources, then back to other IAM requirements for Platform.

I'd put the Intelligent Compute section right after the Required Platform IAM one, so we keep the two parts where we talk about Platform requirements close together, and after that explain how to create IAM resources.

@christopher-hakkaart (Member)

@stefanoboriero - I see what you're getting at.

I've made a POC of a different structure here: #1411

Let me know what you think

@justinegeffen added the labels "1. Editor review" (Needs a language review) and "1. Dev/PM/SME" (Needs a review by a Dev/PM/SME) on May 12, 2026
@justinegeffen (Contributor)

@stefanoboriero, thank you! Is this in Cloud prod and is it planned for 26.1?

@stefanoboriero (Contributor)

@justinegeffen yes it's in Cloud prod (enabled for internal workspaces only for now) and scheduled to be included in enterprise 26.1

@justinegeffen added the label "2. Reviews complete" (Reviews complete. Remove label when confirmed in prod.) and removed the labels "1. Editor review" (Needs a language review) and "1. Dev/PM/SME" (Needs a review by a Dev/PM/SME) on May 13, 2026
@justinegeffen (Contributor)

> @justinegeffen yes it's in Cloud prod (enabled for internal workspaces only for now) and scheduled to be included in enterprise 26.1

If it's internal workspaces only, should we merge this with a caveat or hold off until 26.1? I'm happy to merge but if customers can't use it we should let them know.

@justinegeffen added the label "do not merge" (Do not merge until this label is removed) on May 13, 2026
@gavinelder (Contributor) left a comment


This IAM policy was missing:

  • DescribeImages: required to get and validate the AMI.
  • PassRole on the TowerForge-created IAM roles.

christopher-hakkaart and others added 5 commits May 14, 2026 12:04
@christopher-hakkaart (Member)

Gavin's suggestions have been merged, and I have added admonitions to make it clear that it's a private preview.

@christopher-hakkaart christopher-hakkaart merged commit f5bdab1 into master May 15, 2026
5 of 7 checks passed
@christopher-hakkaart christopher-hakkaart deleted the docs/aws-cloud-seqera-intelligent-compute branch May 15, 2026 03:56