From 594977176a246b5ea80c37170ff08d26d43dbf00 Mon Sep 17 00:00:00 2001
From: Paolo Di Tommaso
Date: Mon, 4 May 2026 17:02:06 +0200
Subject: [PATCH 01/10] docs(aws-cloud): document Seqera Intelligent Compute IAM permissions
Add a new "Seqera Intelligent Compute" section to the AWS Cloud compute environment docs (cloud + enterprise) describing the optional capability that offloads Nextflow tasks to a Seqera-managed Amazon ECS cluster, and the additional IAM policy required to enable it. The policy mirrors the seqera-sched compute policy: every action that AWS allows to be scoped by ARN is restricted to the seqera-sched-* prefix, with the remaining Resource "*" entries reserved for AWS APIs that don't support resource-level permissions.
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 196 ++++++++++++++++++
 .../compute-envs/aws-cloud.md | 194 +++++++++++++++++
 2 files changed, 390 insertions(+)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index ecf633381..fc8a30d93 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -426,6 +426,202 @@ Use the IAM role ARN which Seqera must use for accessing your AWS resources in *
 Existing credentials created before March 2026 continue to work without changes.
+## Seqera Intelligent Compute
+
+Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior.
+
+When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
+
+### Additional IAM permissions
+
+Enabling Seqera Intelligent Compute requires an additional IAM policy on top of the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.
+
+Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer).
+
+
+Seqera Intelligent Compute policy
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ECSScopedOperations",
+ "Effect": "Allow",
+ "Action": [
+ "ecs:CreateCluster",
+ "ecs:DeleteCluster",
+ "ecs:DescribeClusters",
+ "ecs:ListTasks",
+ "ecs:PutClusterCapacityProviders",
+ "ecs:CreateCapacityProvider",
+ "ecs:DeleteCapacityProvider",
+ "ecs:DescribeCapacityProviders",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:DescribeTaskDefinition",
+ "ecs:RunTask",
+ "ecs:StopTask",
+ "ecs:DescribeTasks",
+ "ecs:DescribeContainerInstances",
+ "ecs:TagResource"
+ ],
+ "Resource": "arn:aws:ecs:*:*:*/seqera-sched-*"
+ },
+ {
+ "Sid": "ECSUnscopedOperations",
+ "Effect": "Allow",
+ "Action": [
+ "ecs:RegisterTaskDefinition",
+ "ecs:ListTaskDefinitions",
+ "ecs:ListTaskDefinitionFamilies"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "IAMRoleManagement",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateRole",
+ "iam:GetRole",
+ "iam:DeleteRole",
+ "iam:PutRolePolicy",
+ "iam:DeleteRolePolicy",
+ "iam:ListRolePolicies",
+ "iam:AttachRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:ListAttachedRolePolicies",
+ "iam:CreateInstanceProfile",
+ "iam:GetInstanceProfile",
+ "iam:AddRoleToInstanceProfile",
+ "iam:ListInstanceProfilesForRole",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:DeleteInstanceProfile"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:role/seqera-sched-*",
+ "arn:aws:iam::*:instance-profile/seqera-sched-*"
+ ]
+ },
+ {
+ "Sid": "PassRoleToECS",
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": "arn:aws:iam::*:role/seqera-sched-*",
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": [
+ "ecs-tasks.amazonaws.com",
+ "ecs.amazonaws.com",
+ "ec2.amazonaws.com"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "CloudWatchLogs",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:DeleteLogGroup",
+ "logs:PutRetentionPolicy",
+ "logs:DescribeLogStreams",
+ "logs:GetLogEvents",
+ "logs:TagResource"
+ ],
+ "Resource": "arn:aws:logs:*:*:log-group:/seqera/sched*"
+ },
+ {
+ "Sid": "EC2NetworkDiscovery",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeInstances",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateVpcEndpoint",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:DeleteSecurityGroup",
+ "ec2:CreateTags"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ECRAccess",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "S3Access",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:ListAllMyBuckets"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ASGEC2Operations",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstanceTypes",
+ "ec2:CreateLaunchTemplate",
+ "ec2:DeleteLaunchTemplate",
+ "ec2:RunInstances"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ASGManagement",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:CreateOrUpdateTags"
+ ],
+ "Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*"
+ },
+ {
+ "Sid": "ASGDescribe",
+ "Effect": "Allow",
+ "Action": "autoscaling:DescribeAutoScalingGroups",
+ "Resource": "*"
+ },
+ {
+ "Sid": "SSMECSOptimizedAmi",
+ "Effect": "Allow",
+ "Action": "ssm:GetParameter",
+ "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*"
+ },
+ {
+ "Sid": "CostExplorer",
+ "Effect": "Allow",
+ "Action": "ce:GetCostAndUsage",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+
+
+:::note
+- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments.
+- The `CostExplorer` statement is only required if you enable Cost Analysis.
+:::
+
+Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps.
+
 ## Managed Amazon Machine Image (AMI) + The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following:
diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md
index 42a12402c..62d44fccc 100644
--- a/platform-enterprise_docs/compute-envs/aws-cloud.md
+++ b/platform-enterprise_docs/compute-envs/aws-cloud.md
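Review bot: `IAMRoleManagement` lets the Seqera principal create `seqera-sched-*` roles and put or attach any policy on them, and nothing in the statement bounds what those roles may be granted, so in the customer account there is no ceiling on the permissions a managed role can end up with. Consider adding `"Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::<ACCOUNT_ID>:policy/<BOUNDARY_POLICY_NAME>"}}` to `iam:CreateRole`, `iam:PutRolePolicy` and `iam:AttachRolePolicy`, or at least an `iam:PolicyARN` condition on `iam:AttachRolePolicy` listing the managed policies the scheduler actually attaches, and mention the boundary in the prose. `S3Access` also sits on `Resource: "*"` although `s3:GetObject` and `s3:ListBucket` take bucket and object ARNs, so it grants read access to every bucket in the account and contradicts the sentence above the policy that `*` is reserved for APIs without resource-level permissions; the same holds for the mutating EC2 actions in `EC2NetworkDiscovery` and `ASGEC2Operations`, which accept resource ARNs and tag conditions. The identical enterprise hunk (`@@ -231,6 +231,200 @@`) has the same issues.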
@@ -231,6 +231,200 @@ The following permissions enable Seqera to populate values for dropdown fields.
 }
 ```
+## Seqera Intelligent Compute
+
+Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior.
+
+When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
+
+### Additional IAM permissions
+
+Enabling Seqera Intelligent Compute requires the following IAM policy in addition to the [Required permissions](#required-permissions) listed above. Attach it to the same IAM user or role that Seqera uses to access your AWS account.
+
+Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer).
+
+
+Seqera Intelligent Compute policy
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ECSScopedOperations",
+ "Effect": "Allow",
+ "Action": [
+ "ecs:CreateCluster",
+ "ecs:DeleteCluster",
+ "ecs:DescribeClusters",
+ "ecs:ListTasks",
+ "ecs:PutClusterCapacityProviders",
+ "ecs:CreateCapacityProvider",
+ "ecs:DeleteCapacityProvider",
+ "ecs:DescribeCapacityProviders",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:DescribeTaskDefinition",
+ "ecs:RunTask",
+ "ecs:StopTask",
+ "ecs:DescribeTasks",
+ "ecs:DescribeContainerInstances",
+ "ecs:TagResource"
+ ],
+ "Resource": "arn:aws:ecs:*:*:*/seqera-sched-*"
+ },
+ {
+ "Sid": "ECSUnscopedOperations",
+ "Effect": "Allow",
+ "Action": [
+ "ecs:RegisterTaskDefinition",
+ "ecs:ListTaskDefinitions",
+ "ecs:ListTaskDefinitionFamilies"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "IAMRoleManagement",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateRole",
+ "iam:GetRole",
+ "iam:DeleteRole",
+ "iam:PutRolePolicy",
+ "iam:DeleteRolePolicy",
+ "iam:ListRolePolicies",
+ "iam:AttachRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:ListAttachedRolePolicies",
+ "iam:CreateInstanceProfile",
+ "iam:GetInstanceProfile",
+ "iam:AddRoleToInstanceProfile",
+ "iam:ListInstanceProfilesForRole",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:DeleteInstanceProfile"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:role/seqera-sched-*",
+ "arn:aws:iam::*:instance-profile/seqera-sched-*"
+ ]
+ },
+ {
+ "Sid": "PassRoleToECS",
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": "arn:aws:iam::*:role/seqera-sched-*",
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": [
+ "ecs-tasks.amazonaws.com",
+ "ecs.amazonaws.com",
+ "ec2.amazonaws.com"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "CloudWatchLogs",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:DeleteLogGroup",
+ "logs:PutRetentionPolicy",
+ "logs:DescribeLogStreams",
+ "logs:GetLogEvents",
+ "logs:TagResource"
+ ],
+ "Resource": "arn:aws:logs:*:*:log-group:/seqera/sched*"
+ },
+ {
+ "Sid": "EC2NetworkDiscovery",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeInstances",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateVpcEndpoint",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:DeleteSecurityGroup",
+ "ec2:CreateTags"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ECRAccess",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "S3Access",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:ListAllMyBuckets"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ASGEC2Operations",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstanceTypes",
+ "ec2:CreateLaunchTemplate",
+ "ec2:DeleteLaunchTemplate",
+ "ec2:RunInstances"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ASGManagement",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:CreateOrUpdateTags"
+ ],
+ "Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*"
+ },
+ {
+ "Sid": "ASGDescribe",
+ "Effect": "Allow",
+ "Action": "autoscaling:DescribeAutoScalingGroups",
+ "Resource": "*"
+ },
+ {
+ "Sid": "SSMECSOptimizedAmi",
+ "Effect": "Allow",
+ "Action": "ssm:GetParameter",
+ "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*"
+ },
+ {
+ "Sid": "CostExplorer",
+ "Effect": "Allow",
+ "Action": "ce:GetCostAndUsage",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+
+
+:::note
+- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments.
+- The `CostExplorer` statement is only required if you enable Cost Analysis.
+:::
+
 ## Managed Amazon Machine Image (AMI) + The AWS Cloud compute environment uses an AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following:
From c9a838d294cf125cf6653495f2d2dca0aa5ec9a8 Mon Sep 17 00:00:00 2001
From: Paolo Di Tommaso
Date: Mon, 4 May 2026 17:41:42 +0200
Subject: [PATCH 02/10] docs(aws-cloud): drop unused ec2:DeleteSecurityGroup from SIC policy
The scheduler never calls DeleteSecurityGroup. The security group it manages has a static name (seqera-sched-ecs) shared across clusters in the region and is not torn down per-cluster.
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 1 -
 platform-enterprise_docs/compute-envs/aws-cloud.md | 1 -
 2 files changed, 2 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index fc8a30d93..8995e9eb1 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -543,7 +543,6 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc
 "ec2:CreateSecurityGroup",
 "ec2:CreateVpcEndpoint",
 "ec2:AuthorizeSecurityGroupEgress",
- "ec2:DeleteSecurityGroup",
 "ec2:CreateTags"
 ],
 "Resource": "*"
diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md
index 62d44fccc..c7d66fccf 100644
--- a/platform-enterprise_docs/compute-envs/aws-cloud.md
+++ b/platform-enterprise_docs/compute-envs/aws-cloud.md
@@ -348,7 +348,6 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc
 "ec2:CreateSecurityGroup",
 "ec2:CreateVpcEndpoint",
 "ec2:AuthorizeSecurityGroupEgress",
- "ec2:DeleteSecurityGroup",
 "ec2:CreateTags"
 ],
 "Resource": "*"
From ebeb859441f6c5a79c9fc4a6d3f9c738bdf9a182 Mon Sep 17 00:00:00 2001
From: Justine Geffen
Date: Tue, 5 May 2026 21:50:41 +0200
Subject: [PATCH 03/10] Apply suggestion from @christopher-hakkaart
Co-authored-by: Chris Hakkaart
Signed-off-by: Justine Geffen
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 8995e9eb1..30ea8deb2 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -428,9 +428,9 @@ Existing credentials created before March 2026 continue to work without changes.
 ## Seqera Intelligent Compute
-Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior.
+Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior.
-When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
+When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
 ### Additional IAM permissions
From 24f118d9a07e1a1498223d25a898172a0e52c36c Mon Sep 17 00:00:00 2001
From: Justine Geffen
Date: Tue, 5 May 2026 21:50:51 +0200
Subject: [PATCH 04/10] Apply suggestion from @christopher-hakkaart
Co-authored-by: Chris Hakkaart
Signed-off-by: Justine Geffen
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 30ea8deb2..b869c9ae9 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -434,9 +434,9 @@ When you enable Seqera Intelligent Compute, Seqera provisions and manages all EC
 ### Additional IAM permissions
-Enabling Seqera Intelligent Compute requires an additional IAM policy on top of the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.
+Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.
-Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer).
+The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer.
 Seqera Intelligent Compute policy
From 141b8cf977bac170bc2f3f5be1da58daa18639d3 Mon Sep 17 00:00:00 2001
From: Stefano Boriero
Date: Fri, 8 May 2026 14:07:17 +0200
Subject: [PATCH 05/10] Update platform-cloud/docs/compute-envs/aws-cloud.md
Co-authored-by: Chris Hakkaart
Signed-off-by: Stefano Boriero
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index b869c9ae9..24bb24125 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -615,8 +615,8 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 :::note
-- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments.
-- The `CostExplorer` statement is only required if you enable Cost Analysis.
+- The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments.
+- The `CostExplorer` statement is required only if you enable Cost Analysis.
 :::
 Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps.
From a74da83412c2ec85e73599253b8bcec89e37c588 Mon Sep 17 00:00:00 2001
From: Stefano Boriero
Date: Fri, 8 May 2026 14:15:53 +0200
Subject: [PATCH 06/10] feat: add optional permissions to create service linked role
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 12 ++++++++++++
 platform-enterprise_docs/compute-envs/aws-cloud.md | 12 ++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 24bb24125..33911b94e 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -596,6 +596,17 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "Action": "autoscaling:DescribeAutoScalingGroups",
 "Resource": "*"
 },
+ {
+ "Sid": "CreateECSServiceLinkedRole",
+ "Effect": "Allow",
+ "Action": "iam:CreateServiceLinkedRole",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.com/AWSServiceRoleForECSCompute",
+ "Condition": {
+ "StringEquals": {
+ "iam:AWSServiceName": "ecs-compute.amazonaws.com"
+ }
+ }
+ },
 {
 "Sid": "SSMECSOptimizedAmi",
 "Effect": "Allow",
@@ -616,6 +627,7 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 :::note
 - The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments.
+- The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created.
 - The `CostExplorer` statement is required only if you enable Cost Analysis.
 :::
diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md
index c7d66fccf..623b5e9d6 100644
--- a/platform-enterprise_docs/compute-envs/aws-cloud.md
+++ b/platform-enterprise_docs/compute-envs/aws-cloud.md
@@ -401,6 +401,17 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc
 "Action": "autoscaling:DescribeAutoScalingGroups",
 "Resource": "*"
 },
+ {
+ "Sid": "CreateECSServiceLinkedRole",
+ "Effect": "Allow",
+ "Action": "iam:CreateServiceLinkedRole",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.com/AWSServiceRoleForECSCompute",
+ "Condition": {
+ "StringEquals": {
+ "iam:AWSServiceName": "ecs-compute.amazonaws.com"
+ }
+ }
+ },
 {
 "Sid": "SSMECSOptimizedAmi",
 "Effect": "Allow",
@@ -421,6 +432,7 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc
 :::note
 - The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments.
+- The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created.
 - The `CostExplorer` statement is only required if you enable Cost Analysis.
 :::
From d87de68c8b83a1d92919c11b54f219581f99d8ff Mon Sep 17 00:00:00 2001
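Review bot: The bullet added in this hunk, ``- The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created.``, drops the noun after the Sid and "Service Role" is ambiguous, since the statement only covers the `AWSServiceRoleForECSCompute` service-linked role named in its `Resource`. Suggest ``- The `CreateECSServiceLinkedRole` statement is required only if the `AWSServiceRoleForECSCompute` service-linked role does not already exist in the account.`` The same wording is added to the enterprise note in `@@ -421,6 +432,7 @@`.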
From: Stefano Boriero
Date: Fri, 8 May 2026 14:18:35 +0200
Subject: [PATCH 07/10] chore: align changes between cloud and enterprise
---
 platform-enterprise_docs/compute-envs/aws-cloud.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md
index 623b5e9d6..f7df7d3aa 100644
--- a/platform-enterprise_docs/compute-envs/aws-cloud.md
+++ b/platform-enterprise_docs/compute-envs/aws-cloud.md
@@ -233,15 +233,15 @@ The following permissions enable Seqera to populate values for dropdown fields.
 ## Seqera Intelligent Compute
-Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior.
+Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior.
-When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
+When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
 ### Additional IAM permissions
-Enabling Seqera Intelligent Compute requires the following IAM policy in addition to the [Required permissions](#required-permissions) listed above. Attach it to the same IAM user or role that Seqera uses to access your AWS account.
+Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.
-Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer).
+The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer.
 Seqera Intelligent Compute policy
@@ -431,7 +431,7 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc
 :::note
-- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments.
+- The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments.
 - The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created.
 - The `CostExplorer` statement is only required if you enable Cost Analysis.
 :::
From 069690b3522c3db0eaff717263cda811c2495748 Mon Sep 17 00:00:00 2001
From: Stefano Boriero
Date: Fri, 8 May 2026 17:08:05 +0200
Subject: [PATCH 08/10] chore: align with scheduler permission updates
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 35 +++++++++++--------
 .../compute-envs/aws-cloud.md | 35 +++++++++++--------
 2 files changed, 40 insertions(+), 30 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 33911b94e..b4f70c39f 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -452,13 +452,10 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "ecs:CreateCluster",
 "ecs:DeleteCluster",
 "ecs:DescribeClusters",
- "ecs:ListTasks",
 "ecs:PutClusterCapacityProviders",
 "ecs:CreateCapacityProvider",
 "ecs:DeleteCapacityProvider",
 "ecs:DescribeCapacityProviders",
- "ecs:DeregisterTaskDefinition",
- "ecs:DescribeTaskDefinition",
 "ecs:RunTask",
 "ecs:StopTask",
 "ecs:DescribeTasks",
@@ -472,8 +469,11 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "Effect": "Allow",
 "Action": [
 "ecs:RegisterTaskDefinition",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:DescribeTaskDefinition",
 "ecs:ListTaskDefinitions",
- "ecs:ListTaskDefinitionFamilies"
+ "ecs:ListTaskDefinitionFamilies",
+ "ecs:ListTasks"
 ],
 "Resource": "*"
 },
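Review bot: `ecs:DeregisterTaskDefinition` and `ecs:DescribeTaskDefinition` are moved under `ECSUnscopedOperations` and so to `Resource: "*"`, but as far as I can tell both are listed with a task-definition resource type in the IAM Service Authorization Reference, so the sentence above the policy that `*` entries are for APIs without resource-level permissions no longer holds for this statement. If the move is because the scheduler's task-definition families are not `seqera-sched-` prefixed, say so in the prose; otherwise the two actions could stay scoped, e.g. `"Resource": "arn:aws:ecs:*:*:task-definition/seqera-sched-*"`. `ecs:ListTasks` takes only an optional container-instance resource, so `*` is reasonable there. The enterprise hunk `@@ -277,8 +274,11 @@` makes the same move.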
@@ -517,6 +517,22 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 }
 }
 },
+ {
+ "Sid": "ServiceLinkedRoles",
+ "Effect": "Allow",
+ "Action": "iam:CreateServiceLinkedRole",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/*",
+ "Condition": {
+ "StringEquals": {
+ "iam:AWSServiceName": [
+ "ecs.amazonaws.com",
+ "ecs-compute.amazonaws.com",
+ "autoscaling.amazonaws.com",
+ "spot.amazonaws.com"
+ ]
+ }
+ }
+ },
 {
 "Sid": "CloudWatchLogs",
 "Effect": "Allow",
@@ -596,17 +612,6 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "Action": "autoscaling:DescribeAutoScalingGroups",
 "Resource": "*"
 },
- {
- "Sid": "CreateECSServiceLinkedRole",
- "Effect": "Allow",
- "Action": "iam:CreateServiceLinkedRole",
- "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.com/AWSServiceRoleForECSCompute",
- "Condition": {
- "StringEquals": {
- "iam:AWSServiceName": "ecs-compute.amazonaws.com"
- }
- }
- },
 {
 "Sid": "SSMECSOptimizedAmi",
 "Effect": "Allow",
diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md
index f7df7d3aa..ed569588b 100644
--- a/platform-enterprise_docs/compute-envs/aws-cloud.md
+++ b/platform-enterprise_docs/compute-envs/aws-cloud.md
@@ -257,13 +257,10 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "ecs:CreateCluster",
 "ecs:DeleteCluster",
 "ecs:DescribeClusters",
- "ecs:ListTasks",
 "ecs:PutClusterCapacityProviders",
 "ecs:CreateCapacityProvider",
 "ecs:DeleteCapacityProvider",
 "ecs:DescribeCapacityProviders",
- "ecs:DeregisterTaskDefinition",
- "ecs:DescribeTaskDefinition",
 "ecs:RunTask",
 "ecs:StopTask",
 "ecs:DescribeTasks",
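Review bot: The `:::note` bullet added by the previous commit still reads ``- The `CreateECSServiceLinkedRole` is required only if the Service Role is not already created.``, but this hunk removes `CreateECSServiceLinkedRole` (replaced by `ServiceLinkedRoles` in `@@ -517,6 +517,22 @@`), so the page now refers to a Sid that is no longer in the policy; the bullet itself sits outside this hunk. Suggest ``- The `ServiceLinkedRoles` statement is required only if the service-linked roles for the four services in its condition (ECS, ECS Compute, Auto Scaling and EC2 Spot) do not already exist in the account.`` The enterprise side (`@@ -401,17 +417,6 @@` and its note) needs the same update.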
@@ -277,8 +274,11 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "Effect": "Allow",
 "Action": [
 "ecs:RegisterTaskDefinition",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:DescribeTaskDefinition",
 "ecs:ListTaskDefinitions",
- "ecs:ListTaskDefinitionFamilies"
+ "ecs:ListTaskDefinitionFamilies",
+ "ecs:ListTasks"
 ],
 "Resource": "*"
 },
@@ -322,6 +322,22 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 }
 }
 },
+ {
+ "Sid": "ServiceLinkedRoles",
+ "Effect": "Allow",
+ "Action": "iam:CreateServiceLinkedRole",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/*",
+ "Condition": {
+ "StringEquals": {
+ "iam:AWSServiceName": [
+ "ecs.amazonaws.com",
+ "ecs-compute.amazonaws.com",
+ "autoscaling.amazonaws.com",
+ "spot.amazonaws.com"
+ ]
+ }
+ }
+ },
 {
 "Sid": "CloudWatchLogs",
 "Effect": "Allow",
@@ -401,17 +417,6 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The
 "Action": "autoscaling:DescribeAutoScalingGroups",
 "Resource": "*"
 },
- {
- "Sid": "CreateECSServiceLinkedRole",
- "Effect": "Allow",
- "Action": "iam:CreateServiceLinkedRole",
- "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.com/AWSServiceRoleForECSCompute",
- "Condition": {
- "StringEquals": {
- "iam:AWSServiceName": "ecs-compute.amazonaws.com"
- }
- }
- },
 {
 "Sid": "SSMECSOptimizedAmi",
 "Effect": "Allow",
From 91588e8b2c49afbcdce24ff628f5e5aeca8c0f81 Mon Sep 17 00:00:00 2001
From: Stefano Boriero
Date: Mon, 11 May 2026 09:02:05 +0200
Subject: [PATCH 09/10] Apply suggestions from code review
Co-authored-by: Chris Hakkaart
Signed-off-by: Stefano Boriero
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 2 +-
 platform-enterprise_docs/compute-envs/aws-cloud.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index b4f70c39f..6ea0f5b71 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -434,7 +434,7 @@ When you enable Seqera Intelligent Compute, Seqera provisions and manages all EC
 ### Additional IAM permissions
-Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.
+To enable Seqera Intelligent Compute, attach an additional IAM policy (beyond the [Required Platform IAM permissions](#required-platform-iam-permissions)) to the same IAM user or role that Seqera uses to access your AWS account.
 The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer.
diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md
index ed569588b..265058a7b 100644
--- a/platform-enterprise_docs/compute-envs/aws-cloud.md
+++ b/platform-enterprise_docs/compute-envs/aws-cloud.md
@@ -239,7 +239,7 @@ When you enable Seqera Intelligent Compute, Seqera provisions and manages all EC ### Additional IAM permissions -Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. +To enable Seqera Intelligent Compute, attach an additional IAM policy (beyond the [Required Platform IAM permissions](#required-platform-iam-permissions)) to the same IAM user or role that Seqera uses to access your AWS account. The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer. From ee81a5280bce2665e8efa6907056a172ab47c8d7 Mon Sep 17 00:00:00 2001 From: Stefano Boriero Date: Mon, 11 May 2026 12:54:53 +0200 Subject: [PATCH 10/10] feat: add CloudFormation template for AWS Cloud compute environment IAM setup Introduces a CloudFormation template that provisions the IAM user, role, and policies required for the Seqera Platform AWS Cloud compute environment, with optional Seqera Intelligent Compute support gated by a parameter. Groups manual and programmatic IAM setup under a new "IAM resource provisioning" section, with CLI commands, parameter and output reference tables, and a collapsible template block. Co-Authored-By: Claude Sonnet 4.6 --- platform-cloud/docs/compute-envs/aws-cloud.md | 377 ++++++++++++------ .../docs/compute-envs/template.yaml | 277 +++++++++++++ 2 files changed, 522 insertions(+), 132 deletions(-) create mode 100644 platform-cloud/docs/compute-envs/template.yaml diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 6ea0f5b71..663f1138c 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md 
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -295,137 +295,6 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` -## Create the IAM policy - -The policy above must be created in the AWS account where the AWS Batch resources need to be created. - -1. Open the [AWS IAM console](https://console.aws.amazon.com/iam) in the account where you want to create the AWS Batch resources. -1. From the left navigation menu, select **Policies** under **Access management**. -1. Select **Create policy**. -1. On the **Policy editor** section, select the **JSON** tab. -1. Following the instructions detailed in the [IAM permissions breakdown section](#required-platform-iam-permissions) replace the default text in the policy editor area under the **JSON** tab with a policy adapted to your use case, then select **Next**. -1. Enter a name and description for the policy on the **Review and create** page, then select **Create policy**. - -## IAM user creation - -Seqera requires an Identity and Access Management (IAM) User to create and manage AWS Batch resources in your AWS account. We recommend creating a separate IAM policy rather than an IAM User inline policy, as the latter only allows 2048 characters, which may not be sufficient for all the required permissions. - -In certain scenarios, for example when multiple users need to access the same AWS account and provision AWS Batch resources, an IAM role with the required permissions can be created instead, and the IAM user can assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. - -Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [Required Platform IAM permissions](#required-platform-iam-permissions) section. 
Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. - -### Create an IAM user - -1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select **Create User** at the top right of the page. -1. Enter a name for your user (e.g., _seqera_) and select **Next**. -1. Under **Permission options**, select **Attach policies directly**, then search for and select the policy created above, and select **Next**. - * If you prefer to make the IAM user assume a role to manage AWS resources (see the [IAM role creation (optional)](#iam-role-creation-optional) section), create a policy with the following content (edit the AWS principal with the ARN of the role created) and attach it to the IAM user: - - ```json - { - "Sid": "AssumeRoleToManageBatchResources", - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - } - ``` -1. On the last page, review the user details and select **Create user**. - -The user has now been created. The most up-to-date instructions for creating an IAM user can be found in the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). - -### Obtain IAM user credentials - -To get the credentials needed to connect Seqera to your AWS account, follow these steps: - -1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select the newly created user from the users table. -1. Select the **Security credentials** tab, then select **Create access key** under the **Access keys** section. -1. 
In the **Use case** dialog that appears, select **Command line interface (CLI)**, then tick the confirmation checkbox at the bottom to acknowledge that you want to proceed creating an access key, and select **Next**. -1. Optionally provide a description for the access key, like the reason for creating it, then select **Create access key**. -1. Save the **Access key** and **Secret access key** in a secure location as you will need to provide them when creating credentials in Seqera. - -## IAM role creation (optional) - -Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. This is useful when multiple IAM users are used to access the same AWS account: this way the actual permissions to operate on the resources are only granted to a single centralized role. - -1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Roles** in the left navigation menu, then select **Create role** at the top right of the page. -1. Select **Custom trust policy** as the type of trusted entity, provide the following policy and edit the AWS principal with the ARN of the IAM user created in the [IAM user creation](#iam-user-creation) section, then select **Next**. - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "arn:aws:iam:::user/" - ] - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - } - ] - } - ``` -1. On the **Permissions** page, search for and select the policy created in the [IAM user creation](#iam-user-creation) section, then select **Next**. -1. Give the role a name and optionally a description, review the details of the role, optionally provide tags to help you identify the role, then select **Create role**. - -Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. 
- -:::note -Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in your IAM trust policy (`sts:ExternalId`). -::: - -### Role-based trust policy example (Seqera Cloud) - -For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - }, - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" - }, - "Action": "sts:TagSession" - } - ] -} -``` - -## AWS credential options - -AWS credentials can be configured in two ways: - -- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. -- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. - -Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. - -Existing credentials created before March 2026 continue to work without changes. 
- ## Seqera Intelligent Compute Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior. 
@@ -636,7 +505,251 @@ The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The - The `CostExplorer` statement is required only if you enable Cost Analysis. ::: -Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps. +Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [IAM resource provisioning](#iam-resource-provisioning) for setup instructions. + +## IAM resource provisioning + +You can provision the required IAM resources manually via the AWS Console or automatically using a CloudFormation template. + +### Manual provisioning + +#### Create the IAM policy + +The policy above must be created in the AWS account where the AWS Batch resources need to be created. + +1. Open the [AWS IAM console](https://console.aws.amazon.com/iam) in the account where you want to create the AWS Batch resources. +1. From the left navigation menu, select **Policies** under **Access management**. +1. Select **Create policy**. +1. On the **Policy editor** section, select the **JSON** tab. +1. Following the instructions detailed in the [IAM permissions breakdown section](#required-platform-iam-permissions) replace the default text in the policy editor area under the **JSON** tab with a policy adapted to your use case, then select **Next**. +1. Enter a name and description for the policy on the **Review and create** page, then select **Create policy**. + +#### IAM user creation + +Seqera requires an Identity and Access Management (IAM) User to create and manage AWS Batch resources in your AWS account. We recommend creating a separate IAM policy rather than an IAM User inline policy, as the latter only allows 2048 characters, which may not be sufficient for all the required permissions. 
+ +In certain scenarios, for example when multiple users need to access the same AWS account and provision AWS Batch resources, an IAM role with the required permissions can be created instead, and the IAM user can assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. + +Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [Required Platform IAM permissions](#required-platform-iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section. + +##### Create an IAM user + +1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select **Create User** at the top right of the page. +1. Enter a name for your user (e.g., _seqera_) and select **Next**. +1. Under **Permission options**, select **Attach policies directly**, then search for and select the policy created above, and select **Next**. + * If you prefer to make the IAM user assume a role to manage AWS resources (see the [IAM role creation (optional)](#iam-role-creation-optional) section), create a policy with the following content (edit the AWS principal with the ARN of the role created) and attach it to the IAM user: + + ```json + { + "Sid": "AssumeRoleToManageBatchResources", + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ``` +1. On the last page, review the user details and select **Create user**. + +The user has now been created. 
The most up-to-date instructions for creating an IAM user can be found in the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). + +##### Obtain IAM user credentials + +To get the credentials needed to connect Seqera to your AWS account, follow these steps: + +1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select the newly created user from the users table. +1. Select the **Security credentials** tab, then select **Create access key** under the **Access keys** section. +1. In the **Use case** dialog that appears, select **Command line interface (CLI)**, then tick the confirmation checkbox at the bottom to acknowledge that you want to proceed creating an access key, and select **Next**. +1. Optionally provide a description for the access key, like the reason for creating it, then select **Create access key**. +1. Save the **Access key** and **Secret access key** in a secure location as you will need to provide them when creating credentials in Seqera. + +#### IAM role creation (optional) + +Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. This is useful when multiple IAM users are used to access the same AWS account: this way the actual permissions to operate on the resources are only granted to a single centralized role. + +1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Roles** in the left navigation menu, then select **Create role** at the top right of the page. +1. Select **Custom trust policy** as the type of trusted entity, provide the following policy and edit the AWS principal with the ARN of the IAM user created in the [IAM user creation](#iam-user-creation) section, then select **Next**. 
+ ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam:::user/" + ] + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] + } + ``` +1. On the **Permissions** page, search for and select the policy created in the [IAM user creation](#iam-user-creation) section, then select **Next**. +1. Give the role a name and optionally a description, review the details of the role, optionally provide tags to help you identify the role, then select **Create role**. + +Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. + +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in your IAM trust policy (`sts:ExternalId`). +::: + +##### Role-based trust policy example (Seqera Cloud) + +For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" + } + ] +} +``` + +### Programmatic provisioning (CloudFormation) + +As an alternative to manual setup, you can use the provided AWS CloudFormation template to create all required IAM resources in a single operation. The template creates the IAM user, the access key, and the role with the appropriate policies attached. + +
+CloudFormation template + +```yaml +{% include '../compute-envs/template.yaml' %} +``` + +
+ +#### Template parameters + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `IAMUserName` | Name of the IAM user created for Seqera Platform | `SeqeraPlatform` | +| `RoleName` | Name of the IAM role assumed by the Seqera Platform IAM user | `SeqeraPlatformRole` | +| `ForgePrefix` | Prefix used for resources created by Seqera Platform (Forge) | `TowerForge` | +| `SeqeraIntelligentComputeEnabled` | Set to `true` to attach the additional permissions required for Seqera Intelligent Compute | `false` | + +#### Template outputs + +| Output | Description | +|--------|-------------| +| `SeqeraPlatoformUserAccessKeyId` | Access key ID to use when creating AWS credentials in Seqera Platform | +| `SeqeraPlatoformUserSecretAccessKey` | Secret access key to use when creating AWS credentials in Seqera Platform | +| `SeqeraPlatoformRole` | ARN of the IAM role to provide in the **Assume role** field when creating AWS credentials in Seqera Platform | + +#### Deploy the stack + +The `--capabilities CAPABILITY_NAMED_IAM` flag is required because the template creates IAM resources with custom names. CloudFormation requires explicit acknowledgement before creating named IAM resources as a safeguard against unintended privilege escalation. 
+ +**Create a stack with default parameters:** + +```bash +aws cloudformation create-stack \ + --stack-name seqera-platform-iam \ + --template-body file://template.yaml \ + --capabilities CAPABILITY_NAMED_IAM +``` + +**Create a stack with custom parameters:** + +```bash +aws cloudformation create-stack \ + --stack-name seqera-platform-iam \ + --template-body file://template.yaml \ + --capabilities CAPABILITY_NAMED_IAM \ + --parameters \ + ParameterKey=IAMUserName,ParameterValue=my-seqera-user \ + ParameterKey=RoleName,ParameterValue=my-seqera-role \ + ParameterKey=ForgePrefix,ParameterValue=TowerForge \ + ParameterKey=SeqeraIntelligentComputeEnabled,ParameterValue=true +``` + +**Update an existing stack:** + +```bash +aws cloudformation update-stack \ + --stack-name seqera-platform-iam \ + --template-body file://template.yaml \ + --capabilities CAPABILITY_NAMED_IAM \ + --parameters \ + ParameterKey=SeqeraIntelligentComputeEnabled,ParameterValue=true +``` + +**Delete a stack:** + +```bash +aws cloudformation delete-stack \ + --stack-name seqera-platform-iam +``` + +#### Retrieve stack outputs + +After the stack reaches `CREATE_COMPLETE`, retrieve the access key and role ARN to use when creating credentials in Seqera Platform: + +```bash +aws cloudformation describe-stacks \ + --stack-name seqera-platform-iam \ + --query "Stacks[0].Outputs" +``` + +Example output: + +```json +[ + { + "OutputKey": "SeqeraPlatoformUserAccessKeyId", + "OutputValue": "AKIAIOSFODNN7EXAMPLE", + "Description": "The User access key to upload to Seqera Platform as credentials" + }, + { + "OutputKey": "SeqeraPlatoformUserSecretAccessKey", + "OutputValue": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", + "Description": "The User secret access key to upload to Seqera Platform as credentials" + }, + { + "OutputKey": "SeqeraPlatoformRole", + "OutputValue": "arn:aws:iam::123456789012:role/SeqeraPlatformRole", + "Description": "The role to be assumed by Seqera Platform to create and use the AWS Cloud 
credentials" + } +] +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. + +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + +Existing credentials created before March 2026 continue to work without changes. ## Managed Amazon Machine Image (AMI) diff --git a/platform-cloud/docs/compute-envs/template.yaml b/platform-cloud/docs/compute-envs/template.yaml new file mode 100644 index 000000000..d984a96a1 --- /dev/null +++ b/platform-cloud/docs/compute-envs/template.yaml 
@@ -0,0 +1,277 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Parameters:
+ IAMUserName:
+ Description: Enter the name for the IAM user that will be created for the Seqera Platform
+ Type: String
+ Default: SeqeraPlatform
+ RoleName:
+ Description: Enter the name for the IAM role that will be assumed by the Seqera Platform IAM user
+ Type: String
+ Default: SeqeraPlatformRole
+ ForgePrefix:
+ Description: Enter the prefix used for resources created by Seqera Platform (Forge)
+ Type: String
+ Default: TowerForge
+ SeqeraIntelligentComputeEnabled:
+ Description: Set to true to attach the permissions required for Seqera Intelligent Compute (ECS-based scheduler)
+ Type: String
+ Default: 'false'
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+Conditions:
+ IntelligentComputeEnabled: !Equals [!Ref SeqeraIntelligentComputeEnabled, 'true']
+
+Resources:
+ SeqeraPlatformUser:
+ Type: 'AWS::IAM::User'
+ Properties:
+ UserName: !Ref IAMUserName
+ SeqeraPlatformRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS:
+ - !GetAtt SeqeraPlatformUser.Arn
+ Action:
+ - 'sts:AssumeRole'
+ Policies:
+ - PolicyName: SeqeraAWSCloud
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ # Permissions necessary to create resources for the AWS Cloud Compute environment.
+ - Sid: AwsCloudCreate
+ Effect: Allow
+ Action:
+ - iam:CreateRole
+ - iam:AddRoleToInstanceProfile
+ - iam:CreateInstanceProfile
+ - iam:AttachRolePolicy
+ - iam:PutRolePolicy
+ - iam:TagRole
+ - iam:TagInstanceProfile
+ Resource:
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${ForgePrefix}-*'
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:instance-profile/${ForgePrefix}-*'
+ - Sid: AwsCloudCreatePassRole
+ Effect: Allow
+ Action:
+ - iam:PassRole
+ Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${ForgePrefix}-*'
+ # Permissions necessary to launch, monitor and stop Nextflow pipelines / Studio sessions on the AWS Cloud compute environment.
+ - Sid: AwsCloudLaunchEC2
+ Effect: Allow
+ Action:
+ - ec2:CreateTags
+ - ec2:DeleteTags
+ - ec2:DescribeInstances
+ - ec2:RunInstances
+ - ec2:TerminateInstances
+ Resource: '*'
+ - Sid: AwsCloudLaunchLogs
+ Effect: Allow
+ Action:
+ - logs:GetLogEvents
+ Resource: 'arn:aws:logs:*:*:log-group:*:log-stream:*'
+ - Sid: AwsCloudLaunchS3
+ Effect: Allow
+ Action:
+ - s3:GetObject
+ Resource: '*'
+ # Permissions necessary to delete AWS resources when deleting a Compute Environment.
+ - Sid: AwsCloudDelete
+ Effect: Allow
+ Action:
+ - iam:GetRole
+ - iam:ListAttachedRolePolicies
+ - iam:ListRolePolicies
+ - iam:DeleteRole
+ - iam:DeleteInstanceProfile
+ - iam:RemoveRoleFromInstanceProfile
+ - iam:DetachRolePolicy
+ - iam:DeleteRolePolicy
+ Resource:
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${ForgePrefix}-*'
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:instance-profile/${ForgePrefix}-*'
+ # Permissions to read AWS resource information to populate options in the UI.
+ - Sid: AwsCloudRead
+ Effect: Allow
+ Action:
+ - ec2:DescribeInstanceTypes
+ - ec2:DescribeKeyPairs
+ - ec2:DescribeVpcs
+ - ec2:DescribeImages
+ - ec2:DescribeSubnets
+ - ec2:DescribeSecurityGroups
+ - s3:ListAllMyBuckets
+ Resource: '*'
+ RoleName: !Ref RoleName
+ # Permissions necessary to create and manage resources for the Seqera scheduler (ECS-based).
+ # Created only when SeqeraIntelligentComputeEnabled is true.
+ SeqeraSchedulerPolicy:
+ Type: 'AWS::IAM::ManagedPolicy'
+ Condition: IntelligentComputeEnabled
+ Properties:
+ Roles:
+ - !Ref SeqeraPlatformRole
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Sid: ECSScopedOperations
+ Effect: Allow
+ Action:
+ - ecs:CreateCluster
+ - ecs:DeleteCluster
+ - ecs:DescribeClusters
+ - ecs:PutClusterCapacityProviders
+ - ecs:CreateCapacityProvider
+ - ecs:DeleteCapacityProvider
+ - ecs:DescribeCapacityProviders
+ - ecs:RunTask
+ - ecs:StopTask
+ - ecs:DescribeTasks
+ - ecs:DescribeContainerInstances
+ - ecs:TagResource
+ Resource: 'arn:aws:ecs:*:*:*/seqera-sched-*'
+ - Sid: ECSUnscopedOperations
+ Effect: Allow
+ Action:
+ - ecs:RegisterTaskDefinition
+ - ecs:DeregisterTaskDefinition
+ - ecs:DescribeTaskDefinition
+ - ecs:ListTaskDefinitions
+ - ecs:ListTaskDefinitionFamilies
+ - ecs:ListTasks
+ Resource: '*'
+ - Sid: IAMRoleManagement
+ Effect: Allow
+ Action:
+ - iam:CreateRole
+ - iam:GetRole
+ - iam:DeleteRole
+ - iam:PutRolePolicy
+ - iam:DeleteRolePolicy
+ - iam:ListRolePolicies
+ - iam:AttachRolePolicy
+ - iam:DetachRolePolicy
+ - iam:ListAttachedRolePolicies
+ - iam:CreateInstanceProfile
+ - iam:GetInstanceProfile
+ - iam:AddRoleToInstanceProfile
+ - iam:ListInstanceProfilesForRole
+ - iam:RemoveRoleFromInstanceProfile
+ - iam:DeleteInstanceProfile
+ Resource:
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:role/seqera-sched-*'
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:instance-profile/seqera-sched-*'
+ - Sid: PassRoleToECS
+ Effect: Allow
+ Action: 'iam:PassRole'
+ Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/seqera-sched-*'
+ Condition:
+ StringEquals:
+ 'iam:PassedToService':
+ - ecs-tasks.amazonaws.com
+ - ecs.amazonaws.com
+ - ec2.amazonaws.com
+ - Sid: ServiceLinkedRoles
+ Effect: Allow
+ Action: 'iam:CreateServiceLinkedRole'
+ Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/*'
+ Condition:
+ StringEquals:
+ 'iam:AWSServiceName':
+ - ecs.amazonaws.com
+ - ecs-compute.amazonaws.com
+ - autoscaling.amazonaws.com
+ - spot.amazonaws.com
+ - Sid: CloudWatchLogs
+ Effect: Allow
+ Action:
+ - logs:CreateLogGroup
+ - logs:DeleteLogGroup
+ - logs:PutRetentionPolicy
+ - logs:DescribeLogStreams
+ - logs:GetLogEvents
+ - logs:TagResource
+ Resource: 'arn:aws:logs:*:*:log-group:/seqera/sched*'
+ - Sid: EC2NetworkDiscovery
+ Effect: Allow
+ Action:
+ - ec2:DescribeVpcs
+ - ec2:DescribeSubnets
+ - ec2:DescribeSecurityGroups
+ - ec2:DescribeRouteTables
+ - ec2:DescribeVpcEndpoints
+ - ec2:DescribeInstances
+ - ec2:CreateSecurityGroup
+ - ec2:CreateVpcEndpoint
+ - ec2:AuthorizeSecurityGroupEgress
+ - ec2:CreateTags
+ Resource: '*'
+ - Sid: ECRAccess
+ Effect: Allow
+ Action:
+ - ecr:GetAuthorizationToken
+ - ecr:BatchCheckLayerAvailability
+ - ecr:GetDownloadUrlForLayer
+ - ecr:BatchGetImage
+ Resource: '*'
+ - Sid: S3Access
+ Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:ListBucket
+ - s3:ListAllMyBuckets
+ Resource: '*'
+ - Sid: ASGEC2Operations
+ Effect: Allow
+ Action:
+ - ec2:DescribeInstanceTypes
+ - ec2:CreateLaunchTemplate
+ - ec2:DeleteLaunchTemplate
+ - ec2:RunInstances
+ Resource: '*'
+ - Sid: ASGManagement
+ Effect: Allow
+ Action:
+ - autoscaling:CreateAutoScalingGroup
+ - autoscaling:UpdateAutoScalingGroup
+ - autoscaling:DeleteAutoScalingGroup
+ - autoscaling:CreateOrUpdateTags
+ Resource: 'arn:aws:autoscaling:*:*:*/seqera-sched-*'
+ - Sid: ASGDescribe
+ Effect: Allow
+ Action: 'autoscaling:DescribeAutoScalingGroups'
+ Resource: '*'
+ - Sid: SSMECSOptimizedAmi
+ Effect: Allow
+ Action: 'ssm:GetParameter'
+ Resource: 'arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*'
+ - Sid: CostExplorer
+ Effect: Allow
+ Action: 'ce:GetCostAndUsage'
+ Resource: '*'
+ SeqeraPlatformAccessKeys:
+ Type: AWS::IAM::AccessKey
+ Properties:
+ Status: Active
+ UserName: !Ref SeqeraPlatformUser
+
+Outputs:
+ SeqeraPlatformUserAccessKeyId:
+ Description: The User access key to upload to Seqera Platform as credentials
+ Value: !Ref SeqeraPlatformAccessKeys
+ SeqeraPlatformUserSecretAccessKey:
+ Description: The User secret access key to upload to Seqera Platform as credentials
+ Value: !GetAtt SeqeraPlatformAccessKeys.SecretAccessKey
+ SeqeraPlatformRole:
+ Description: The role to be assumed by Seqera Platform to create and use the AWS Cloud credentials
+ Value: !GetAtt SeqeraPlatformRole.Arn
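Review bot: The `SeqeraPlatformUserSecretAccessKey` output exports the long-lived secret access key in plaintext as a stack output, where it is readable for the life of the stack by any principal with `cloudformation:DescribeStacks`, in the console, and in any CI log that echoes the outputs; CloudFormation has no `NoEcho` equivalent for outputs. The key pair should instead be written to a Secrets Manager secret, with only the secret's ARN exported and the secret output dropped, so access to the credential is governed by Secrets Manager policies rather than by read access to the stack. Separately, the template always mints a static access key and its trust policy admits only the template's own user, so the role-based flow the surrounding docs label as recommended (no static keys, `sts:ExternalId` condition) cannot be provisioned from it; a parameter gating `SeqeraPlatformAccessKeys` and the trust principal would close that gap. The whole template is new, so nothing outside the hunk is affected.

```yaml
  SeqeraPlatformAccessKeySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '${IAMUserName}-access-key'
      SecretString: !Sub '{"AccessKeyId":"${SeqeraPlatformAccessKeys}","SecretAccessKey":"${SeqeraPlatformAccessKeys.SecretAccessKey}"}'
# … unchanged: remaining Resources …
Outputs:
# … unchanged: SeqeraPlatformUserAccessKeyId and SeqeraPlatformRole outputs …
  SeqeraPlatformUserSecretArn:
    Description: ARN of the Secrets Manager secret holding the access key pair (replaces the plaintext SeqeraPlatformUserSecretAccessKey output)
    Value: !Ref SeqeraPlatformAccessKeySecret
```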