From 594977176a246b5ea80c37170ff08d26d43dbf00 Mon Sep 17 00:00:00 2001 From: Paolo Di Tommaso Date: Mon, 4 May 2026 17:02:06 +0200 Subject: [PATCH 01/21] docs(aws-cloud): document Seqera Intelligent Compute IAM permissions Add a new "Seqera Intelligent Compute" section to the AWS Cloud compute environment docs (cloud + enterprise) describing the optional capability that offloads Nextflow tasks to a Seqera-managed Amazon ECS cluster, and the additional IAM policy required to enable it. The policy mirrors the seqera-sched compute policy: every action that AWS allows to be scoped by ARN is restricted to the seqera-sched-* prefix, with the remaining Resource "*" entries reserved for AWS APIs that don't support resource-level permissions. --- platform-cloud/docs/compute-envs/aws-cloud.md | 196 ++++++++++++++++++ .../compute-envs/aws-cloud.md | 194 +++++++++++++++++ 2 files changed, 390 insertions(+) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index ecf633381..fc8a30d93 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -426,6 +426,202 @@ Use the IAM role ARN which Seqera must use for accessing your AWS resources in * Existing credentials created before March 2026 continue to work without changes. +## Seqera Intelligent Compute + +Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior. + +When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. + +### Additional IAM permissions + +Enabling Seqera Intelligent Compute requires an additional IAM policy on top of the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. + +Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer). + +
+Seqera Intelligent Compute policy + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ECSScopedOperations", + "Effect": "Allow", + "Action": [ + "ecs:CreateCluster", + "ecs:DeleteCluster", + "ecs:DescribeClusters", + "ecs:ListTasks", + "ecs:PutClusterCapacityProviders", + "ecs:CreateCapacityProvider", + "ecs:DeleteCapacityProvider", + "ecs:DescribeCapacityProviders", + "ecs:DeregisterTaskDefinition", + "ecs:DescribeTaskDefinition", + "ecs:RunTask", + "ecs:StopTask", + "ecs:DescribeTasks", + "ecs:DescribeContainerInstances", + "ecs:TagResource" + ], + "Resource": "arn:aws:ecs:*:*:*/seqera-sched-*" + }, + { + "Sid": "ECSUnscopedOperations", + "Effect": "Allow", + "Action": [ + "ecs:RegisterTaskDefinition", + "ecs:ListTaskDefinitions", + "ecs:ListTaskDefinitionFamilies" + ], + "Resource": "*" + }, + { + "Sid": "IAMRoleManagement", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:GetRole", + "iam:DeleteRole", + "iam:PutRolePolicy", + "iam:DeleteRolePolicy", + "iam:ListRolePolicies", + "iam:AttachRolePolicy", + "iam:DetachRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:CreateInstanceProfile", + "iam:GetInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:ListInstanceProfilesForRole", + "iam:RemoveRoleFromInstanceProfile", + "iam:DeleteInstanceProfile" + ], + "Resource": [ + "arn:aws:iam::*:role/seqera-sched-*", + "arn:aws:iam::*:instance-profile/seqera-sched-*" + ] + }, + { + "Sid": "PassRoleToECS", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::*:role/seqera-sched-*", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ecs-tasks.amazonaws.com", + "ecs.amazonaws.com", + "ec2.amazonaws.com" + ] + } + } + }, + { + "Sid": "CloudWatchLogs", + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:DeleteLogGroup", + "logs:PutRetentionPolicy", + "logs:DescribeLogStreams", + "logs:GetLogEvents", + "logs:TagResource" + ], + "Resource": 
"arn:aws:logs:*:*:log-group:/seqera/sched*" + }, + { + "Sid": "EC2NetworkDiscovery", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeRouteTables", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeInstances", + "ec2:CreateSecurityGroup", + "ec2:CreateVpcEndpoint", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:DeleteSecurityGroup", + "ec2:CreateTags" + ], + "Resource": "*" + }, + { + "Sid": "ECRAccess", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage" + ], + "Resource": "*" + }, + { + "Sid": "S3Access", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListAllMyBuckets" + ], + "Resource": "*" + }, + { + "Sid": "ASGEC2Operations", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceTypes", + "ec2:CreateLaunchTemplate", + "ec2:DeleteLaunchTemplate", + "ec2:RunInstances" + ], + "Resource": "*" + }, + { + "Sid": "ASGManagement", + "Effect": "Allow", + "Action": [ + "autoscaling:CreateAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + "autoscaling:DeleteAutoScalingGroup", + "autoscaling:CreateOrUpdateTags" + ], + "Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*" + }, + { + "Sid": "ASGDescribe", + "Effect": "Allow", + "Action": "autoscaling:DescribeAutoScalingGroups", + "Resource": "*" + }, + { + "Sid": "SSMECSOptimizedAmi", + "Effect": "Allow", + "Action": "ssm:GetParameter", + "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*" + }, + { + "Sid": "CostExplorer", + "Effect": "Allow", + "Action": "ce:GetCostAndUsage", + "Resource": "*" + } + ] +} +``` + +
+ +:::note +- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. +- The `CostExplorer` statement is only required if you enable Cost Analysis. +::: + +Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps. + ## Managed Amazon Machine Image (AMI) The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 42a12402c..62d44fccc 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
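Review bot: The `S3Access`, `ECRAccess` and `EC2NetworkDiscovery` statements use `"Resource": "*"` for actions that do support resource-level permissions, so the sentence above the policy stating that the wildcard entries correspond to APIs that cannot be scoped is not accurate: `s3:GetObject`/`s3:ListBucket` on `*` grant read access to every bucket in the account, `ecr:BatchGetImage`/`ecr:GetDownloadUrlForLayer`/`ecr:BatchCheckLayerAvailability` to every repository, and `ec2:CreateSecurityGroup`/`ec2:AuthorizeSecurityGroupEgress`/`ec2:DeleteSecurityGroup`/`ec2:CreateTags` are mutating calls that accept security-group ARNs, not `Describe*` discovery. Either narrow those entries (work/data bucket and object ARNs, repository ARNs, and tag conditions such as `aws:RequestTag`/`aws:ResourceTag` for the security-group calls, since security-group ARNs carry an ID rather than a name) or soften the sentence, e.g. `The remaining Resource: "*" entries cover AWS APIs that do not support resource-level permissions; the S3, ECR, and EC2 security-group entries can be narrowed further to your own buckets, repositories, and VPC.` Separately, `IAMRoleManagement` allows `iam:AttachRolePolicy`/`iam:PutRolePolicy` with no restriction on which policies end up on a `seqera-sched-*` role, and `PassRoleToECS` then hands that role to EC2/ECS, so an `iam:PermissionsBoundary` condition on `iam:CreateRole`, `iam:PutRolePolicy` and `iam:AttachRolePolicy` (or an `iam:PolicyARN` allow-list on `AttachRolePolicy`) is worth recommending so the managed roles cannot exceed the caller's own permissions. The same policy text is duplicated verbatim in the platform-enterprise_docs hunk below (`@@ -231,6 +231,200 @@`), so both copies need the same change.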
@@ -231,6 +231,200 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` +## Seqera Intelligent Compute + +Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior. + +When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. + +### Additional IAM permissions + +Enabling Seqera Intelligent Compute requires the following IAM policy in addition to the [Required permissions](#required-permissions) listed above. Attach it to the same IAM user or role that Seqera uses to access your AWS account. + +Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer). + +
+Seqera Intelligent Compute policy + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ECSScopedOperations", + "Effect": "Allow", + "Action": [ + "ecs:CreateCluster", + "ecs:DeleteCluster", + "ecs:DescribeClusters", + "ecs:ListTasks", + "ecs:PutClusterCapacityProviders", + "ecs:CreateCapacityProvider", + "ecs:DeleteCapacityProvider", + "ecs:DescribeCapacityProviders", + "ecs:DeregisterTaskDefinition", + "ecs:DescribeTaskDefinition", + "ecs:RunTask", + "ecs:StopTask", + "ecs:DescribeTasks", + "ecs:DescribeContainerInstances", + "ecs:TagResource" + ], + "Resource": "arn:aws:ecs:*:*:*/seqera-sched-*" + }, + { + "Sid": "ECSUnscopedOperations", + "Effect": "Allow", + "Action": [ + "ecs:RegisterTaskDefinition", + "ecs:ListTaskDefinitions", + "ecs:ListTaskDefinitionFamilies" + ], + "Resource": "*" + }, + { + "Sid": "IAMRoleManagement", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:GetRole", + "iam:DeleteRole", + "iam:PutRolePolicy", + "iam:DeleteRolePolicy", + "iam:ListRolePolicies", + "iam:AttachRolePolicy", + "iam:DetachRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:CreateInstanceProfile", + "iam:GetInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:ListInstanceProfilesForRole", + "iam:RemoveRoleFromInstanceProfile", + "iam:DeleteInstanceProfile" + ], + "Resource": [ + "arn:aws:iam::*:role/seqera-sched-*", + "arn:aws:iam::*:instance-profile/seqera-sched-*" + ] + }, + { + "Sid": "PassRoleToECS", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::*:role/seqera-sched-*", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ecs-tasks.amazonaws.com", + "ecs.amazonaws.com", + "ec2.amazonaws.com" + ] + } + } + }, + { + "Sid": "CloudWatchLogs", + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:DeleteLogGroup", + "logs:PutRetentionPolicy", + "logs:DescribeLogStreams", + "logs:GetLogEvents", + "logs:TagResource" + ], + "Resource": 
"arn:aws:logs:*:*:log-group:/seqera/sched*" + }, + { + "Sid": "EC2NetworkDiscovery", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeRouteTables", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeInstances", + "ec2:CreateSecurityGroup", + "ec2:CreateVpcEndpoint", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:DeleteSecurityGroup", + "ec2:CreateTags" + ], + "Resource": "*" + }, + { + "Sid": "ECRAccess", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage" + ], + "Resource": "*" + }, + { + "Sid": "S3Access", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListAllMyBuckets" + ], + "Resource": "*" + }, + { + "Sid": "ASGEC2Operations", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceTypes", + "ec2:CreateLaunchTemplate", + "ec2:DeleteLaunchTemplate", + "ec2:RunInstances" + ], + "Resource": "*" + }, + { + "Sid": "ASGManagement", + "Effect": "Allow", + "Action": [ + "autoscaling:CreateAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + "autoscaling:DeleteAutoScalingGroup", + "autoscaling:CreateOrUpdateTags" + ], + "Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*" + }, + { + "Sid": "ASGDescribe", + "Effect": "Allow", + "Action": "autoscaling:DescribeAutoScalingGroups", + "Resource": "*" + }, + { + "Sid": "SSMECSOptimizedAmi", + "Effect": "Allow", + "Action": "ssm:GetParameter", + "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*" + }, + { + "Sid": "CostExplorer", + "Effect": "Allow", + "Action": "ce:GetCostAndUsage", + "Resource": "*" + } + ] +} +``` + +
+ +:::note +- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. +- The `CostExplorer` statement is only required if you enable Cost Analysis. +::: + ## Managed Amazon Machine Image (AMI) The AWS Cloud compute environment uses an AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: From c9a838d294cf125cf6653495f2d2dca0aa5ec9a8 Mon Sep 17 00:00:00 2001 From: Paolo Di Tommaso Date: Mon, 4 May 2026 17:41:42 +0200 Subject: [PATCH 02/21] docs(aws-cloud): drop unused ec2:DeleteSecurityGroup from SIC policy The scheduler never calls DeleteSecurityGroup. The security group it manages has a static name (seqera-sched-ecs) shared across clusters in the region and is not torn down per-cluster. --- platform-cloud/docs/compute-envs/aws-cloud.md | 1 - platform-enterprise_docs/compute-envs/aws-cloud.md | 1 - 2 files changed, 2 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index fc8a30d93..8995e9eb1 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -543,7 +543,6 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc "ec2:CreateSecurityGroup", "ec2:CreateVpcEndpoint", "ec2:AuthorizeSecurityGroupEgress", - "ec2:DeleteSecurityGroup", "ec2:CreateTags" ], "Resource": "*" diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 62d44fccc..c7d66fccf 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -348,7 +348,6 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc "ec2:CreateSecurityGroup", "ec2:CreateVpcEndpoint", "ec2:AuthorizeSecurityGroupEgress", - "ec2:DeleteSecurityGroup", "ec2:CreateTags" ], "Resource": "*" From ebeb859441f6c5a79c9fc4a6d3f9c738bdf9a182 Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 5 May 2026 21:50:41 +0200 Subject: [PATCH 03/21] Apply suggestion from @christopher-hakkaart Co-authored-by: Chris Hakkaart Signed-off-by: Justine Geffen --- platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 8995e9eb1..30ea8deb2 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -428,9 +428,9 @@ Existing credentials created before March 2026 continue to work without changes. ## Seqera Intelligent Compute -Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior. +Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior. -When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. +When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. ### Additional IAM permissions From 24f118d9a07e1a1498223d25a898172a0e52c36c Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 5 May 2026 21:50:51 +0200 Subject: [PATCH 04/21] Apply suggestion from @christopher-hakkaart Co-authored-by: Chris Hakkaart Signed-off-by: Justine Geffen --- platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 30ea8deb2..b869c9ae9 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -434,9 +434,9 @@ When you enable Seqera Intelligent Compute, Seqera provisions and manages all EC ### Additional IAM permissions -Enabling Seqera Intelligent Compute requires an additional IAM policy on top of the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. +Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. -Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer). +The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer.
Seqera Intelligent Compute policy From 141b8cf977bac170bc2f3f5be1da58daa18639d3 Mon Sep 17 00:00:00 2001 From: Stefano Boriero Date: Fri, 8 May 2026 14:07:17 +0200 Subject: [PATCH 05/21] Update platform-cloud/docs/compute-envs/aws-cloud.md Co-authored-by: Chris Hakkaart Signed-off-by: Stefano Boriero --- platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index b869c9ae9..24bb24125 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -615,8 +615,8 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
:::note -- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. -- The `CostExplorer` statement is only required if you enable Cost Analysis. +- The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments. +- The `CostExplorer` statement is required only if you enable Cost Analysis. ::: Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps. From a74da83412c2ec85e73599253b8bcec89e37c588 Mon Sep 17 00:00:00 2001 From: Stefano Boriero Date: Fri, 8 May 2026 14:15:53 +0200 Subject: [PATCH 06/21] feat: add optional permissions to create service linked role --- platform-cloud/docs/compute-envs/aws-cloud.md | 12 ++++++++++++ platform-enterprise_docs/compute-envs/aws-cloud.md | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 24bb24125..33911b94e 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -596,6 +596,17 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The "Action": "autoscaling:DescribeAutoScalingGroups", "Resource": "*" }, + { + "Sid": "CreateECSServiceLinkedRole", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.com/AWSServiceRoleForECSCompute", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "ecs-compute.amazonaws.com" + } + } + }, { "Sid": "SSMECSOptimizedAmi", "Effect": "Allow", 
@@ -616,6 +627,7 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The :::note - The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments. +- The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created. - The `CostExplorer` statement is required only if you enable Cost Analysis. ::: diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index c7d66fccf..623b5e9d6 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md @@ -401,6 +401,17 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc "Action": "autoscaling:DescribeAutoScalingGroups", "Resource": "*" }, + { + "Sid": "CreateECSServiceLinkedRole", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.com/AWSServiceRoleForECSCompute", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "ecs-compute.amazonaws.com" + } + } + }, { "Sid": "SSMECSOptimizedAmi", "Effect": "Allow", @@ -421,6 +432,7 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc :::note - The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. +- The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created. - The `CostExplorer` statement is only required if you enable Cost Analysis. ::: From d87de68c8b83a1d92919c11b54f219581f99d8ff Mon Sep 17 00:00:00 2001 
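Review bot: The new note bullet `- The \`CreateECSServiceLinkedRole\` is required only if the Service Role is not already created.` is missing its noun and does not say which role it refers to; the statement's `Resource` names `AWSServiceRoleForECSCompute`, so the bullet should read `- The CreateECSServiceLinkedRole statement is required only if the AWSServiceRoleForECSCompute service-linked role does not already exist in the account.` (keeping the Sid and role name in backticks as the neighbouring bullets do). The same bullet is added to the platform-enterprise_docs note in the `@@ -421,6 +432,7 @@` hunk. The statement itself is well scoped, with the exact role ARN plus an `iam:AWSServiceName` condition, so nothing to change there.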
From: Stefano Boriero Date: Fri, 8 May 2026 14:18:35 +0200 Subject: [PATCH 07/21] chore: align changes between cloud and enterprise --- platform-enterprise_docs/compute-envs/aws-cloud.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 623b5e9d6..f7df7d3aa 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -233,15 +233,15 @@ The following permissions enable Seqera to populate values for dropdown fields. ## Seqera Intelligent Compute -Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior. +Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior. -When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. +When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. ### Additional IAM permissions -Enabling Seqera Intelligent Compute requires the following IAM policy in addition to the [Required permissions](#required-permissions) listed above. Attach it to the same IAM user or role that Seqera uses to access your AWS account. +Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. 
-Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer). +The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer.
Seqera Intelligent Compute policy @@ -431,7 +431,7 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc
:::note -- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. +- The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments. - The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created. - The `CostExplorer` statement is only required if you enable Cost Analysis. ::: From 069690b3522c3db0eaff717263cda811c2495748 Mon Sep 17 00:00:00 2001 From: Stefano Boriero Date: Fri, 8 May 2026 17:08:05 +0200 Subject: [PATCH 08/21] chore: align with scheduler permission updates --- platform-cloud/docs/compute-envs/aws-cloud.md | 35 +++++++++++-------- .../compute-envs/aws-cloud.md | 35 +++++++++++-------- 2 files changed, 40 insertions(+), 30 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 33911b94e..b4f70c39f 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -452,13 +452,10 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The "ecs:CreateCluster", "ecs:DeleteCluster", "ecs:DescribeClusters", - "ecs:ListTasks", "ecs:PutClusterCapacityProviders", "ecs:CreateCapacityProvider", "ecs:DeleteCapacityProvider", "ecs:DescribeCapacityProviders", - "ecs:DeregisterTaskDefinition", - "ecs:DescribeTaskDefinition", "ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks", @@ -472,8 +469,11 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The "Effect": "Allow", "Action": [ "ecs:RegisterTaskDefinition", + "ecs:DeregisterTaskDefinition", + "ecs:DescribeTaskDefinition", "ecs:ListTaskDefinitions", - "ecs:ListTaskDefinitionFamilies" + "ecs:ListTaskDefinitionFamilies", + "ecs:ListTasks" ], "Resource": "*" }, 
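Review bot: This alignment hunk updates the `ASGEC2Operations`/`ASGManagement` bullet to the wording the cloud page adopted in patch 05 but leaves the next bullet as `- The \`CostExplorer\` statement is only required if you enable Cost Analysis.`, which the cloud page already changed to `is required only if`; since the commit's stated purpose is to align the two files, that bullet should be updated in the same way. The `CreateECSServiceLinkedRole` bullet between them also still lacks the word "statement" and is worth fixing while here.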
@@ -517,6 +517,22 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The } } }, + { + "Sid": "ServiceLinkedRoles", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "ecs.amazonaws.com", + "ecs-compute.amazonaws.com", + "autoscaling.amazonaws.com", + "spot.amazonaws.com" + ] + } + } + }, { "Sid": "CloudWatchLogs", "Effect": "Allow", @@ -596,17 +612,6 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The "Action": "autoscaling:DescribeAutoScalingGroups", "Resource": "*" }, - { - "Sid": "CreateECSServiceLinkedRole", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.com/AWSServiceRoleForECSCompute", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "ecs-compute.amazonaws.com" - } - } - }, { "Sid": "SSMECSOptimizedAmi", "Effect": "Allow", diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index f7df7d3aa..ed569588b 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md @@ -257,13 +257,10 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The "ecs:CreateCluster", "ecs:DeleteCluster", "ecs:DescribeClusters", - "ecs:ListTasks", "ecs:PutClusterCapacityProviders", "ecs:CreateCapacityProvider", "ecs:DeleteCapacityProvider", "ecs:DescribeCapacityProviders", - "ecs:DeregisterTaskDefinition", - "ecs:DescribeTaskDefinition", "ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks", 
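Review bot: Replacing `CreateECSServiceLinkedRole` with the `ServiceLinkedRoles` statement (here and in the removal at `@@ -596,17 +612,6 @@`) leaves the `:::note` bullet added earlier in this series stale: the note still says `The \`CreateECSServiceLinkedRole\` is required only if the Service Role is not already created.`, but no statement with that Sid exists after this commit, and neither file's note is touched. Suggested replacement: `- The ServiceLinkedRoles statement is required only if the service-linked roles for ECS, Auto Scaling, and Spot do not already exist in the account.` The platform-enterprise_docs copy (`@@ -322,6 +322,22 @@` and `@@ -401,17 +417,6 @@` below) has the same problem. Widening the resource to `arn:aws:iam::*:role/aws-service-role/*` is acceptable here because the `iam:AWSServiceName` condition bounds creation to the four listed service principals.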
@@ -277,8 +274,11 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The "Effect": "Allow", "Action": [ "ecs:RegisterTaskDefinition", + "ecs:DeregisterTaskDefinition", + "ecs:DescribeTaskDefinition", "ecs:ListTaskDefinitions", - "ecs:ListTaskDefinitionFamilies" + "ecs:ListTaskDefinitionFamilies", + "ecs:ListTasks" ], "Resource": "*" }, @@ -322,6 +322,22 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The } } }, + { + "Sid": "ServiceLinkedRoles", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "ecs.amazonaws.com", + "ecs-compute.amazonaws.com", + "autoscaling.amazonaws.com", + "spot.amazonaws.com" + ] + } + } + }, { "Sid": "CloudWatchLogs", "Effect": "Allow", @@ -401,17 +417,6 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The "Action": "autoscaling:DescribeAutoScalingGroups", "Resource": "*" }, - { - "Sid": "CreateECSServiceLinkedRole", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.com/AWSServiceRoleForECSCompute", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "ecs-compute.amazonaws.com" - } - } - }, { "Sid": "SSMECSOptimizedAmi", "Effect": "Allow", From 91588e8b2c49afbcdce24ff628f5e5aeca8c0f81 Mon Sep 17 00:00:00 2001 From: Stefano Boriero Date: Mon, 11 May 2026 09:02:05 +0200 Subject: [PATCH 09/21] Apply suggestions from code review Co-authored-by: Chris Hakkaart Signed-off-by: Stefano Boriero --- platform-cloud/docs/compute-envs/aws-cloud.md | 2 +- platform-enterprise_docs/compute-envs/aws-cloud.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index b4f70c39f..6ea0f5b71 100644 
--- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -434,7 +434,7 @@ When you enable Seqera Intelligent Compute, Seqera provisions and manages all EC ### Additional IAM permissions -Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. +To enable Seqera Intelligent Compute, attach an additional IAM policy (beyond the [Required Platform IAM permissions](#required-platform-iam-permissions)) to the same IAM user or role that Seqera uses to access your AWS account. The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer. diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index ed569588b..265058a7b 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -239,7 +239,7 @@ When you enable Seqera Intelligent Compute, Seqera provisions and manages all EC
 ### Additional IAM permissions
-Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.
+To enable Seqera Intelligent Compute, attach an additional IAM policy (beyond the [Required Platform IAM permissions](#required-platform-iam-permissions)) to the same IAM user or role that Seqera uses to access your AWS account.
 The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer.
From c9d1495b24cf095f2e37d2261b8f9b355e76f7d7 Mon Sep 17 00:00:00 2001
From: Chris Hakkaart
Date: Wed, 13 May 2026 08:32:16 +1200
Subject: [PATCH 10/21] Restrucutre aws-cloud to include Seqera Intelligent Compute (#1411)
* Restrucutre aws-cloud to include Seqera Intelligent Compute
* [automated] Fix code formatting
* Apply suggestion from @justinegeffen
Signed-off-by: Justine Geffen
---------
Signed-off-by: Justine Geffen
Signed-off-by: Chris Hakkaart
Co-authored-by: Seqera Docs Bot
Co-authored-by: Justine Geffen
---
platform-cloud/docs/compute-envs/aws-cloud.md | 321 +++++++++---------
1 file changed, 166 insertions(+), 155 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 3f1f360f5..239a39b1e 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -25,9 +25,9 @@ The AWS Cloud compute environment addresses these pain points with:
 This type of compute environment is best suited to run Studios and small to medium-sized pipelines. It offers more predictable compute pricing, given the fixed instance types. It spins up a standalone EC2 instance and executes a Nextflow pipeline or Studio session with a local executor on the EC2 machine. At the end of the execution, the instance is terminated.
-## Limitations
-
-- The Nextflow pipeline will run entirely on a single EC2 instance. If the instance does not have sufficient resources, the pipeline execution will fail. For this reason, the number of tasks Nextflow can execute in parallel is limited by the number of cores of the instance type selected. If you need more computing resources, you must create a new compute environment with a larger instance type. This makes the compute environment less suited for larger, more complex pipelines.
+:::caution Limitations
+The Nextflow pipeline will run entirely on a single EC2 instance. If the instance does not have sufficient resources, the pipeline execution will fail. For this reason, the number of tasks Nextflow can execute in parallel is limited by the number of cores of the instance type selected. If you need more computing resources, you must create a new compute environment with a larger instance type. This makes the compute environment less suited for larger, more complex pipelines.
+:::
 ## Supported regions
@@ -56,7 +56,31 @@ The following regions are currently supported: - `us-west-1` - `us-west-2` -## Required Platform IAM permissions +## Seqera Intelligent Compute + +Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior. + +When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. + +If you enable this capability, you must attach the additional permissions described in [Seqera Intelligent Compute permissions](#seqera-intelligent-compute-permissions) below. + +## Managed Amazon Machine Image (AMI) + +The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: + +- Docker engine, configured to run at startup. +- CloudWatch agent. +- The ability to shut down with the `shutdown` command. If this is missing, EC2 instances will keep running and accumulate additional costs. + +### Release cadence and software updates + +The AMI is based on the [Amazon Linux 2023 image](https://docs.aws.amazon.com/linux/al2023/ug/what-is-amazon-linux.html). System package versions are pinned for each specific Amazon Linux 2023 version. Seqera subscribes to the [AWS SNS topic](https://docs.aws.amazon.com/linux/al2023/ug/receive-update-notification.html) to receive Amazon Linux 2023 update notifications. 
When updates are available, this triggers a new Seqera AMI release built on the latest image, which includes system package updates and security patches. + +## Setup + +To use the AWS Cloud compute environment, grant Seqera Platform access to your AWS account. Create an IAM policy with the permissions Platform needs, then attach it to either an IAM user (for long-lived access keys) or an IAM role (for assumed-role credentials) depending on which credential type suits your security model. + +### Required Platform IAM permissions To create and launch pipelines, explore buckets with Data Explorer or run Studio sessions with the AWS Cloud compute environment, an IAM user with specific permissions must be provided. Some permissions are mandatory for the compute environment to be created and function correctly, while others are optional and used for example to provide list of values to pick from in the Platform UI. @@ -170,7 +194,7 @@ A permissive and broad policy with all the required permissions is provided here -### Compute environment creation +#### Compute environment creation The following permissions are required to provision resources in the AWS account. Only IAM roles that will be assumed by the EC2 instance must be provisioned: @@ -202,7 +226,7 @@ The following permissions are required to provision resources in the AWS account } ``` -### Compute environment validation +#### Compute environment validation The following permissions are required to validate the compute environment at creation time. Seqera validates the input provided and that the resource ARNs exist in the target AWS account: @@ -220,7 +244,7 @@ The following permissions are required to validate the compute environment at cr } ``` -### Pipeline and Studio session management +#### Pipeline and Studio session management The following permissions are required to launch pipelines, run Studio sessions, fetch live execution logs from CloudWatch, download logs from S3, and stop the execution: 
@@ -255,7 +279,7 @@ The following permissions are required to launch pipelines, run Studio sessions, } ``` -### Compute environment termination and resource disposal +#### Compute environment termination and resource disposal The following permissions are required to remove resources created by Seqera when the compute environment is deleted: @@ -280,7 +304,7 @@ The following permissions are required to remove resources created by Seqera whe } ``` -### Optional permissions +#### Optional permissions The following permissions enable Seqera to populate values for dropdown fields. If missing, the input fields will not be auto-populated but can still be manually entered. Though optional, these permissions are recommended for a smoother and less error-prone user experience: 
@@ -318,144 +342,7 @@ Platform can retrieve the EC2 instance console output to detect errors in the us ## Create the IAM policy -The policy above must be created in the AWS account where the AWS Batch resources need to be created. - -1. Open the [AWS IAM console](https://console.aws.amazon.com/iam) in the account where you want to create the AWS Batch resources. -1. From the left navigation menu, select **Policies** under **Access management**. -1. Select **Create policy**. -1. On the **Policy editor** section, select the **JSON** tab. -1. Following the instructions detailed in the [IAM permissions breakdown section](#required-platform-iam-permissions) replace the default text in the policy editor area under the **JSON** tab with a policy adapted to your use case, then select **Next**. -1. Enter a name and description for the policy on the **Review and create** page, then select **Create policy**. - -## IAM user creation - -Seqera requires an Identity and Access Management (IAM) User to create and manage AWS Batch resources in your AWS account. We recommend creating a separate IAM policy rather than an IAM User inline policy, as the latter only allows 2048 characters, which may not be sufficient for all the required permissions. - -In certain scenarios, for example when multiple users need to access the same AWS account and provision AWS Batch resources, an IAM role with the required permissions can be created instead, and the IAM user can assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. - -Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [Required Platform IAM permissions](#required-platform-iam-permissions) section. 
Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. - -### Create an IAM user - -1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select **Create User** at the top right of the page. -1. Enter a name for your user (e.g., _seqera_) and select **Next**. -1. Under **Permission options**, select **Attach policies directly**, then search for and select the policy created above, and select **Next**. - * If you prefer to make the IAM user assume a role to manage AWS resources (see the [IAM role creation (optional)](#iam-role-creation-optional) section), create a policy with the following content (edit the AWS principal with the ARN of the role created) and attach it to the IAM user: - - ```json - { - "Sid": "AssumeRoleToManageBatchResources", - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - } - ``` -1. On the last page, review the user details and select **Create user**. - -The user has now been created. The most up-to-date instructions for creating an IAM user can be found in the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). - -### Obtain IAM user credentials - -To get the credentials needed to connect Seqera to your AWS account, follow these steps: - -1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select the newly created user from the users table. -1. Select the **Security credentials** tab, then select **Create access key** under the **Access keys** section. -1. 
In the **Use case** dialog that appears, select **Command line interface (CLI)**, then tick the confirmation checkbox at the bottom to acknowledge that you want to proceed creating an access key, and select **Next**. -1. Optionally provide a description for the access key, like the reason for creating it, then select **Create access key**. -1. Save the **Access key** and **Secret access key** in a secure location as you will need to provide them when creating credentials in Seqera. - -## IAM role creation (optional) - -Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. This is useful when multiple IAM users are used to access the same AWS account: this way the actual permissions to operate on the resources are only granted to a single centralized role. - -1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Roles** in the left navigation menu, then select **Create role** at the top right of the page. -1. Select **Custom trust policy** as the type of trusted entity, provide the following policy and edit the AWS principal with the ARN of the IAM user created in the [IAM user creation](#iam-user-creation) section, then select **Next**. - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "arn:aws:iam:::user/" - ] - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - } - ] - } - ``` -1. On the **Permissions** page, search for and select the policy created in the [IAM user creation](#iam-user-creation) section, then select **Next**. -1. Give the role a name and optionally a description, review the details of the role, optionally provide tags to help you identify the role, then select **Create role**. - -Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. 
- -:::note -Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in your IAM trust policy (`sts:ExternalId`). -::: - -### Role-based trust policy example (Seqera Cloud) - -For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - }, - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" - }, - "Action": "sts:TagSession" - } - ] -} -``` - -## AWS credential options - -AWS credentials can be configured in two ways: - -- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. -- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. - -Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. - -Existing credentials created before March 2026 continue to work without changes. 
- -## Seqera Intelligent Compute - -Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior. - -When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. - -### Additional IAM permissions - -To enable Seqera Intelligent Compute, attach an additional IAM policy (beyond the [Required Platform IAM permissions](#required-platform-iam-permissions)) to the same IAM user or role that Seqera uses to access your AWS account. +If you've enabled [Seqera Intelligent Compute](#seqera-intelligent-compute), attach the following additional policy to the same IAM user or role that Seqera uses to access your AWS account. The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer. 
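Review bot: The `## Create the IAM policy` heading appears to be kept as context directly above the new `If you've enabled [Seqera Intelligent Compute](#seqera-intelligent-compute), attach the following additional policy...` line, while `### Additional IAM permissions` is removed here and a separate `### Create the IAM policy` is added further down in the same commit, so the Intelligent Compute policy now sits under a heading named for a different task and no heading matches the `#seqera-intelligent-compute-permissions` anchor that the new Setup and Create-the-IAM-policy text links to (unless a later patch in the series renames it). Replace that heading with `### Seqera Intelligent Compute permissions` so the anchor resolves and the policy is labelled by what it is. The removed block is a move rather than a deletion; the prose it carries reappears in the next hunk.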
@@ -657,19 +544,143 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The - The `CostExplorer` statement is required only if you enable Cost Analysis. ::: -Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps. +### Create the IAM policy -## Managed Amazon Machine Image (AMI) +The policy above must be created in the AWS account where the AWS Cloud resources need to be created. -The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: +1. Open the [AWS IAM console](https://console.aws.amazon.com/iam) in the account where you want to create the AWS Batch resources. +1. From the left navigation menu, select **Policies** under **Access management**. +1. Select **Create policy**. +1. On the **Policy editor** section, select the **JSON** tab. +1. Following the instructions detailed in the [IAM permissions breakdown section](#required-platform-iam-permissions) replace the default text in the policy editor area under the **JSON** tab with a policy adapted to your use case, then select **Next**. +1. Enter a name and description for the policy on the **Review and create** page, then select **Create policy**. -- Docker engine, configured to run at startup. -- CloudWatch agent. -- The ability to shut down with the `shutdown` command. If this is missing, EC2 instances will keep running and accumulate additional costs. +If you are also enabling Seqera Intelligent Compute, repeat these steps to create a second policy using the [Seqera Intelligent Compute permissions](#seqera-intelligent-compute-permissions) JSON. 
-### Release cadence and software updates +### AWS credential options -The AMI is based on the [Amazon Linux 2023 image](https://docs.aws.amazon.com/linux/al2023/ug/what-is-amazon-linux.html). System package versions are pinned for each specific Amazon Linux 2023 version. Seqera subscribes to the [AWS SNS topic](https://docs.aws.amazon.com/linux/al2023/ug/receive-update-notification.html) to receive Amazon Linux 2023 update notifications. When updates are available, this triggers a new Seqera AMI release built on the latest image, which includes system package updates and security patches. +Before creating an IAM user or role, decide how Seqera will authenticate to your AWS account. AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. + +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + +Existing credentials created before March 2026 continue to work without changes. + +The next two sections cover the AWS-side setup for each option: + +- For **key-based credentials**, follow [IAM user creation](#iam-user-creation) to create a user and obtain access keys. +- For **role-based credentials**, follow both [IAM user creation](#iam-user-creation) (for the assuming principal) and [IAM role creation (optional)](#iam-role-creation-optional) to create the role Seqera will assume. 
+ +### IAM user creation + +Seqera requires an Identity and Access Management (IAM) User to create and manage AWS Batch resources in your AWS account. We recommend creating a separate IAM policy rather than an IAM User inline policy, as the latter only allows 2048 characters, which may not be sufficient for all the required permissions. + +In certain scenarios, for example when multiple users need to access the same AWS account and provision AWS Batch resources, an IAM role with the required permissions can be created instead, and the IAM user can assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. + +Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [Required Platform IAM permissions](#required-platform-iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. + +#### Create an IAM user + +1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select **Create User** at the top right of the page. +1. Enter a name for your user (e.g., _seqera_) and select **Next**. +1. Under **Permission options**, select **Attach policies directly**, then search for and select the policy created above, and select **Next**. 
+ * If you prefer to make the IAM user assume a role to manage AWS resources (see the [IAM role creation (optional)](#iam-role-creation-optional) section), create a policy with the following content (edit the AWS principal with the ARN of the role created) and attach it to the IAM user: + + ```json + { + "Sid": "AssumeRoleToManageBatchResources", + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ``` +1. On the last page, review the user details and select **Create user**. + +The user has now been created. The most up-to-date instructions for creating an IAM user can be found in the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). + +#### Obtain IAM user credentials + +To get the credentials needed to connect Seqera to your AWS account, follow these steps: + +1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select the newly created user from the users table. +1. Select the **Security credentials** tab, then select **Create access key** under the **Access keys** section. +1. In the **Use case** dialog that appears, select **Command line interface (CLI)**, then tick the confirmation checkbox at the bottom to acknowledge that you want to proceed creating an access key, and select **Next**. +1. Optionally provide a description for the access key, like the reason for creating it, then select **Create access key**. +1. Save the **Access key** and **Secret access key** in a secure location as you will need to provide them when creating credentials in Seqera. + +### IAM role creation (optional) + +Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. 
This is useful when multiple IAM users are used to access the same AWS account: this way the actual permissions to operate on the resources are only granted to a single centralized role. + +1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Roles** in the left navigation menu, then select **Create role** at the top right of the page. +1. Select **Custom trust policy** as the type of trusted entity, provide the following policy and edit the AWS principal with the ARN of the IAM user created in the [IAM user creation](#iam-user-creation) section, then select **Next**. + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam:::user/" + ] + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] + } + ``` +1. On the **Permissions** page, search for and select the policy created in the [IAM user creation](#iam-user-creation) section, then select **Next**. +1. Give the role a name and optionally a description, review the details of the role, optionally provide tags to help you identify the role, then select **Create role**. + +Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. + +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in your IAM trust policy (`sts:ExternalId`). 
+::: + +#### Role-based trust policy example (Seqera Cloud) + +For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" + } + ] +} +``` ## Advanced options From dfa53955d88b700770f3035671583a16cb1794a5 Mon Sep 17 00:00:00 2001 From: Chris Hakkaart Date: Wed, 13 May 2026 08:42:25 +1200 Subject: [PATCH 11/21] Apply suggestion from @christopher-hakkaart Signed-off-by: Chris Hakkaart --- platform-cloud/docs/compute-envs/aws-cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 239a39b1e..afc4cdb12 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
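Review bot: The new credential-options bullet sends role-based users through IAM user creation "for the assuming principal", which contradicts the same section's "Use role assumption only (no static keys)" and the Seqera Cloud trust-policy example below it, where the principal is `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` rather than a user; followed as written, it produces an IAM user and long-lived access keys that the role-based flow on this (cloud) page does not use. Suggest `- For **role-based credentials**, follow [IAM role creation (optional)](#iam-role-creation-optional) and trust the Seqera Cloud access role shown in the example below; no IAM user or access keys are required.` The moved step 1 of "Create the IAM policy" and the "IAM user creation" paragraphs still say "AWS Batch resources" although this hunk changes the section's first sentence to "AWS Cloud resources"; apply the same wording there. The "IAM role creation" step 2 also still tells the reader to trust "the ARN of the IAM user created" even though a role-based reader has none.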
@@ -58,7 +58,7 @@ The following regions are currently supported:
 ## Seqera Intelligent Compute
-Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior.
+Seqera Intelligent Compute is a next-generation compute and scheduling service that runs large-scale Nextflow pipelines on a Seqera-managed Amazon ECS cluster, scaling beyond a single instance while preserving the fast startup of the AWS Cloud compute environment
 When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
From 70d81baf51bd4c698c9b52de1167838c6187e3c3 Mon Sep 17 00:00:00 2001
From: Chris Hakkaart
Date: Thu, 14 May 2026 12:04:49 +1200
Subject: [PATCH 12/21] Apply suggestions from code review
Co-authored-by: Gavin
Signed-off-by: Chris Hakkaart
---
platform-cloud/docs/compute-envs/aws-cloud.md | 34 +++++++++++--------
.../compute-envs/aws-cloud.md | 32 +++++++++--------
2 files changed, 37 insertions(+), 29 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index afc4cdb12..700174f69 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
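Review bot: The replacement sentence ends without a period: `...while preserving the fast startup of the AWS Cloud compute environment.` It also drops the one concrete fact the old sentence carried, that tasks run on the ECS cluster instead of on the head EC2 instance, which is what a reader needs in order to understand why the extra IAM policy and the ECS/EC2 PassRole entries exist; keep that clause alongside the new wording. "Next-generation" says nothing about behaviour and could be cut.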
@@ -410,21 +410,24 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "arn:aws:iam::*:instance-profile/seqera-sched-*"
 ]
 },
- {
- "Sid": "PassRoleToECS",
- "Effect": "Allow",
- "Action": "iam:PassRole",
- "Resource": "arn:aws:iam::*:role/seqera-sched-*",
- "Condition": {
- "StringEquals": {
- "iam:PassedToService": [
- "ecs-tasks.amazonaws.com",
- "ecs.amazonaws.com",
- "ec2.amazonaws.com"
- ]
- }
- }
- },
+ {
+ "Sid": "PassRoleToECS",
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": [
+ "arn:aws:iam::*:role/seqera-sched-*",
+ "arn:aws:iam::*:role/TowerForge-*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": [
+ "ecs-tasks.amazonaws.com",
+ "ecs.amazonaws.com",
+ "ec2.amazonaws.com"
+ ]
+ }
+ }
+ },
 {
 "Sid": "ServiceLinkedRoles",
 "Effect": "Allow",
@@ -458,6 +461,7 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "Sid": "EC2NetworkDiscovery",
 "Effect": "Allow",
 "Action": [
+ "ec2:DescribeImages",
 "ec2:DescribeVpcs",
 "ec2:DescribeSubnets",
 "ec2:DescribeSecurityGroups",
diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md
index 265058a7b..7c9413d8e 100644
--- a/platform-enterprise_docs/compute-envs/aws-cloud.md
+++ b/platform-enterprise_docs/compute-envs/aws-cloud.md
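Review bot: `PassRoleToECS` now also allows `arn:aws:iam::*:role/TowerForge-*`, which the page never explains and which contradicts both the sentence above the policy ("The policy scopes every ARN-eligible action to the seqera-sched-* prefix") and the earlier statement that all managed resources use the `seqera-sched-` prefix; readers auditing the policy will rightly ask why a second role family may be passed to ecs-tasks, ecs and ec2. Document what those roles are (presumably roles Seqera created for the account's other compute environments, to be confirmed) and amend the sentence, e.g. `The policy scopes every ARN-eligible action to the seqera-sched-* prefix; the one exception is iam:PassRole, which also covers existing TowerForge-* roles.` Minor: `ec2:DescribeImages` is added under the `EC2NetworkDiscovery` Sid, which no longer describes its contents, and the statement is re-emitted with a different indent, so the diff is far larger than the one-line change it carries. The enterprise file's hunk in this same commit has the same issues.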
@@ -307,21 +307,24 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "arn:aws:iam::*:instance-profile/seqera-sched-*"
 ]
 },
- {
- "Sid": "PassRoleToECS",
- "Effect": "Allow",
- "Action": "iam:PassRole",
- "Resource": "arn:aws:iam::*:role/seqera-sched-*",
- "Condition": {
- "StringEquals": {
- "iam:PassedToService": [
- "ecs-tasks.amazonaws.com",
- "ecs.amazonaws.com",
- "ec2.amazonaws.com"
- ]
- }
+ {
+ "Sid": "PassRoleToECS",
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": [
+ "arn:aws:iam::*:role/seqera-sched-*",
+ "arn:aws:iam::*:role/TowerForge-*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": [
+ "ecs-tasks.amazonaws.com",
+ "ecs.amazonaws.com",
+ "ec2.amazonaws.com"
+ ]
 }
- },
+ }
+ },
 {
 "Sid": "ServiceLinkedRoles",
 "Effect": "Allow",
@@ -355,6 +358,7 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "Sid": "EC2NetworkDiscovery",
 "Effect": "Allow",
 "Action": [
+ "ec2:DescribeImages",
 "ec2:DescribeVpcs",
 "ec2:DescribeSubnets",
 "ec2:DescribeSecurityGroups",
From 4024e2c8e899e14c54c245a0933c899439bb7683 Mon Sep 17 00:00:00 2001
From: Chris Hakkaart
Date: Thu, 14 May 2026 12:05:07 +1200
Subject: [PATCH 13/21] Update platform-cloud/docs/compute-envs/aws-cloud.md
Co-authored-by: Gavin
Signed-off-by: Chris Hakkaart
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 700174f69..a2c42fb3b 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -460,6 +460,7 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 {
 "Sid": "EC2NetworkDiscovery",
 "Effect": "Allow",
+ "Action": [
 "Action": [
 "ec2:DescribeImages",
 "ec2:DescribeVpcs",
From ed2d01b203442446d81642e913a9ab9f49d7f465 Mon Sep 17 00:00:00 2001
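Review bot: The added `"Action": [` line in PATCH 13 duplicates the `"Action": [` that already follows it, so the `EC2NetworkDiscovery` statement in platform-cloud/docs/compute-envs/aws-cloud.md now carries two `Action` keys and an unclosed array, and the policy JSON will be rejected by the IAM policy editor when a reader pastes it. `ec2:DescribeImages` was already added to this statement by PATCH 12, so the hunk should be dropped rather than repaired. None of the later hunks visible in this series touch that line, so the broken JSON appears to survive to PATCH 21. The rest of the statement and the enclosing policy document lie outside the hunk.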
From: Christopher Hakkaart Date: Thu, 14 May 2026 12:15:13 +1200 Subject: [PATCH 14/21] Add Private Access admonition with link --- platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++++ platform-enterprise_docs/compute-envs/aws-cloud.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 7cdbafcfa..3686863a3 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -58,6 +58,10 @@ The following regions are currently supported: ## Seqera Intelligent Compute +:::info[Private preview] +Seqera Intelligent Compute is in Private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. +::: + Seqera Intelligent Compute is a next-generation compute and scheduling service that runs large-scale Nextflow pipelines on a Seqera-managed Amazon ECS cluster, scaling beyond a single instance while preserving the fast startup of the AWS Cloud compute environment When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 7c9413d8e..64d519c4f 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -233,6 +233,10 @@ The following permissions enable Seqera to populate values for dropdown fields. ## Seqera Intelligent Compute +:::info[Private preview] +Seqera Intelligent Compute is in Private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. +::: + Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior. When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. From 695c48ba089bf5ccdae7124da489e0a18a18d2b8 Mon Sep 17 00:00:00 2001 From: Christopher Hakkaart Date: Thu, 14 May 2026 12:17:55 +1200 Subject: [PATCH 15/21] Add Private Access admonition with link --- platform-cloud/docs/compute-envs/aws-cloud.md | 6 +++++- platform-enterprise_docs/compute-envs/aws-cloud.md | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 3686863a3..4aeaa7eb1 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -59,7 +59,7 @@ The following regions are currently supported: ## Seqera Intelligent Compute :::info[Private preview] -Seqera Intelligent Compute is in Private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. +Seqera Intelligent Compute is in private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. ::: Seqera Intelligent Compute is a next-generation compute and scheduling service that runs large-scale Nextflow pipelines on a Seqera-managed Amazon ECS cluster, scaling beyond a single instance while preserving the fast startup of the AWS Cloud compute environment @@ -399,6 +399,10 @@ If you manage your own EC2 instance role (rather than letting Seqera create it a ## Create the IAM policy +:::info[Private preview] +Seqera Intelligent Compute is in private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. +::: + If you've enabled [Seqera Intelligent Compute](#seqera-intelligent-compute), attach the following additional policy to the same IAM user or role that Seqera uses to access your AWS account. The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer. diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 64d519c4f..c63f2d53c 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -234,7 +234,7 @@ The following permissions enable Seqera to populate values for dropdown fields. ## Seqera Intelligent Compute :::info[Private preview] -Seqera Intelligent Compute is in Private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. +Seqera Intelligent Compute is in private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. ::: Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior. @@ -243,6 +243,10 @@ When you enable Seqera Intelligent Compute, Seqera provisions and manages all EC ### Additional IAM permissions +:::info[Private preview] +Seqera Intelligent Compute is in private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. +::: + To enable Seqera Intelligent Compute, attach an additional IAM policy (beyond the [Required Platform IAM permissions](#required-platform-iam-permissions)) to the same IAM user or role that Seqera uses to access your AWS account. The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer. From 7c7802ec069ad0921ec92703621e16d9ee52583b Mon Sep 17 00:00:00 2001 From: Christopher Hakkaart Date: Fri, 15 May 2026 14:00:03 +1200 Subject: [PATCH 16/21] Move admonition --- platform-cloud/docs/compute-envs/aws-cloud.md | 6 +++--- platform-enterprise_docs/compute-envs/aws-cloud.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 4aeaa7eb1..3cb39a44c 100644 
--- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -602,13 +602,13 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The } ``` - +Some statements in the policy above are conditional and can be omitted depending on your deployment: -:::note - The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments. - The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created. - The `CostExplorer` statement is required only if you enable Cost Analysis. -::: + + ### Create the IAM policy diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index c63f2d53c..86881883a 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md @@ -445,13 +445,13 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The } ``` - +Some statements in the policy above are conditional and can be omitted depending on your deployment: -:::note - The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments. - The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created. - The `CostExplorer` statement is only required if you enable Cost Analysis. -::: + + ## Managed Amazon Machine Image (AMI) From 60ce5c959b6c12028983c8424d7908e3f255673a Mon Sep 17 00:00:00 2001 From: Christopher Hakkaart Date: Fri, 15 May 2026 14:29:52 +1200 Subject: [PATCH 17/21] Fix link --- platform-cloud/docs/compute-envs/aws-cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 3cb39a44c..ef0c3763e 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -66,7 +66,7 @@ Seqera Intelligent Compute is a next-generation compute and scheduling service t When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. -If you enable this capability, you must attach the additional permissions described in [Seqera Intelligent Compute permissions](#seqera-intelligent-compute-permissions) below. +If you enable Seqera Intelligent Compute, you must attach the additional permissions described [Create the IAM policy](#create-the-iam-policy). ## Managed Amazon Machine Image (AMI) From 32523f106da862f8dfd78c68fced346640876102 Mon Sep 17 00:00:00 2001 From: Christopher Hakkaart Date: Fri, 15 May 2026 14:59:55 +1200 Subject: [PATCH 18/21] Final reshuffle headings --- platform-cloud/docs/compute-envs/aws-cloud.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index ef0c3763e..58ae86504 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -66,7 +66,7 @@ Seqera Intelligent Compute is a next-generation compute and scheduling service t When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. -If you enable Seqera Intelligent Compute, you must attach the additional permissions described [Create the IAM policy](#create-the-iam-policy). +If you enable Seqera Intelligent Compute, you must attach the additional permissions described in [Seqera Intelligent Compute permissions](#seqera-intelligent-compute-permissions). ## Managed Amazon Machine Image (AMI) @@ -84,7 +84,7 @@ The AMI is based on the [Amazon Linux 2023 image](https://docs.aws.amazon.com/li To use the AWS Cloud compute environment, grant Seqera Platform access to your AWS account. Create an IAM policy with the permissions Platform needs, then attach it to either an IAM user (for long-lived access keys) or an IAM role (for assumed-role credentials) depending on which credential type suits your security model. -### Required Platform IAM permissions +### IAM permissions To create and launch pipelines, explore buckets with Data Explorer or run Studio sessions with the AWS Cloud compute environment, an IAM user with specific permissions must be provided. Some permissions are mandatory for the compute environment to be created and function correctly, while others are optional and used for example to provide list of values to pick from in the Platform UI. 
@@ -93,7 +93,7 @@ Permissions can be attached directly to an [IAM user](#iam-user-creation), or to A permissive and broad policy with all the required permissions is provided here for a quick start. However, follow the principle of least privilege and only grant the necessary permissions for your use case, as shown in the following sections.
-Full permissive policy (For reference) +Full permissive policy (for reference) ```json { @@ -349,7 +349,7 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` -### Userdata script error detection (optional) +#### Userdata script error detection (optional) Platform can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. @@ -364,7 +364,7 @@ Platform can retrieve the EC2 instance console output to detect errors in the us } ``` -### Data lineage (optional) +#### Data lineage (optional) If you enable [data lineage](../data/data-lineage) in your workspace, add the following permissions to your Platform integration credentials to create the queue infrastructure and bucket notifications used by the lineage service: @@ -397,7 +397,7 @@ If you enable [data lineage](../data/data-lineage) in your workspace, add the fo If you manage your own EC2 instance role (rather than letting Seqera create it automatically), see [Manual AWS Batch configuration](../enterprise/advanced-topics/manual-aws-batch-setup#create-an-ec2-instance-role) for the additional S3 policy to attach to that role. -## Create the IAM policy +#### Seqera Intelligent Compute permissions :::info[Private preview] Seqera Intelligent Compute is in private preview. [Contact us](https://seqera.io/intelligent-compute/) to request access. 
@@ -618,7 +618,7 @@ The policy above must be created in the AWS account where the AWS Cloud resource 1. From the left navigation menu, select **Policies** under **Access management**. 1. Select **Create policy**. 1. On the **Policy editor** section, select the **JSON** tab. -1. Following the instructions detailed in the [IAM permissions breakdown section](#required-platform-iam-permissions) replace the default text in the policy editor area under the **JSON** tab with a policy adapted to your use case, then select **Next**. +1. Following the instructions detailed in the [IAM permissions breakdown section](#iam-permissions) replace the default text in the policy editor area under the **JSON** tab with a policy adapted to your use case, then select **Next**. 1. Enter a name and description for the policy on the **Review and create** page, then select **Create policy**. If you are also enabling Seqera Intelligent Compute, repeat these steps to create a second policy using the [Seqera Intelligent Compute permissions](#seqera-intelligent-compute-permissions) JSON. 
@@ -645,10 +645,12 @@ Seqera requires an Identity and Access Management (IAM) User to create and manag In certain scenarios, for example when multiple users need to access the same AWS account and provision AWS Batch resources, an IAM role with the required permissions can be created instead, and the IAM user can assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. -Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [Required Platform IAM permissions](#required-platform-iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. +Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [IAM permissions](#iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. #### Create an IAM user +To create an IAM user: + 1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select **Create User** at the top right of the page. 1. Enter a name for your user (e.g., _seqera_) and select **Next**. 1. Under **Permission options**, select **Attach policies directly**, then search for and select the policy created above, and select **Next**. 
@@ -673,7 +675,7 @@ The user has now been created. The most up-to-date instructions for creating an #### Obtain IAM user credentials -To get the credentials needed to connect Seqera to your AWS account, follow these steps: +To get the credentials needed to connect Seqera to your AWS account: 1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select the newly created user from the users table. 1. Select the **Security credentials** tab, then select **Create access key** under the **Access keys** section. @@ -683,7 +685,7 @@ To get the credentials needed to connect Seqera to your AWS account, follow thes ### IAM role creation (optional) -Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. This is useful when multiple IAM users are used to access the same AWS account: this way the actual permissions to operate on the resources are only granted to a single centralized role. +Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. This is useful when multiple IAM users are used to access the same AWS account. This way the permissions to operate on the resources are only granted to a single centralized role. 1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Roles** in the left navigation menu, then select **Create role** at the top right of the page. 1. Select **Custom trust policy** as the type of trusted entity, provide the following policy and edit the AWS principal with the ARN of the IAM user created in the [IAM user creation](#iam-user-creation) section, then select **Next**. From 10e881f8c4b4ff1eebb6cabceeedbc4b29c36fe5 Mon Sep 17 00:00:00 2001 
From: Christopher Hakkaart Date: Fri, 15 May 2026 15:28:43 +1200 Subject: [PATCH 19/21] Move headings down a level --- platform-cloud/docs/compute-envs/aws-cloud.md | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 58ae86504..176f0336a 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -610,7 +610,7 @@ Some statements in the policy above are conditional and can be omitted depending
-### Create the IAM policy +### IAM policy The policy above must be created in the AWS account where the AWS Cloud resources need to be created. @@ -623,7 +623,7 @@ The policy above must be created in the AWS account where the AWS Cloud resource If you are also enabling Seqera Intelligent Compute, repeat these steps to create a second policy using the [Seqera Intelligent Compute permissions](#seqera-intelligent-compute-permissions) JSON. -### AWS credential options +### AWS credentials Before creating an IAM user or role, decide how Seqera will authenticate to your AWS account. AWS credentials can be configured in two ways: @@ -639,7 +639,7 @@ The next two sections cover the AWS-side setup for each option: - For **key-based credentials**, follow [IAM user creation](#iam-user-creation) to create a user and obtain access keys. - For **role-based credentials**, follow both [IAM user creation](#iam-user-creation) (for the assuming principal) and [IAM role creation (optional)](#iam-role-creation-optional) to create the role Seqera will assume. -### IAM user creation +#### IAM user creation Seqera requires an Identity and Access Management (IAM) User to create and manage AWS Batch resources in your AWS account. We recommend creating a separate IAM policy rather than an IAM User inline policy, as the latter only allows 2048 characters, which may not be sufficient for all the required permissions. 
@@ -647,9 +647,7 @@ In certain scenarios, for example when multiple users need to access the same AW Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [IAM permissions](#iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. -#### Create an IAM user - -To create an IAM user: +##### Create an IAM user 1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select **Create User** at the top right of the page. 1. Enter a name for your user (e.g., _seqera_) and select **Next**. @@ -673,9 +671,7 @@ To create an IAM user: The user has now been created. The most up-to-date instructions for creating an IAM user can be found in the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). -#### Obtain IAM user credentials - -To get the credentials needed to connect Seqera to your AWS account: +##### Obtain IAM user credentials 1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select the newly created user from the users table. 1. Select the **Security credentials** tab, then select **Create access key** under the **Access keys** section. 
@@ -683,7 +679,7 @@ To get the credentials needed to connect Seqera to your AWS account: 1. Optionally provide a description for the access key, like the reason for creating it, then select **Create access key**. 1. Save the **Access key** and **Secret access key** in a secure location as you will need to provide them when creating credentials in Seqera. -### IAM role creation (optional) +#### IAM role creation (optional) Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. This is useful when multiple IAM users are used to access the same AWS account. This way the permissions to operate on the resources are only granted to a single centralized role. @@ -710,7 +706,7 @@ Rather than attaching permissions directly to the IAM user, you can create an IA ] } ``` -1. On the **Permissions** page, search for and select the policy created in the [IAM user creation](#iam-user-creation) section, then select **Next**. +1. On the **Permissions** page, search for and select the policy created in the [IAM policy](#iam-policy) section, then select **Next**. 1. Give the role a name and optionally a description, review the details of the role, optionally provide tags to help you identify the role, then select **Create role**. Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. 
@@ -719,7 +715,7 @@ Multiple users can be specified in the trust policy by adding more ARNs to the ` Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in your IAM trust policy (`sts:ExternalId`). ::: -#### Role-based trust policy example (Seqera Cloud) +##### Role-based trust policy example (Seqera Cloud) For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: From 177fd720fff8da19b1d0c0bc2f7ad412f82fbdba Mon Sep 17 00:00:00 2001 From: Christopher Hakkaart Date: Fri, 15 May 2026 15:51:54 +1200 Subject: [PATCH 20/21] Revert changes --- platform-cloud/docs/compute-envs/aws-cloud.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 176f0336a..4d08e9269 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -4,6 +4,8 @@ description: "Instructions to set up an AWS Cloud CE in Seqera Platform" date created: "2025-05-15" last updated: "2026-05-05" tags: [cloud, vm, amazon, compute-environment] +toc_min_heading_level: 2 +toc_max_heading_level: 4 --- :::note 
@@ -84,7 +86,7 @@ The AMI is based on the [Amazon Linux 2023 image](https://docs.aws.amazon.com/li To use the AWS Cloud compute environment, grant Seqera Platform access to your AWS account. Create an IAM policy with the permissions Platform needs, then attach it to either an IAM user (for long-lived access keys) or an IAM role (for assumed-role credentials) depending on which credential type suits your security model. -### IAM permissions +### Required Platform IAM permissions To create and launch pipelines, explore buckets with Data Explorer or run Studio sessions with the AWS Cloud compute environment, an IAM user with specific permissions must be provided. Some permissions are mandatory for the compute environment to be created and function correctly, while others are optional and used for example to provide list of values to pick from in the Platform UI. @@ -610,7 +612,7 @@ Some statements in the policy above are conditional and can be omitted depending -### IAM policy +### Create the IAM policy The policy above must be created in the AWS account where the AWS Cloud resources need to be created. 
@@ -618,12 +620,12 @@ The policy above must be created in the AWS account where the AWS Cloud resource 1. From the left navigation menu, select **Policies** under **Access management**. 1. Select **Create policy**. 1. On the **Policy editor** section, select the **JSON** tab. -1. Following the instructions detailed in the [IAM permissions breakdown section](#iam-permissions) replace the default text in the policy editor area under the **JSON** tab with a policy adapted to your use case, then select **Next**. +1. Following the instructions detailed in the [IAM permissions breakdown section](#required-platform-iam-permissions) replace the default text in the policy editor area under the **JSON** tab with a policy adapted to your use case, then select **Next**. 1. Enter a name and description for the policy on the **Review and create** page, then select **Create policy**. If you are also enabling Seqera Intelligent Compute, repeat these steps to create a second policy using the [Seqera Intelligent Compute permissions](#seqera-intelligent-compute-permissions) JSON. -### AWS credentials +### AWS credential options Before creating an IAM user or role, decide how Seqera will authenticate to your AWS account. AWS credentials can be configured in two ways: 
@@ -645,7 +647,7 @@ Seqera requires an Identity and Access Management (IAM) User to create and manag In certain scenarios, for example when multiple users need to access the same AWS account and provision AWS Batch resources, an IAM role with the required permissions can be created instead, and the IAM user can assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. -Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [IAM permissions](#iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. +Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [Required Platform IAM permissions](#required-platform-iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. ##### Create an IAM user 
@@ -706,7 +708,7 @@ Rather than attaching permissions directly to the IAM user, you can create an IA ] } ``` -1. On the **Permissions** page, search for and select the policy created in the [IAM policy](#iam-policy) section, then select **Next**. +1. On the **Permissions** page, search for and select the policy created in the [IAM user creation](#iam-user-creation) section, then select **Next**. 1. Give the role a name and optionally a description, review the details of the role, optionally provide tags to help you identify the role, then select **Create role**. Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. From 47c502e617c310ccb7587e6244b92260c8ded781 Mon Sep 17 00:00:00 2001 From: Christopher Hakkaart Date: Fri, 15 May 2026 15:56:04 +1200 Subject: [PATCH 21/21] Missed one --- platform-cloud/docs/compute-envs/aws-cloud.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 4d08e9269..03b11e90b 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -685,6 +685,8 @@ The user has now been created. The most up-to-date instructions for creating an Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. This is useful when multiple IAM users are used to access the same AWS account. This way the permissions to operate on the resources are only granted to a single centralized role. +##### Create an IAM role + 1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Roles** in the left navigation menu, then select **Create role** at the top right of the page. 1. Select **Custom trust policy** as the type of trusted entity, provide the following policy and edit the AWS principal with the ARN of the IAM user created in the [IAM user creation](#iam-user-creation) section, then select **Next**. ```json