5 changes: 5 additions & 0 deletions netlify.toml
Expand Up @@ -17,7 +17,12 @@
DOCUSAURUS_SSG_WORKER_THREAD_COUNT = "1"

[context.deploy-preview.build.environment]
EXCLUDE_CHANGELOG="true"
EXCLUDE_PLATFORM_CLI="true"
INCLUDE_NEXT="true"
EXCLUDE_MULTIQC="true"
EXCLUDE_FUSION="true"
EXCLUDE_WAVE="true"
EXCLUDE_PLATFORM_API="true"
EXCLUDE_PLATFORM_OPENAPI="true"

Expand Down
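Review bot: The `EXCLUDE_*` entries under `[context.deploy-preview.build.environment]` come with no comment explaining why a documentation change about External ID needs to alter what deploy previews build. If they only shorten preview builds for this branch, say so in a comment above the table or drop them before merge, so that later previews do not silently skip those sections.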
64 changes: 62 additions & 2 deletions platform-cloud/docs/compute-envs/aws-batch.md
Expand Up @@ -609,7 +609,12 @@ Depending whether you choose to let Seqera automatically create the required AWS
"Sid": "AssumeRoleToManageBatchResources",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<EXTERNAL_ID>"
}
}
}
```
1. On the last page, review the user details and select **Create user**.
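Review bot: `<EXTERNAL_ID>` in the `sts:ExternalId` condition of this user permissions policy has no value the reader can fill in at this step. The policy is attached before **Create user**, while the note added later in this file says the External ID is generated during Seqera credential creation, which in turn needs this user's keys. State the order (create the user, create the credential in Seqera, then edit the policy), or leave the condition out of the permissions policy and enforce the External ID only in the role's trust policy, which is where it constrains who can assume the role.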
Expand Down Expand Up @@ -643,7 +648,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA
"arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
]
},
"Action": "sts:AssumeRole"
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<EXTERNAL_ID>"
}
}
}
]
}
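Review bot: With the `sts:ExternalId` condition added to this trust policy, an `sts:AssumeRole` call that does not pass the matching value is no longer allowed, so a credential saved with **Assume role** but no External ID stops working once a reader applies the updated policy to a role that is already in use. Say so next to the example and give the order of operations (set the External ID on the credential first, then update the trust policy). The placeholder here is `<EXTERNAL_ID>` while the Seqera Cloud example added below uses `<ExternalId>`; pick one spelling.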
Expand All @@ -653,6 +663,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA

Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section.

:::note
Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field.
:::

### Role-based trust policy example (Seqera Cloud)

For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<ExternalId>"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:TagSession"
}
]
}
```

## AWS credential options

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional.
- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory.

Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise).

In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials continue to work without changes.

## Automatic configuration of Batch resources

Seqera automates the configuration of an [AWS Batch](https://aws.amazon.com/batch/) compute environment and the queues required for deploying Nextflow pipelines.
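Review bot: The **Role-based credentials** bullet says "Access key and secret key used only to assume an IAM role", but the trust policy example just above it trusts `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` as the principal rather than an IAM user, so it is unclear whether a role-based credential still takes keys at all. Describe which principal calls `sts:AssumeRole` in each mode and which of the two trust policy examples (IAM user principal or Seqera Cloud role principal) belongs to which credential type.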
Expand Down Expand Up @@ -681,6 +739,7 @@ Depending on the provided configuration in the UI, Seqera might also create IAM
1. Enter a name, e.g., _AWS Credentials_.
1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user.
1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set.
:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
:::
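Review bot: The new step says to "enter the value generated by Seqera", which reads as if the reader types in a value that the form itself produces; say where the generated value is shown and whether the field is editable or read-only. "Required when **Assume role** is set" also conflicts with the **Key-based credentials** bullet, which calls External ID optional even though **Assume role** can be set for key-based credentials. The step also sits between the **Assume role** step and the `:::note` that explains assumed roles; move it below the note or extend the note to cover External ID.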
Expand Down Expand Up @@ -914,6 +973,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See
1. Enter a name, e.g., _AWS Credentials_.
1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user.
1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set.
:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
:::
Expand Down
62 changes: 60 additions & 2 deletions platform-cloud/docs/compute-envs/aws-cloud.md
Expand Up @@ -326,7 +326,12 @@ Depending whether you choose to let Seqera automatically create the required AWS
"Sid": "AssumeRoleToManageBatchResources",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<EXTERNAL_ID>"
}
}
}
```
1. On the last page, review the user details and select **Create user**.
Expand Down Expand Up @@ -360,7 +365,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA
"arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
]
},
"Action": "sts:AssumeRole"
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<EXTERNAL_ID>"
}
}
}
]
}
Expand All @@ -370,6 +380,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA

Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section.

:::note
Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field.
:::

### Role-based trust policy example (Seqera Cloud)

For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<ExternalId>"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:TagSession"
}
]
}
```

## AWS credential options

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional.
- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory.

Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise).

In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials continue to work without changes.

## Managed Amazon Machine Image (AMI)

The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following:
Expand Down
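Review bot: This block (the `:::note`, the Seqera Cloud trust policy example and `## AWS credential options`) is added word for word to `aws-batch.md`, `aws-cloud.md` and `eks.md`, so a later change to the role ARN or to the External ID rules has to be made in three places and can drift. If the docs build supports shared partials, move the block into one and include it from each page, keeping only page-specific text here.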
63 changes: 61 additions & 2 deletions platform-cloud/docs/compute-envs/eks.md
Expand Up @@ -166,7 +166,12 @@ In certain scenarios, for example when multiple users need to access the same AW
"Sid": "AssumeRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<EXTERNAL_ID>"
}
}
}
```
1. On the last page, review the user details and select **Create user**.
Expand Down Expand Up @@ -201,7 +206,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA
"arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
]
},
"Action": "sts:AssumeRole"
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<EXTERNAL_ID>"
}
}
}
]
}
Expand All @@ -212,6 +222,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA

Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section.

:::note
Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field.
:::

### Role-based trust policy example (Seqera Cloud)

For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<ExternalId>"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:TagSession"
}
]
}
```

## AWS credential options

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional.
- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory.

Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise).

In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials continue to work without changes.

## Configure EKS Service Account IAM role for Fusion v2

To use [Fusion v2](https://docs.seqera.io/fusion) in your Amazon EKS compute environment, an AWS S3 bucket must be used as work directory and both the head and compute Service Accounts (if separate) must have access to the S3 bucket specified as the work directory.
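Review bot: The second statement of the trust policy example allows `sts:TagSession` to the same principal with no `Condition` and no explanation of why session tagging is needed. Add a sentence saying what the session is tagged with and why, and consider a single statement with `"Action": ["sts:AssumeRole", "sts:TagSession"]` under the `sts:ExternalId` condition so both actions carry the same constraint.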
Expand Down Expand Up @@ -346,6 +404,7 @@ Once all prerequisites are met, create a Seqera EKS compute environment:
1. Enter a name, e.g., `EKS Credentials`.
1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section.
1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set.

:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
Expand Down
64 changes: 62 additions & 2 deletions platform-enterprise_docs/compute-envs/aws-batch.md
Expand Up @@ -609,7 +609,12 @@ Depending whether you choose to let Seqera automatically create the required AWS
"Sid": "AssumeRoleToManageBatchResources",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<EXTERNAL_ID>"
}
}
}
```
1. On the last page, review the user details and select **Create user**.
Expand Down Expand Up @@ -643,7 +648,12 @@ Rather than attaching permissions directly to the IAM user, you can create an IA
"arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
]
},
"Action": "sts:AssumeRole"
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<EXTERNAL_ID>"
}
}
}
]
}
Expand All @@ -653,6 +663,54 @@ Rather than attaching permissions directly to the IAM user, you can create an IA

Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section.

:::note
Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in both your IAM trust policy (`sts:ExternalId`) and the Seqera **External ID** field.
:::

### Role-based trust policy example (Seqera Enterprise)

For role-based AWS credentials in Enterprise, use the AWS IAM role configured in your deployment (`<YOUR_SEQERA_ROLE_ARN>`) in your trust policy and enforce the `External ID` generated during credential creation:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "<YOUR_SEQERA_ROLE_ARN>"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<ExternalId>"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "<YOUR_SEQERA_ROLE_ARN>"
},
"Action": "sts:TagSession"
}
]
}
```

## AWS credential options

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions. `External ID` is optional.
- **Role-based credentials (recommended)**: Access key and secret key used only to assume an IAM role. `External ID` is mandatory.

Seqera Platform generates the `External ID` value during credential creation (Cloud and Enterprise).

In the credentials form, paste the AWS role ARN in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials continue to work without changes. The `TOWER_ALLOW_CREDENTIALS` feature behavior is unchanged.

## Automatic configuration of Batch resources

:::caution
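Review bot: `<YOUR_SEQERA_ROLE_ARN>` is introduced as "the AWS IAM role configured in your deployment" with no pointer to where an administrator sets or looks up that role; link to the Enterprise configuration page or name the setting. The closing sentence mentions `TOWER_ALLOW_CREDENTIALS` without saying what it controls or why a reader of this section would expect it to change; link it to its reference entry or drop the sentence.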
Expand All @@ -679,6 +737,7 @@ Depending on the provided configuration in the UI, Seqera might also create IAM
1. Enter a name, e.g., _AWS Credentials_.
1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user.
1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set.
:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
:::
Expand Down Expand Up @@ -912,6 +971,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See
1. Enter a name, e.g., _AWS Credentials_.
1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user.
1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. Under **External ID**, enter the value generated by Seqera during credential creation. This value is required when **Assume role** is set.
:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
:::
Expand Down