docs(aws-cloud): document Seqera Intelligent Compute IAM permissions#1382
Open
pditommaso wants to merge 3 commits intomasterfrom
Open
docs(aws-cloud): document Seqera Intelligent Compute IAM permissions#1382pditommaso wants to merge 3 commits intomasterfrom
pditommaso wants to merge 3 commits intomasterfrom
Conversation
Add a new "Seqera Intelligent Compute" section to the AWS Cloud compute environment docs (cloud + enterprise) describing the optional capability that offloads Nextflow tasks to a Seqera-managed Amazon ECS cluster, and the additional IAM policy required to enable it. The policy mirrors the seqera-sched compute policy: every action that AWS allows to be scoped by ARN is restricted to the seqera-sched-* prefix, with the remaining Resource "*" entries reserved for AWS APIs that don't support resource-level permissions.
✅ Deploy Preview for seqera-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
cristianrcv
approved these changes
May 4, 2026
jonmarti
approved these changes
May 4, 2026
| "Effect": "Allow", | ||
| "Action": "ce:GetCostAndUsage", | ||
| "Resource": "*" | ||
| } |
Contributor
There was a problem hiding this comment.
Working on the CF equivalent I found out you are also going to need
{
"Sid": "ECSServiceLinkedRole",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.
com/AWSServiceRoleForECSCompute",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "ecs-compute.amazonaws.com"
}
}
}
If you are going to use Managed Capacity for ECS and the service role was not created before hand
The scheduler never calls DeleteSecurityGroup. The security group it manages has a static name (seqera-sched-ecs) shared across clusters in the region and is not torn down per-cluster.
Comment on lines
+431
to
+433
| Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior. | ||
|
|
||
| When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. |
Member
There was a problem hiding this comment.
Suggested change
| Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior. | |
| When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. | |
| Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior. | |
| When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. |
Comment on lines
+437
to
+439
| Enabling Seqera Intelligent Compute requires an additional IAM policy on top of the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. | ||
|
|
||
| Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer). |
Member
There was a problem hiding this comment.
Suggested change
| Enabling Seqera Intelligent Compute requires an additional IAM policy on top of the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. | |
| Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer). | |
| Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. | |
| The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer. |
Comment on lines
+617
to
+622
| :::note | ||
| - The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. | ||
| - The `CostExplorer` statement is only required if you enable Cost Analysis. | ||
| ::: | ||
|
|
||
| Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps. |
Member
There was a problem hiding this comment.
Suggested change
| :::note | |
| - The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. | |
| - The `CostExplorer` statement is only required if you enable Cost Analysis. | |
| ::: | |
| Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps. | |
| :::note | |
| - The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments. | |
| - The `CostExplorer` statement is required only if you enable Cost Analysis. | |
| ::: | |
| Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps. |
Member
There was a problem hiding this comment.
Please check meaning is retained for "Omit them for Fargate-only deployments."
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add a new Seqera Intelligent Compute section to the AWS Cloud compute environment docs (cloud + enterprise), documenting the optional capability that offloads Nextflow tasks to a Seqera-managed Amazon ECS cluster, and the additional IAM policy required to enable it.
The new section explains:
seqera-sched-prefix and are torn down automatically.seqera-sched-compute-policy) that must be attached to the IAM user/role used by Seqera, in addition to the base AWS Cloud permissions.seqera-sched-*resources) and which remainResource: "*"(AWS APIs that don't support resource-level permissions).ASGEC2Operations/ASGManagementfor ASG-backed clusters,CostExplorerfor Cost Analysis).Files changed
platform-cloud/docs/compute-envs/aws-cloud.mdplatform-enterprise_docs/compute-envs/aws-cloud.mdThe new section is placed between AWS credential options / Required permissions and Managed Amazon Machine Image (AMI) in both docs.
Test plan
<details>block, JSON syntax highlighting,:::noteadmonition).#required-platform-iam-permissions(cloud) and#required-permissions(enterprise) resolve correctly from the new section's cross-link.seqera-sched-compute-policyshipped with the scheduler.