From 9445520aa887738ebfb04a9257c986d8ec229ec4 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Wed, 25 Feb 2026 17:31:20 +0200 Subject: [PATCH 1/5] docs(aws): document generated external ID behavior for key vs role credentials --- platform-cloud/docs/compute-envs/aws-batch.md | 55 ++++++++++++++++++- platform-cloud/docs/compute-envs/aws-cloud.md | 53 +++++++++++++++++- platform-cloud/docs/compute-envs/eks.md | 54 +++++++++++++++++- .../compute-envs/aws-batch.md | 53 +++++++++++++++++- .../compute-envs/aws-cloud.md | 37 ++++++++++++- platform-enterprise_docs/compute-envs/eks.md | 52 +++++++++++++++++- 6 files changed, 291 insertions(+), 13 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index 57f04a7f0..7bd19d619 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -609,7 +609,12 @@ Depending whether you choose to let Seqera automatically create the required AWS "Sid": "AssumeRoleToManageBatchResources", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -643,7 +648,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -653,6 +663,45 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Cloud) + +For role-based AWS credentials in Seqera Cloud, use a trust policy that allows the Seqera Cloud jump role to assume your IAM role, and enforce an external ID: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +Existing credentials continue to work without changes. + ## Automatic configuration of Batch resources Seqera automates the configuration of an [AWS Batch](https://aws.amazon.com/batch/) compute environment and the queues required for deploying Nextflow pipelines. 
@@ -681,6 +730,7 @@ Depending on the provided configuration in the UI, Seqera might also create IAM 1. Enter a name, e.g., _AWS Credentials_. 1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. 1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -914,6 +964,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See 1. Enter a name, e.g., _AWS Credentials_. 1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. 1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 35e3c3fc6..05085925c 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -326,7 +326,12 @@ Depending whether you choose to let Seqera automatically create the required AWS "Sid": "AssumeRoleToManageBatchResources", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -360,7 +365,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -370,6 +380,45 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Cloud) + +For role-based AWS credentials in Seqera Cloud, use a trust policy that allows the Seqera Cloud jump role to assume your IAM role, and enforce an external ID: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +Existing credentials continue to work without changes. + ## Managed Amazon Machine Image (AMI) The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index b5bb8e1f3..a3bdca410 100644 --- a/platform-cloud/docs/compute-envs/eks.md +++ b/platform-cloud/docs/compute-envs/eks.md 
@@ -166,7 +166,12 @@ In certain scenarios, for example when multiple users need to access the same AW "Sid": "AssumeRole", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -201,7 +206,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -212,6 +222,45 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Cloud) + +For role-based AWS credentials in Seqera Cloud, use a trust policy that allows the Seqera Cloud jump role to assume your IAM role, and enforce an external ID: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +Existing credentials continue to work without changes. + ## Configure EKS Service Account IAM role for Fusion v2 To use [Fusion v2](https://docs.seqera.io/fusion) in your Amazon EKS compute environment, an AWS S3 bucket must be used as work directory and both the head and compute Service Accounts (if separate) must have access to the S3 bucket specified as the work directory. 
@@ -346,6 +395,7 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Enter a name, e.g., `EKS Credentials`. 1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section. 1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index f0e207873..57cab36c9 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md @@ -609,7 +609,12 @@ Depending whether you choose to let Seqera automatically create the required AWS "Sid": "AssumeRoleToManageBatchResources", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. 
@@ -643,7 +648,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } @@ -653,6 +663,43 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Enterprise) + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::user/" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. + ## Automatic configuration of Batch resources :::caution 
@@ -679,6 +726,7 @@ Depending on the provided configuration in the UI, Seqera might also create IAM 1. Enter a name, e.g., _AWS Credentials_. 1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. 1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -912,6 +960,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See 1. Enter a name, e.g., _AWS Credentials_. 1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. 1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index bb79708e6..681535e6e 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -9,7 +9,7 @@ tags: [cloud, vm, amazon, aws, compute-environment] :::note This compute environment type is currently in public preview. Please consult this guide for the latest information on recommended configuration and limitations. This guide assumes you already have an AWS account with a valid AWS subscription. -::: +::: The current implementation of compute environments for cloud providers all rely on the use of batch services such as AWS Batch, Azure Batch, and Google Batch for the execution and management of submitted jobs, including pipelines and Studio session environments. Batch services are suitable for large-scale workloads, but they add management complexity. In practical terms, the currently used batch services result in some limitations: @@ -32,7 +32,7 @@ This type of compute environment is best suited to run Studios and small to medi ## Supported regions -The following regions are currently supported: +The following regions are currently supported: - `eu-west-1` - `us-east-1` 
@@ -50,6 +50,37 @@ The following regions are currently supported: To create and launch pipelines or Studio sessions with this compute environment type, you must attach Seqera credentials for the cloud provider. Some permissions are mandatory for the compute environment to be created and function correctly; others are optional and used to pre-fill options in Platform. +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. + +### Role-based trust policy example (Seqera Enterprise) + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::user/" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] +} +``` + ### Required permissions #### Compute environment creation @@ -180,7 +211,7 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` -## Managed Amazon Machine Image (AMI) +## Managed Amazon Machine Image (AMI) The AWS Cloud compute environment uses an AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index b5bb8e1f3..1f235b0da 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md 
@@ -166,7 +166,12 @@ In certain scenarios, for example when multiple users need to access the same AW "Sid": "AssumeRole", "Effect": "Allow", "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam:::role/" + "Resource": "arn:aws:iam:::role/", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ``` 1. On the last page, review the user details and select **Create user**. @@ -201,7 +206,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA "arn:aws:iam:::user/" ] }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } } ] } 
@@ -212,6 +222,43 @@ Rather than attaching permissions directly to the IAM user, you can create an IA Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section. +:::note +Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field. +::: + +### Role-based trust policy example (Seqera Enterprise) + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::user/" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] +} +``` + +## AWS credential options + +AWS credentials can be configured in two ways: + +- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional. +- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory. + +Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). + +Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. + ## Configure EKS Service Account IAM role for Fusion v2 To use [Fusion v2](https://docs.seqera.io/fusion) in your Amazon EKS compute environment, an AWS S3 bucket must be used as work directory and both the head and compute Service Accounts (if separate) must have access to the S3 bucket specified as the work directory. 
@@ -346,6 +393,7 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Enter a name, e.g., `EKS Credentials`. 1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section. 1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources. +1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. From d5a5331063420702ff56191d63f02c90d4a97ff2 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 27 Feb 2026 12:14:16 +0200 Subject: [PATCH 2/5] docs(aws): align assume-role ARN and external ID guidance across cloud and enterprise --- platform-cloud/docs/compute-envs/aws-batch.md | 6 ++++-- platform-cloud/docs/compute-envs/aws-cloud.md | 6 ++++-- platform-cloud/docs/compute-envs/eks.md | 6 ++++-- platform-enterprise_docs/compute-envs/aws-batch.md | 6 +++++- platform-enterprise_docs/compute-envs/aws-cloud.md | 6 +++++- platform-enterprise_docs/compute-envs/eks.md | 6 +++++- 6 files changed, 27 insertions(+), 9 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index 7bd19d619..a8d41e6c0 100644 
--- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -669,7 +669,7 @@ Seqera Platform generates the `External ID` value during AWS credential creation ### Role-based trust policy example (Seqera Cloud) -For role-based AWS credentials in Seqera Cloud, use a trust policy that allows the Seqera Cloud jump role to assume your IAM role, and enforce an external ID: +For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: ```json { @@ -678,7 +678,7 @@ For role-based AWS credentials in Seqera Cloud, use a trust policy that allows t { "Effect": "Allow", "Principal": { - "AWS": "" + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" }, "Action": "sts:AssumeRole", "Condition": { @@ -700,6 +700,8 @@ AWS credentials can be configured in two ways: Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + Existing credentials continue to work without changes. ## Automatic configuration of Batch resources diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 05085925c..62c7f7fc3 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -386,7 +386,7 @@ Seqera Platform generates the `External ID` value during AWS credential creation ### Role-based trust policy example (Seqera Cloud) -For role-based AWS credentials in Seqera Cloud, use a trust policy that allows the Seqera Cloud jump role to assume your IAM role, and enforce an external ID: +For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: ```json { @@ -395,7 +395,7 @@ For role-based AWS credentials in Seqera Cloud, use a trust policy that allows t { "Effect": "Allow", "Principal": { - "AWS": "" + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" }, "Action": "sts:AssumeRole", "Condition": { @@ -417,6 +417,8 @@ AWS credentials can be configured in two ways: Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + Existing credentials continue to work without changes. ## Managed Amazon Machine Image (AMI) diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index a3bdca410..ceec92cf2 100644 --- a/platform-cloud/docs/compute-envs/eks.md +++ b/platform-cloud/docs/compute-envs/eks.md 
@@ -228,7 +228,7 @@ Seqera Platform generates the `External ID` value during AWS credential creation ### Role-based trust policy example (Seqera Cloud) -For role-based AWS credentials in Seqera Cloud, use a trust policy that allows the Seqera Cloud jump role to assume your IAM role, and enforce an external ID: +For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: ```json { @@ -237,7 +237,7 @@ For role-based AWS credentials in Seqera Cloud, use a trust policy that allows t { "Effect": "Allow", "Principal": { - "AWS": "" + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" }, "Action": "sts:AssumeRole", "Condition": { @@ -259,6 +259,8 @@ AWS credentials can be configured in two ways: Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + Existing credentials continue to work without changes. ## Configure EKS Service Account IAM role for Fusion v2 diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index 57cab36c9..03073ba27 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md 
@@ -669,6 +669,8 @@ Seqera Platform generates the `External ID` value during AWS credential creation ### Role-based trust policy example (Seqera Enterprise) +For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: + ```json { "Version": "2012-10-17", @@ -676,7 +678,7 @@ Seqera Platform generates the `External ID` value during AWS credential creation { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam:::user/" + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" }, "Action": "sts:AssumeRole", "Condition": { @@ -698,6 +700,8 @@ AWS credentials can be configured in two ways: Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. ## Automatic configuration of Batch resources diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 681535e6e..6ba07f28d 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -57,10 +57,14 @@ AWS credentials can be configured in two ways: Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. ### Role-based trust policy example (Seqera Enterprise) +For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: + ```json { "Version": "2012-10-17", @@ -68,7 +72,7 @@ Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTI { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam:::user/" + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" }, "Action": "sts:AssumeRole", "Condition": { diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index 1f235b0da..423969546 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md @@ -228,6 +228,8 @@ Seqera Platform generates the `External ID` value during AWS credential creation ### Role-based trust policy example (Seqera Enterprise) +For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: + ```json { "Version": "2012-10-17", 
@@ -235,7 +237,7 @@ Seqera Platform generates the `External ID` value during AWS credential creation { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam:::user/" + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" }, "Action": "sts:AssumeRole", "Condition": { @@ -257,6 +259,8 @@ AWS credentials can be configured in two ways: Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise). +In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. + Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged. ## Configure EKS Service Account IAM role for Fusion v2 From 92a3c47d8dc9f7e0e7290065c879ec702977c34a Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 27 Feb 2026 12:21:53 +0200 Subject: [PATCH 3/5] chore(netlify): set deploy-preview excludes for docs subsets --- netlify.toml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/netlify.toml b/netlify.toml index fd8fea06e..9b845e2a4 100644 --- a/netlify.toml +++ b/netlify.toml @@ -17,7 +17,12 @@ DOCUSAURUS_SSG_WORKER_THREAD_COUNT = "1" [context.deploy-preview.build.environment] + EXCLUDE_CHANGELOG="true" + EXCLUDE_PLATFORM_CLI="true" INCLUDE_NEXT="true" + EXCLUDE_MULTIQC="true" + EXCLUDE_FUSION="true" + EXCLUDE_WAVE="true" EXCLUDE_PLATFORM_API="true" EXCLUDE_PLATFORM_OPENAPI="true" From cb52c13f3b1173eb50c24a15301bec50d2b3f0de Mon Sep 17 00:00:00 2001 
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 27 Feb 2026 14:26:16 +0200 Subject: [PATCH 4/5] docs(aws): update trust policy examples with TagSession statement --- platform-cloud/docs/compute-envs/aws-batch.md | 9 ++++++++- platform-cloud/docs/compute-envs/aws-cloud.md | 9 ++++++++- platform-cloud/docs/compute-envs/eks.md | 9 ++++++++- platform-enterprise_docs/compute-envs/aws-batch.md | 9 ++++++++- platform-enterprise_docs/compute-envs/aws-cloud.md | 9 ++++++++- platform-enterprise_docs/compute-envs/eks.md | 9 ++++++++- 6 files changed, 48 insertions(+), 6 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index a8d41e6c0..4f63f3a0f 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -683,9 +683,16 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "sts:ExternalId": "" + "sts:ExternalId": "" } } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" } ] } diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 62c7f7fc3..bc2103195 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -400,9 +400,16 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "sts:ExternalId": "" + "sts:ExternalId": "" } } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" } ] } diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index ceec92cf2..f987841a7 100644 
--- a/platform-cloud/docs/compute-envs/eks.md +++ b/platform-cloud/docs/compute-envs/eks.md @@ -242,9 +242,16 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "sts:ExternalId": "" + "sts:ExternalId": "" } } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" } ] } diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index 03073ba27..56678504f 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md @@ -683,9 +683,16 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "sts:ExternalId": "" + "sts:ExternalId": "" } } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" } ] } diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 6ba07f28d..82a745624 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md @@ -77,9 +77,16 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "sts:ExternalId": "" + "sts:ExternalId": "" } } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" } ] } diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index 423969546..97a17c7df 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md 
@@ -242,9 +242,16 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "sts:ExternalId": "" + "sts:ExternalId": "" } } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + }, + "Action": "sts:TagSession" } ] } From 13f9704dd2a32a96847f42114949123062f456da Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Sat, 28 Feb 2026 12:40:32 +0200 Subject: [PATCH 5/5] docs(ent-aws): use IAM role terminology in trust policy guidance --- platform-enterprise_docs/compute-envs/aws-batch.md | 6 +++--- platform-enterprise_docs/compute-envs/aws-cloud.md | 6 +++--- platform-enterprise_docs/compute-envs/eks.md | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index 56678504f..f452a297f 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md @@ -669,7 +669,7 @@ Seqera Platform generates the `External ID` value during AWS credential creation ### Role-based trust policy example (Seqera Enterprise) -For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: +For role-based AWS credentials in Enterprise, use the AWS IAM role configured in your deployment (``) in your trust policy and enforce the `External ID` generated during credential creation: ```json { @@ -678,7 +678,7 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + "AWS": "" }, "Action": "sts:AssumeRole", "Condition": { 
@@ -690,7 +690,7 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + "AWS": "" }, "Action": "sts:TagSession" } diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 82a745624..08106222d 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md @@ -63,7 +63,7 @@ Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTI ### Role-based trust policy example (Seqera Enterprise) -For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: +For role-based AWS credentials in Enterprise, use the AWS IAM role configured in your deployment (``) in your trust policy and enforce the `External ID` generated during credential creation: ```json { @@ -72,7 +72,7 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + "AWS": "" }, "Action": "sts:AssumeRole", "Condition": { @@ -84,7 +84,7 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + "AWS": "" }, "Action": "sts:TagSession" } diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index 97a17c7df..5c45e1641 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md 
@@ -228,7 +228,7 @@ Seqera Platform generates the `External ID` value during AWS credential creation ### Role-based trust policy example (Seqera Enterprise) -For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation: +For role-based AWS credentials in Enterprise, use the AWS IAM role configured in your deployment (``) in your trust policy and enforce the `External ID` generated during credential creation: ```json { @@ -237,7 +237,7 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + "AWS": "" }, "Action": "sts:AssumeRole", "Condition": { @@ -249,7 +249,7 @@ For role-based AWS credentials, allow the Seqera Cloud access role `arn:aws:iam: { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole" + "AWS": "" }, "Action": "sts:TagSession" }
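Review bot: the new "Assume role" paragraph in `platform-enterprise_docs/compute-envs/aws-cloud.md` (hunk @@ -57,10 +57,14) and its twin in `platform-enterprise_docs/compute-envs/eks.md` (hunk @@ -257,6 +259,8) leave the credential model ambiguous: key-based credentials are defined just above as "access key and secret key with direct IAM permissions", yet the field that holds a role ARN is described as available and optional for them. State what happens when a key-based credential has an ARN in **Assume role** (does Seqera then assume the role, and does the External ID become mandatory as it is for role-based credentials?), or drop the "optional for key-based credentials" clause if the field is meaningful only for role-based credentials.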
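Review bot: in the Enterprise trust-policy hunks of patch 1/5 (`platform-enterprise_docs/compute-envs/aws-cloud.md` @@ -68,7 +72,7 and `platform-enterprise_docs/compute-envs/eks.md` @@ -228 and @@ -235,7 +237,7) the `Principal` is changed to the Seqera Cloud account role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole`, which tells self-hosted Enterprise customers to trust Seqera's hosted account rather than the role of their own deployment. Patch 5/5 replaces this with a deployment-specific placeholder, so squash these into one commit; otherwise the intermediate revision, which grants a foreign account `sts:AssumeRole` on the customer role, survives in history and in any deploy preview built from it.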
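Review bot: the `netlify.toml` hunk (@@ -17,7 +17,12) is a build-configuration change unrelated to the AWS credential documentation and belongs in its own commit or PR so that the docs change can be reviewed and reverted on its own. While touching it, group the five new `EXCLUDE_*` entries together instead of splitting them around `INCLUDE_NEXT="true"`, so the block reads as one list of excluded subsets.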
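Review bot: the six identical hunks of patch 4/5 (starting with `platform-cloud/docs/compute-envs/aws-batch.md` @@ -683,9 +683,16) add a second statement granting `sts:TagSession` to the Seqera access role, but no surrounding prose explains why the role needs to tag the assumed session; add one sentence saying what the tags are used for, since readers applying a least-privilege trust policy will otherwise strip the statement. Two further points on the same hunks: the removed and added `"sts:ExternalId"` lines render identically here, so if only the placeholder name changed, say so in the commit message; and with the same JSON now duplicated across six files, consider a shared snippet or include so the Cloud and Enterprise examples cannot drift apart again.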
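Review bot: in the three lead-in hunks of patch 5/5 (`platform-enterprise_docs/compute-envs/aws-batch.md` @@ -669,7 +669,7, `aws-cloud.md` @@ -63,7 +63,7 and `eks.md` @@ -228,7 +228,7) the placeholder for the deployment role renders as an empty inline code span, `(``)`, and the matching `"AWS": ""` principals in the following hunks are empty strings, so the example as rendered is an invalid trust policy. Use a visible placeholder such as `<ENTERPRISE_ROLE_ARN>` in both places, and name the deployment setting that "the AWS IAM role configured in your deployment" refers to (or link to it), since the sentence currently gives the reader no way to find the ARN they are supposed to paste.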