diff --git a/netlify.toml b/netlify.toml index fd8fea06e..9b845e2a4 100644 --- a/netlify.toml +++ b/netlify.toml @@ -17,7 +17,12 @@ DOCUSAURUS_SSG_WORKER_THREAD_COUNT = "1" [context.deploy-preview.build.environment] + EXCLUDE_CHANGELOG="true" + EXCLUDE_PLATFORM_CLI="true" INCLUDE_NEXT="true" + EXCLUDE_MULTIQC="true" + EXCLUDE_FUSION="true" + EXCLUDE_WAVE="true" EXCLUDE_PLATFORM_API="true" EXCLUDE_PLATFORM_OPENAPI="true" diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index 57f04a7f0..4f63f3a0f 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -609,7 +609,12 @@ Depending whether you choose to let Seqera automatically create the required AWS "Sid": "AssumeRoleToManageBatchResources", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -643,7 +648,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -653,6 +663,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Cloud) + +For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + +Existing credentials continue to work without changes. 
+ ## Automatic configuration of Batch resources Seqera automates the configuration of an [AWS Batch](https://aws.amazon.com/batch/) compute environment and the queues required for deploying Nextflow pipelines. @@ -681,6 +739,7 @@ Depending on the provided configuration in the UI, Seqera might also create IAM 1. Enter a name, e.g., _AWS Credentials_. 1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. 1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -914,6 +973,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See 1. Enter a name, e.g., _AWS Credentials_. 1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. 1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 35e3c3fc6..bc2103195 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -326,7 +326,12 @@ Depending whether you choose to let Seqera automatically create the required AWS "Sid": "AssumeRoleToManageBatchResources", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -360,7 +365,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -370,6 +380,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Cloud) + +For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + +Existing credentials continue to work without changes. 
+ ## Managed Amazon Machine Image (AMI) The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index b5bb8e1f3..f987841a7 100644 --- a/platform-cloud/docs/compute-envs/eks.md +++ b/platform-cloud/docs/compute-envs/eks.md @@ -166,7 +166,12 @@ In certain scenarios, for example when multiple users need to access the same AW "Sid": "AssumeRole", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -201,7 +206,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -212,6 +222,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Cloud) + +For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + +Existing credentials continue to work without changes. 
+ ## Configure EKS Service Account IAM role for Fusion v2 To use [Fusion v2](https://docs.seqera.io/fusion) in your Amazon EKS compute environment, an AWS S3 bucket must be used as work directory and both the head and compute Service Accounts (if separate) must have access to the S3 bucket specified as the work directory. @@ -346,6 +404,7 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Enter a name, e.g., `EKS Credentials`. 1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section. 1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index f0e207873..f452a297f 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md 
@@ -609,7 +609,12 @@ Depending whether you choose to let Seqera automatically create the required AWS "Sid": "AssumeRoleToManageBatchResources", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -643,7 +648,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -653,6 +663,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Enterprise) + +For role-based AWS credentials in Enterprise, use the AWS IAM role configured in your deployment (``) in your trust policy and enforce the `External ID` generated during credential creation: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:TagSession" + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + +Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. + ## Automatic configuration of Batch resources :::caution 
@@ -679,6 +737,7 @@ Depending on the provided configuration in the UI, Seqera might also create IAM 1. Enter a name, e.g., _AWS Credentials_. 1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. 1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -912,6 +971,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See 1. Enter a name, e.g., _AWS Credentials_. 1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. 1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index bb79708e6..08106222d 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -9,7 +9,7 @@ tags: [cloud, vm, amazon, aws, compute-environment] :::note This compute environment type is currently in public preview. Please consult this guide for the latest information on recommended configuration and limitations. This guide assumes you already have an AWS account with a valid AWS subscription. -::: +::: The current implementation of compute environments for cloud providers all rely on the use of batch services such as AWS Batch, Azure Batch, and Google Batch for the execution and management of submitted jobs, including pipelines and Studio session environments. Batch services are suitable for large-scale workloads, but they add management complexity. In practical terms, the currently used batch services result in some limitations: @@ -32,7 +32,7 @@ This type of compute environment is best suited to run Studios and small to medi ## Supported regions -The following regions are currently supported: +The following regions are currently supported: - `eu-west-1` - `us-east-1` 
@@ -50,6 +50,48 @@ The following regions are currently supported: To create and launch pipelines or Studio sessions with this compute environment type, you must attach Seqera credentials for the cloud provider. Some permissions are mandatory for the compute environment to be created and function correctly; others are optional and used to pre-fill options in Platform. +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + +Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. + +### Role-based trust policy example (Seqera Enterprise) + +For role-based AWS credentials in Enterprise, use the AWS IAM role configured in your deployment (``) in your trust policy and enforce the `External ID` generated during credential creation: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:TagSession" + } + ] +} +``` + ### Required permissions #### Compute environment creation 
@@ -180,7 +222,7 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` -## Managed Amazon Machine Image (AMI) +## Managed Amazon Machine Image (AMI) The AWS Cloud compute environment uses an AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index b5bb8e1f3..5c45e1641 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md @@ -166,7 +166,12 @@ In certain scenarios, for example when multiple users need to access the same AW "Sid": "AssumeRole", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -201,7 +206,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -212,6 +222,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Enterprise) + +For role-based AWS credentials in Enterprise, use the AWS IAM role configured in your deployment (``) in your trust policy and enforce the `External ID` generated during credential creation: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:TagSession" + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + +Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. 
+ ## Configure EKS Service Account IAM role for Fusion v2 To use [Fusion v2](https://docs.seqera.io/fusion) in your Amazon EKS compute environment, an AWS S3 bucket must be used as work directory and both the head and compute Service Accounts (if separate) must have access to the S3 bucket specified as the work directory. @@ -346,6 +404,7 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Enter a name, e.g., `EKS Credentials`. 1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section. 1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
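Review bot: the netlify.toml hunk is unrelated to the External ID documentation change; it adds five variables (`EXCLUDE_CHANGELOG`, `EXCLUDE_PLATFORM_CLI`, `EXCLUDE_MULTIQC`, `EXCLUDE_FUSION`, `EXCLUDE_WAVE`) to `[context.deploy-preview.build.environment]`, which changes what every future deploy preview renders. If it is intended to shrink preview builds, split it into its own commit or call it out in the PR description; if it was committed by accident, drop it from this PR.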
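Review bot: in every new permissions-policy and trust-policy hunk the customer-specific values render as empty strings (`"Resource": "arn:aws:iam:::role/"`, `"AWS": ""`, `"sts:ExternalId": ""`), and the Enterprise lead sentence contains an empty inline code span (`configured in your deployment (``)`). Confirm that the intended placeholders survive the Docusaurus/MDX build; as rendered here, a reader who copies the snippet gets an ARN with no account or role name and a `StringEquals` condition on an empty external ID that can never match, so the role becomes unassumable rather than protected.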
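Review bot: the new credentials step added to the aws-batch.md and eks.md files (`Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set.`) contradicts the `AWS credential options` section added in the same hunks, which says `External ID` is optional for key-based credentials while also saying the **Assume role** field is available and optional for key-based credentials. Pick one rule and state it identically in both places. Note that the `Condition` is now added both to the IAM user's permissions policy (hunk at 609 / 326 / 166) and to the role trust policy (hunk at 643 / 360 / 201), so an `sts:AssumeRole` call that omits the external ID is denied by either policy; documenting External ID as optional when a role is set would lead to credentials that fail at first use.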
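Review bot: the pages say Seqera generates the `External ID` during credential creation, yet the trust policy that must already contain that value is written in the earlier "Rather than attaching permissions directly to the IAM user, you can create an IAM role" section, before the credentials steps. Add a sentence on sequencing to the `:::note`: either the value is shown in the credentials form before saving so the trust policy can be updated first, or the credential must be created first and the trust policy edited afterwards. Without it, operators following the page top to bottom have no value to paste into `sts:ExternalId`.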
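Review bot: the Seqera Cloud `Role-based trust policy example` trusts Seqera's own principal `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole`, while the `AWS credential options` section in the same hunk defines role-based credentials as "Access key and secret key used only to assume an IAM role", and the trust policy earlier on the page (hunk at 643 / 360 / 201) trusts the customer's IAM user ARN. It is unclear which principal actually calls `sts:AssumeRole` in the role-based flow and whether an access key is still required once the Seqera Cloud role is trusted. State explicitly which trust policy goes with which credential type, and whether the two principals can or should be combined in one `Principal` block.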
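Review bot: the new trust policy examples grant `sts:TagSession` to the Seqera principal in a second statement, but the surrounding text never explains why session tagging is needed or whether that statement may be omitted. Add one sentence (for example, that Seqera passes session tags when assuming the role) so operators who review trust policies for least privilege know not to strip it, and say that the `sts:ExternalId` condition is intentionally placed only on the `sts:AssumeRole` statement.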
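Review bot: the `:::note` block, the `Role-based trust policy example` section and the `AWS credential options` section are pasted verbatim into six files (cloud and enterprise copies of aws-batch.md, aws-cloud.md and eks.md), and the copies already diverge: the Enterprise versions append "The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged.", and the Enterprise aws-cloud.md copy drops the `## AWS credential options` heading and places the trust policy example after the credential options rather than before. Move the shared text into an MDX partial so the copies cannot drift. Separately, the Enterprise aws-cloud.md hunks at lines 9, 32 and 180 (`:::`, `The following regions are currently supported:`, `## Managed Amazon Machine Image (AMI)`) appear to differ only in trailing whitespace; either drop them or note them as whitespace cleanup so reviewers do not hunt for a content change.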