diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index ae487cd2f..4fc731a56 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -2,8 +2,8 @@ title: "AWS Batch" description: "Instructions to set up AWS Batch in Seqera Platform" date created: "2023-04-21" -last updated: "2025-12-18" -tags: [aws, batch, compute environment] +last updated: "2026-05-05" +tags: [aws, batch, compute-environment] --- :::tip @@ -262,6 +262,14 @@ A permissive and broad policy with all the required permissions is provided here "secretsmanager:CreateSecret" ], "Resource": "arn:aws:secretsmanager:*:*:secret:tower-*" + }, + { + "Sid": "OptionalUserdataCheck", + "Effect": "Allow", + "Action": [ + "ec2:GetConsoleOutput" + ], + "Resource": "*" } ] } @@ -578,6 +586,21 @@ The listing of secrets cannot be restricted, but the management actions can be r To successfully use pipeline secrets, the IAM roles manually created must follow the steps detailed in the [documentation](../secrets/overview#aws-secrets-manager-integration). +### Userdata script error detection (optional) + +Platform can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. + +```json +{ + "Sid": "OptionalUserdataCheck", + "Effect": "Allow", + "Action": [ + "ec2:GetConsoleOutput" + ], + "Resource": "*" +} +``` + ## Create the IAM policy The policy above must be created in the AWS account where the AWS Batch resources need to be created. diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index ecf633381..ccad58165 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md 
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -2,12 +2,10 @@ title: "AWS Cloud" description: "Instructions to set up an AWS Cloud CE in Seqera Platform" date created: "2025-05-15" -last updated: "2026-01-30" -tags: [cloud, vm, amazon, compute environment] +last updated: "2026-05-05" +tags: [cloud, vm, amazon, compute-environment] --- -# AWS Cloud - :::note This compute environment type is currently in public preview. Please consult this guide for the latest information on recommended configuration and limitations. This guide assumes you already have an AWS account with a valid AWS subscription. ::: @@ -157,6 +155,14 @@ A permissive and broad policy with all the required permissions is provided here "s3:ListAllMyBuckets" ], "Resource": "*" + }, + { + "Sid": "AwsCloudUserdataCheck", + "Effect": "Allow", + "Action": [ + "ec2:GetConsoleOutput" + ], + "Resource": "*" } ] } @@ -295,6 +301,21 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` +### Userdata script error detection (optional) + +Platform can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. + +```json +{ + "Sid": "AwsCloudUserdataCheck", + "Effect": "Allow", + "Action": [ + "ec2:GetConsoleOutput" + ], + "Resource": "*" +} +``` + ## Create the IAM policy The policy above must be created in the AWS account where the AWS Batch resources need to be created. diff --git a/platform-cloud/docs/compute-envs/azure-cloud.md b/platform-cloud/docs/compute-envs/azure-cloud.md index aea357d0b..c624b394c 100644 --- a/platform-cloud/docs/compute-envs/azure-cloud.md +++ b/platform-cloud/docs/compute-envs/azure-cloud.md 
@@ -2,7 +2,7 @@ title: "Azure Cloud" description: "Instructions to set up an Azure Cloud compute environment in Seqera Platform" date created: "2025-09-29" -last updated: "2025-09-29" +last updated: "2026-05-05" tags: [cloud, vm, azure, compute-environment] --- @@ -134,6 +134,8 @@ For granular control over the permissions granted to Seqera, use [Azure custom r "Microsoft.OperationalInsights/workspaces/query/read", "Microsoft.OperationalInsights/workspaces/query/Tables.Custom/read", + "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" ], @@ -285,6 +287,34 @@ The following permissions are required to fetch logs for the pipeline execution } ``` +#### Userdata script error detection (optional) + +Platform can retrieve the serial console output of the Azure VM to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. + +This requires [boot diagnostics](https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics) to be enabled on the VM and the following permission on the service principal: + +```json +{ + "properties": { + "roleName": "seqera-azure-cloud-userdata-check", + "description": "Role to retrieve boot diagnostics for pre-run script error detection", + "assignableScopes": [ + "/subscriptions/" + ], + "permissions": [ + { + "actions": [ + "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } +} +``` + #### Data-links The following permissions are required to work with [Data Explorer](../data/data-explorer) data-links on Azure: 
diff --git a/platform-cloud/docs/compute-envs/google-cloud.md b/platform-cloud/docs/compute-envs/google-cloud.md index e9de8cc10..9edff259a 100644 --- a/platform-cloud/docs/compute-envs/google-cloud.md +++ b/platform-cloud/docs/compute-envs/google-cloud.md @@ -2,11 +2,10 @@ title: "Google Cloud" description: "Instructions to set up an Google Cloud CE in Seqera Platform" date created: "2025-07-15" -tags: [cloud, vm, google, compute environment] +last updated: "2026-05-05" +tags: [cloud, vm, google, compute-environment] --- -# Google Cloud - :::note This compute environment type is currently in public preview. Consult this guide for the latest information on recommended configuration and limitations. This guide assumes you already have a GCP account with a valid subscription. ::: 
@@ -91,6 +90,10 @@ To create and launch pipelines or Studio sessions with this compute environment If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal [on each bucket individually](https://docs.seqera.io/platform-cloud/compute-envs/google-cloud-batch#cloud-storage-bucket). For each Google Cloud compute environment created in the Seqera platform, a separate service account is created with the necessary permissions to launch pipelines/studios. +#### Userdata script error detection (optional) + +Platform can retrieve the serial port output of the Compute Engine instance to detect errors in the userdata script that bootstraps the VM during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, include the `compute.instances.getSerialPortOutput` permission. Without this permission, userdata script failures are not detected, and no warning is shown. + ## Advanced options - **Use an ARM64 architecture instance**: Select this option to enable an ARM architecture instance to be created for your compute workload. This option defaults to using a [C4A machine series](https://cloud.google.com/compute/docs/general-purpose-machines#c4a_series) VM with Google's ARM-based Axion™ processor.
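Review bot: the new `OptionalUserdataCheck` statement in aws-batch.md grants `ec2:GetConsoleOutput` on `"Resource": "*"`, which lets the role read the console output of every instance in the account rather than only the instances Platform launches; consider scoping it to Platform-created instances (for example with a tag-based condition on the instance resource) or, if the wildcard is deliberate, say why in the new section. Console output contains whatever the userdata script writes to the console, so the section should also tell readers to keep credentials out of that script's output. Finally, the standalone "Userdata script error detection (optional)" section repeats a statement that is already present in the broad policy above; say so explicitly, because appending it a second time produces a duplicate `Sid`, which IAM rejects.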
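Review bot: the `AwsCloudUserdataCheck` statement in aws-cloud.md has the same `"Resource": "*"` scope on `ec2:GetConsoleOutput` as the Batch page, so the same tag-scoping or written justification applies here. While in this hunk, the unchanged context line under "Create the IAM policy" says the policy must be created in the account where "the AWS Batch resources" are, which reads as copied from the Batch page; on this page it should refer to the AWS Cloud compute environment.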
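Review bot: the custom-role hunk in azure-cloud.md adds two actions, `Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action` and `Microsoft.Storage/storageAccounts/blobServices/containers/read`, but the new "Userdata script error detection (optional)" section documents only the first; either explain why the role needs to read blob containers or leave that action out of this change. In the sample role, `assignableScopes` is `"/subscriptions/"` with no subscription identifier or placeholder after it, and the `description` says "pre-run script" while the heading and body say "userdata script"; add the placeholder and align the terminology.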
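Review bot: the frontmatter hunk in google-cloud.md leaves the unchanged description "Instructions to set up an Google Cloud CE"; since this change already touches the frontmatter, fix the article to "a Google Cloud CE" in the same commit.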
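Review bot: the Google section states what happens without `compute.instances.getSerialPortOutput` but, unlike the AWS and Azure sections, not what Platform does when a failure is detected (surfacing it as a warning on the workflow); add that sentence for consistency. Also, the heading says "(optional)" while the permission is bundled into `roles/compute.instanceAdmin.v1`, so only readers who build a custom role can actually opt out; state that plainly so the least-privilege path is clear.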