Skip to content

docs(aws-cloud): document Seqera Intelligent Compute IAM permissions #1382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pditommaso wants to merge 5 commits into
base: master
Choose a base branch
from
+388 −0
Open

docs(aws-cloud): document Seqera Intelligent Compute IAM permissions #1382

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5949771
docs(aws-cloud): document Seqera Intelligent Compute IAM permissions
pditommaso May 4, 2026
c9a838d
docs(aws-cloud): drop unused ec2:DeleteSecurityGroup from SIC policy
pditommaso May 4, 2026
9940204
Merge branch 'master' into docs/aws-cloud-seqera-intelligent-compute
justinegeffen May 4, 2026
ebeb859
Apply suggestion from @christopher-hakkaart
justinegeffen May 5, 2026
24f118d
Apply suggestion from @christopher-hakkaart
justinegeffen May 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
195 changes: 195 additions & 0 deletions platform-cloud/docs/compute-envs/aws-cloud.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -426,6 +426,201 @@ Use the IAM role ARN which Seqera must use for accessing your AWS resources in *

Existing credentials created before March 2026 continue to work without changes.

## Seqera Intelligent Compute

Seqera Intelligent Compute is an optional capability that executes Nextflow tasks on a Seqera-managed Amazon ECS cluster instead of running them entirely on the head EC2 instance. The AWS Cloud compute environment scales beyond the resources of a single instance while preserving its fast startup behavior.

When you enable Seqera Intelligent Compute, Seqera provisions and manages all ECS infrastructure on your behalf, including clusters, capacity providers, task definitions, IAM roles, and (optionally) Auto Scaling Groups for spot and on-demand capacity. All managed resources use the `seqera-sched-` prefix and are torn down automatically when no longer needed.

### Additional IAM permissions

Enabling Seqera Intelligent Compute requires an additional IAM policy in addition to the [Required Platform IAM permissions](#required-platform-iam-permissions). Attach it to the same IAM user or role that Seqera uses to access your AWS account.

The policy scopes every ARN-eligible action to the `seqera-sched-*` prefix. The remaining `Resource: "*"` entries correspond to AWS APIs that do not support resource-level permissions, such as EC2 `Describe*`, ECR authorization tokens, and Cost Explorer.

<details>
<summary>Seqera Intelligent Compute policy</summary>

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECSScopedOperations",
"Effect": "Allow",
"Action": [
"ecs:CreateCluster",
"ecs:DeleteCluster",
"ecs:DescribeClusters",
"ecs:ListTasks",
"ecs:PutClusterCapacityProviders",
"ecs:CreateCapacityProvider",
"ecs:DeleteCapacityProvider",
"ecs:DescribeCapacityProviders",
"ecs:DeregisterTaskDefinition",
"ecs:DescribeTaskDefinition",
"ecs:RunTask",
"ecs:StopTask",
"ecs:DescribeTasks",
"ecs:DescribeContainerInstances",
"ecs:TagResource"
],
"Resource": "arn:aws:ecs:*:*:*/seqera-sched-*"
},
{
"Sid": "ECSUnscopedOperations",
"Effect": "Allow",
"Action": [
"ecs:RegisterTaskDefinition",
"ecs:ListTaskDefinitions",
"ecs:ListTaskDefinitionFamilies"
],
"Resource": "*"
},
{
"Sid": "IAMRoleManagement",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:GetRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:ListRolePolicies",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:CreateInstanceProfile",
"iam:GetInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile"
],
"Resource": [
"arn:aws:iam::*:role/seqera-sched-*",
"arn:aws:iam::*:instance-profile/seqera-sched-*"
]
},
{
"Sid": "PassRoleToECS",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/seqera-sched-*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ecs-tasks.amazonaws.com",
"ecs.amazonaws.com",
"ec2.amazonaws.com"
]
}
}
},
{
"Sid": "CloudWatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:TagResource"
],
"Resource": "arn:aws:logs:*:*:log-group:/seqera/sched*"
},
{
"Sid": "EC2NetworkDiscovery",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeRouteTables",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeInstances",
"ec2:CreateSecurityGroup",
"ec2:CreateVpcEndpoint",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateTags"
],
"Resource": "*"
},
{
"Sid": "ECRAccess",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Resource": "*"
},
{
"Sid": "S3Access",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ASGEC2Operations",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceTypes",
"ec2:CreateLaunchTemplate",
"ec2:DeleteLaunchTemplate",
"ec2:RunInstances"
],
"Resource": "*"
},
{
"Sid": "ASGManagement",
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateOrUpdateTags"
],
"Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*"
},
{
"Sid": "ASGDescribe",
"Effect": "Allow",
"Action": "autoscaling:DescribeAutoScalingGroups",
"Resource": "*"
},
{
"Sid": "SSMECSOptimizedAmi",
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*"
},
{
"Sid": "CostExplorer",
"Effect": "Allow",
"Action": "ce:GetCostAndUsage",
"Resource": "*"
}
Copy link
Copy Markdown
Contributor

@stefanoboriero stefanoboriero May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Working on the CF equivalent I found out you are also going to need

 {
    "Sid": "ECSServiceLinkedRole",
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/ecs-compute.amazonaws.
  com/AWSServiceRoleForECSCompute",
    "Condition": {
      "StringEquals": {
        "iam:AWSServiceName": "ecs-compute.amazonaws.com"
      }
    }
  }

If you are going to use Managed Capacity for ECS and the service role was not created before hand

Copy link
Copy Markdown
Contributor

@justinegeffen justinegeffen May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stefanoboriero, would you be able to update the relevant section with that content? Thank you!

]
}
```

</details>

:::note
- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments.
- The `CostExplorer` statement is only required if you enable Cost Analysis.
:::

Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps.
Comment on lines +617 to +622
Copy link
Copy Markdown
Member

@christopher-hakkaart christopher-hakkaart May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
:::note
- The `ASGEC2Operations` and `ASGManagement` statements are only required if you enable Auto Scaling Group-backed clusters (managed instances). They can be omitted for Fargate-only deployments.
- The `CostExplorer` statement is only required if you enable Cost Analysis.
:::
Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps.
:::note
- The `ASGEC2Operations` and `ASGManagement` statements are required only if you enable Auto Scaling Group-backed clusters (managed instances). Omit them for Fargate-only deployments.
- The `CostExplorer` statement is required only if you enable Cost Analysis.
:::
Like the base AWS Cloud policy, you can attach this policy directly to the IAM user or to an IAM role that the user assumes. See [Create the IAM policy](#create-the-iam-policy) for the AWS Console steps.

Copy link
Copy Markdown
Member

@christopher-hakkaart christopher-hakkaart May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check meaning is retained for "Omit them for Fargate-only deployments."


## Managed Amazon Machine Image (AMI)

The AWS Cloud compute environment uses a public AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following:
Expand Down
Loading
Loading