From 594977176a246b5ea80c37170ff08d26d43dbf00 Mon Sep 17 00:00:00 2001
From: Paolo Di Tommaso
Date: Mon, 4 May 2026 17:02:06 +0200
Subject: [PATCH 1/4] docs(aws-cloud): document Seqera Intelligent Compute IAM permissions
Add a new "Seqera Intelligent Compute" section to the AWS Cloud compute environment docs (cloud + enterprise) describing the optional capability that offloads Nextflow tasks to a Seqera-managed Amazon ECS cluster, and the additional IAM policy required to enable it. The policy mirrors the seqera-sched compute policy: every action that AWS allows to be scoped by ARN is restricted to the seqera-sched-* prefix, with the remaining Resource "*" entries reserved for AWS APIs that don't support resource-level permissions.
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 196 ++++++++++++++++++
 .../compute-envs/aws-cloud.md | 194 +++++++++++++++++
 2 files changed, 390 insertions(+)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index ecf633381..fc8a30d93 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -426,6 +426,202 @@ Use the IAM role ARN which Seqera must use for accessing your AWS resources in * Existing credentials created before March 2026 continue to work without changes. +## Seqera Intelligent Compute + +Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior. + +When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. + +### Additional IAM permissions + +Enabling Seqera Intelligent Compute requires an additional IAM policy on top of the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account. + +Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer). + +
+Seqera Intelligent Compute policy + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ECSScopedOperations", + "Effect": "Allow", + "Action": [ + "ecs:CreateCluster", + "ecs:DeleteCluster", + "ecs:DescribeClusters", + "ecs:ListTasks", + "ecs:PutClusterCapacityProviders", + "ecs:CreateCapacityProvider", + "ecs:DeleteCapacityProvider", + "ecs:DescribeCapacityProviders", + "ecs:DeregisterTaskDefinition", + "ecs:DescribeTaskDefinition", + "ecs:RunTask", + "ecs:StopTask", + "ecs:DescribeTasks", + "ecs:DescribeContainerInstances", + "ecs:TagResource" + ], + "Resource": "arn:aws:ecs:*:*:*/seqera-sched-*" + }, + { + "Sid": "ECSUnscopedOperations", + "Effect": "Allow", + "Action": [ + "ecs:RegisterTaskDefinition", + "ecs:ListTaskDefinitions", + "ecs:ListTaskDefinitionFamilies" + ], + "Resource": "*" + }, + { + "Sid": "IAMRoleManagement", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:GetRole", + "iam:DeleteRole", + "iam:PutRolePolicy", + "iam:DeleteRolePolicy", + "iam:ListRolePolicies", + "iam:AttachRolePolicy", + "iam:DetachRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:CreateInstanceProfile", + "iam:GetInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:ListInstanceProfilesForRole", + "iam:RemoveRoleFromInstanceProfile", + "iam:DeleteInstanceProfile" + ], + "Resource": [ + "arn:aws:iam::*:role/seqera-sched-*", + "arn:aws:iam::*:instance-profile/seqera-sched-*" + ] + }, + { + "Sid": "PassRoleToECS", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::*:role/seqera-sched-*", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ecs-tasks.amazonaws.com", + "ecs.amazonaws.com", + "ec2.amazonaws.com" + ] + } + } + }, + { + "Sid": "CloudWatchLogs", + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:DeleteLogGroup", + "logs:PutRetentionPolicy", + "logs:DescribeLogStreams", + "logs:GetLogEvents", + "logs:TagResource" + ], + "Resource": 
"arn:aws:logs:*:*:log-group:/seqera/sched*" + }, + { + "Sid": "EC2NetworkDiscovery", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeRouteTables", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeInstances", + "ec2:CreateSecurityGroup", + "ec2:CreateVpcEndpoint", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:DeleteSecurityGroup", + "ec2:CreateTags" + ], + "Resource": "*" + }, + { + "Sid": "ECRAccess", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage" + ], + "Resource": "*" + }, + { + "Sid": "S3Access", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListAllMyBuckets" + ], + "Resource": "*" + }, + { + "Sid": "ASGEC2Operations", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceTypes", + "ec2:CreateLaunchTemplate", + "ec2:DeleteLaunchTemplate", + "ec2:RunInstances" + ], + "Resource": "*" + }, + { + "Sid": "ASGManagement", + "Effect": "Allow", + "Action": [ + "autoscaling:CreateAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + "autoscaling:DeleteAutoScalingGroup", + "autoscaling:CreateOrUpdateTags" + ], + "Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*" + }, + { + "Sid": "ASGDescribe", + "Effect": "Allow", + "Action": "autoscaling:DescribeAutoScalingGroups", + "Resource": "*" + }, + { + "Sid": "SSMECSOptimizedAmi", + "Effect": "Allow", + "Action": "ssm:GetParameter", + "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*" + }, + { + "Sid": "CostExplorer", + "Effect": "Allow", + "Action": "ce:GetCostAndUsage", + "Resource": "*" + } + ] +} +``` + +
+ +:::note +- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. +- The `CostExplorer` statement is only required if you enable Cost Analysis. +::: + +Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps. + ## Managed Amazon Machine Image (AMI) The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 42a12402c..62d44fccc 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
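Review bot: The sentence above the policy says the remaining `Resource: "*"` entries are APIs without resource-level permissions, but `s3:GetObject` and `s3:ListBucket` in `S3Access`, `ec2:RunInstances`, `ec2:CreateLaunchTemplate` and `ec2:DeleteLaunchTemplate` in `ASGEC2Operations`, and `ec2:CreateSecurityGroup`, `ec2:CreateVpcEndpoint`, `ec2:AuthorizeSecurityGroupEgress` and `ec2:CreateTags` in `EC2NetworkDiscovery` all accept resource ARNs (and, for EC2, `aws:RequestTag` / `ec2:ResourceTag` conditions), so as written the policy grants read access to every S3 object in the account and unconstrained instance launches. Either scope those statements — at minimum the S3 bucket and object ARNs Seqera actually needs, and the launch-template and tagging actions to `seqera-sched-*` — or reword the sentence to `The remaining Resource "*" entries are either AWS APIs that do not support resource-level permissions or actions (S3 reads, instance launches, security-group and launch-template management) whose targets depend on your environment; scope them to your buckets, VPC and the seqera-sched-* prefix before attaching.` Separately, `IAMRoleManagement` allows `iam:CreateRole`, `iam:PutRolePolicy` and `iam:AttachRolePolicy` on `seqera-sched-*` roles with no `iam:PermissionsBoundary` or `iam:PolicyARN` condition while `PassRoleToECS` passes those roles to `ec2.amazonaws.com`, so nothing bounds the permissions such a role can carry; documenting which managed policies Seqera attaches, or recommending a permissions-boundary condition on those three actions, would let readers constrain it. The same policy and prose are repeated in the `platform-enterprise_docs` hunk below, and the prose claim is carried forward unchanged by the `[PATCH 4/4]` rewording hunk, so all three need the same fix.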
@@ -231,6 +231,200 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` +## Seqera Intelligent Compute + +Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior. + +When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed. + +### Additional IAM permissions + +Enabling Seqera Intelligent Compute requires the following IAM policy in addition to the [Required permissions](#required-permissions) listed above. Attach it to the same IAM user or role that Seqera uses to access your AWS account. + +Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer). + +
+Seqera Intelligent Compute policy + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ECSScopedOperations", + "Effect": "Allow", + "Action": [ + "ecs:CreateCluster", + "ecs:DeleteCluster", + "ecs:DescribeClusters", + "ecs:ListTasks", + "ecs:PutClusterCapacityProviders", + "ecs:CreateCapacityProvider", + "ecs:DeleteCapacityProvider", + "ecs:DescribeCapacityProviders", + "ecs:DeregisterTaskDefinition", + "ecs:DescribeTaskDefinition", + "ecs:RunTask", + "ecs:StopTask", + "ecs:DescribeTasks", + "ecs:DescribeContainerInstances", + "ecs:TagResource" + ], + "Resource": "arn:aws:ecs:*:*:*/seqera-sched-*" + }, + { + "Sid": "ECSUnscopedOperations", + "Effect": "Allow", + "Action": [ + "ecs:RegisterTaskDefinition", + "ecs:ListTaskDefinitions", + "ecs:ListTaskDefinitionFamilies" + ], + "Resource": "*" + }, + { + "Sid": "IAMRoleManagement", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:GetRole", + "iam:DeleteRole", + "iam:PutRolePolicy", + "iam:DeleteRolePolicy", + "iam:ListRolePolicies", + "iam:AttachRolePolicy", + "iam:DetachRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:CreateInstanceProfile", + "iam:GetInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:ListInstanceProfilesForRole", + "iam:RemoveRoleFromInstanceProfile", + "iam:DeleteInstanceProfile" + ], + "Resource": [ + "arn:aws:iam::*:role/seqera-sched-*", + "arn:aws:iam::*:instance-profile/seqera-sched-*" + ] + }, + { + "Sid": "PassRoleToECS", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::*:role/seqera-sched-*", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ecs-tasks.amazonaws.com", + "ecs.amazonaws.com", + "ec2.amazonaws.com" + ] + } + } + }, + { + "Sid": "CloudWatchLogs", + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:DeleteLogGroup", + "logs:PutRetentionPolicy", + "logs:DescribeLogStreams", + "logs:GetLogEvents", + "logs:TagResource" + ], + "Resource": 
"arn:aws:logs:*:*:log-group:/seqera/sched*" + }, + { + "Sid": "EC2NetworkDiscovery", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeRouteTables", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeInstances", + "ec2:CreateSecurityGroup", + "ec2:CreateVpcEndpoint", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:DeleteSecurityGroup", + "ec2:CreateTags" + ], + "Resource": "*" + }, + { + "Sid": "ECRAccess", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage" + ], + "Resource": "*" + }, + { + "Sid": "S3Access", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListAllMyBuckets" + ], + "Resource": "*" + }, + { + "Sid": "ASGEC2Operations", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceTypes", + "ec2:CreateLaunchTemplate", + "ec2:DeleteLaunchTemplate", + "ec2:RunInstances" + ], + "Resource": "*" + }, + { + "Sid": "ASGManagement", + "Effect": "Allow", + "Action": [ + "autoscaling:CreateAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + "autoscaling:DeleteAutoScalingGroup", + "autoscaling:CreateOrUpdateTags" + ], + "Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*" + }, + { + "Sid": "ASGDescribe", + "Effect": "Allow", + "Action": "autoscaling:DescribeAutoScalingGroups", + "Resource": "*" + }, + { + "Sid": "SSMECSOptimizedAmi", + "Effect": "Allow", + "Action": "ssm:GetParameter", + "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*" + }, + { + "Sid": "CostExplorer", + "Effect": "Allow", + "Action": "ce:GetCostAndUsage", + "Resource": "*" + } + ] +} +``` + +
+ +:::note +- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments. +- The `CostExplorer` statement is only required if you enable Cost Analysis. +::: + ## Managed Amazon Machine Image (AMI) The AWS Cloud compute environment uses an AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following: From c9a838d294cf125cf6653495f2d2dca0aa5ec9a8 Mon Sep 17 00:00:00 2001 From: Paolo Di Tommaso Date: Mon, 4 May 2026 17:41:42 +0200 Subject: [PATCH 2/4] docs(aws-cloud): drop unused ec2:DeleteSecurityGroup from SIC policy The scheduler never calls DeleteSecurityGroup. The security group it manages has a static name (seqera-sched-ecs) shared across clusters in the region and is not torn down per-cluster. --- platform-cloud/docs/compute-envs/aws-cloud.md | 1 - platform-enterprise_docs/compute-envs/aws-cloud.md | 1 - 2 files changed, 2 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index fc8a30d93..8995e9eb1 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -543,7 +543,6 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc "ec2:CreateSecurityGroup", "ec2:CreateVpcEndpoint", "ec2:AuthorizeSecurityGroupEgress", - "ec2:DeleteSecurityGroup", "ec2:CreateTags" ], "Resource": "*" diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 62d44fccc..c7d66fccf 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -348,7 +348,6 @@ Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sc
 "ec2:CreateSecurityGroup",
 "ec2:CreateVpcEndpoint",
 "ec2:AuthorizeSecurityGroupEgress",
- "ec2:DeleteSecurityGroup",
 "ec2:CreateTags"
 ],
 "Resource": "*"
From ebeb859441f6c5a79c9fc4a6d3f9c738bdf9a182 Mon Sep 17 00:00:00 2001
From: Justine Geffen
Date: Tue, 5 May 2026 21:50:41 +0200
Subject: [PATCH 3/4] Apply suggestion from @christopher-hakkaart
Co-authored-by: Chris Hakkaart
Signed-off-by: Justine Geffen
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 8995e9eb1..30ea8deb2 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -428,9 +428,9 @@ Existing credentials created before March 2026 continue to work without changes.
 ## Seqera Intelligent Compute
-Seqera Intelligent Compute is an optional capability that, when enabled, executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. This lets the AWS Cloud compute environment scale beyond the resources of a single instance while preserving its fast startup behavior.
+Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior.
-When Seqera Intelligent Compute is enabled, Seqera provisions and manages all ECS infrastructure on your behalf — clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
+When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.
 ### Additional IAM permissions
From 24f118d9a07e1a1498223d25a898172a0e52c36c Mon Sep 17 00:00:00 2001
From: Justine Geffen
Date: Tue, 5 May 2026 21:50:51 +0200
Subject: [PATCH 4/4] Apply suggestion from @christopher-hakkaart
Co-authored-by: Chris Hakkaart
Signed-off-by: Justine Geffen
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 30ea8deb2..b869c9ae9 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -434,9 +434,9 @@ When you enable Seqera Intelligent Compute, Seqera provisions and manages all EC
 ### Additional IAM permissions
-Enabling Seqera Intelligent Compute requires an additional IAM policy on top of the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.
+Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.
-Every action that AWS allows to be scoped by ARN is restricted to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions (for example, EC2 `Describe*`, ECR authorization tokens, or Cost Explorer).
+The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer.
Seqera Intelligent Compute policy