From 0272cf4a930aeaa882dd02aeb0821015934b7a74 Mon Sep 17 00:00:00 2001 From: munishchouhan Date: Tue, 5 May 2026 10:39:38 +0200 Subject: [PATCH 1/7] added docs to userdata script error permissions Signed-off-by: munishchouhan --- platform-cloud/docs/compute-envs/aws-batch.md | 23 ++++++++++++++ platform-cloud/docs/compute-envs/aws-cloud.md | 23 ++++++++++++++ .../docs/compute-envs/azure-cloud.md | 30 +++++++++++++++++++ .../docs/compute-envs/google-cloud.md | 4 +++ 4 files changed, 80 insertions(+) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index ae487cd2f..bdb0fa88c 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -262,6 +262,14 @@ A permissive and broad policy with all the required permissions is provided here "secretsmanager:CreateSecret" ], "Resource": "arn:aws:secretsmanager:*:*:secret:tower-*" + }, + { + "Sid": "OptionalUserdataCheck", + "Effect": "Allow", + "Action": [ + "ec2:GetConsoleOutput" + ], + "Resource": "*" } ] } @@ -578,6 +586,21 @@ The listing of secrets cannot be restricted, but the management actions can be r To successfully use pipeline secrets, the IAM roles manually created must follow the steps detailed in the [documentation](../secrets/overview#aws-secrets-manager-integration). +### Pre-run script error detection (optional) + +Seqera can retrieve the EC2 instance console output to detect errors in the pre-run script (userdata) executed during instance startup. If the pre-run script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, pre-run script failures are not detected and no warning is shown. + +```json +{ + "Sid": "OptionalUserdataCheck", + "Effect": "Allow", + "Action": [ + "ec2:GetConsoleOutput" + ], + "Resource": "*" +} +``` + ## Create the IAM policy The policy above must be created in the AWS account where the AWS Batch resources need to be created. 
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index ecf633381..af7b46194 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -157,6 +157,14 @@ A permissive and broad policy with all the required permissions is provided here "s3:ListAllMyBuckets" ], "Resource": "*" + }, + { + "Sid": "AwsCloudUserdataCheck", + "Effect": "Allow", + "Action": [ + "ec2:GetConsoleOutput" + ], + "Resource": "*" } ] } @@ -295,6 +303,21 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` +### Pre-run script error detection (optional) + +Seqera can retrieve the EC2 instance console output to detect errors in the pre-run script (userdata) executed during instance startup. If the pre-run script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, pre-run script failures are not detected and no warning is shown. + +```json +{ + "Sid": "AwsCloudUserdataCheck", + "Effect": "Allow", + "Action": [ + "ec2:GetConsoleOutput" + ], + "Resource": "*" +} +``` + ## Create the IAM policy The policy above must be created in the AWS account where the AWS Batch resources need to be created. diff --git a/platform-cloud/docs/compute-envs/azure-cloud.md b/platform-cloud/docs/compute-envs/azure-cloud.md index aea357d0b..5ea12a892 100644 --- a/platform-cloud/docs/compute-envs/azure-cloud.md +++ b/platform-cloud/docs/compute-envs/azure-cloud.md @@ -134,6 +134,8 @@ For granular control over the permissions granted to Seqera, use [Azure custom r "Microsoft.OperationalInsights/workspaces/query/read", "Microsoft.OperationalInsights/workspaces/query/Tables.Custom/read", + "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" ], 
@@ -285,6 +287,34 @@ The following permissions are required to fetch logs for the pipeline execution } ``` +#### Pre-run script error detection (optional) + +Seqera can retrieve the serial console output of the Azure VM to detect errors in the pre-run script executed during instance startup. If the pre-run script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, pre-run script failures are not detected and no warning is shown. + +This requires [boot diagnostics](https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics) to be enabled on the VM and the following permission on the service principal: + +```json +{ + "properties": { + "roleName": "seqera-azure-cloud-userdata-check", + "description": "Role to retrieve boot diagnostics for pre-run script error detection", + "assignableScopes": [ + "/subscriptions/" + ], + "permissions": [ + { + "actions": [ + "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } +} +``` + #### Data-links The following permissions are required to work with [Data Explorer](../data/data-explorer) data-links on Azure: diff --git a/platform-cloud/docs/compute-envs/google-cloud.md b/platform-cloud/docs/compute-envs/google-cloud.md index e9de8cc10..ccb4e9029 100644 --- a/platform-cloud/docs/compute-envs/google-cloud.md +++ b/platform-cloud/docs/compute-envs/google-cloud.md 
@@ -91,6 +91,10 @@ To create and launch pipelines or Studio sessions with this compute environment If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal [on each bucket individually](https://docs.seqera.io/platform-cloud/compute-envs/google-cloud-batch#cloud-storage-bucket). For each Google Cloud compute environment created in the Seqera platform, a separate service account is created with the necessary permissions to launch pipelines/studios. +#### Pre-run script error detection (optional) + +Seqera can retrieve the serial port output of the Compute Engine instance to detect errors in the pre-run script executed during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, ensure it includes the `compute.instances.getSerialPortOutput` permission. Without this permission, pre-run script failures are not detected and no warning is shown. + ## Advanced options - **Use an ARM64 architecture instance**: Select this option to enable an ARM architecture instance to be created for your compute workload. This option defaults to using a [C4A machine series](https://cloud.google.com/compute/docs/general-purpose-machines#c4a_series) VM with Google's ARM-based Axion™ processor. From a69fe3854138bd6f084cd73a1e8ad52578bbb0c7 Mon Sep 17 00:00:00 2001 From: munishchouhan Date: Tue, 5 May 2026 12:17:53 +0200 Subject: [PATCH 2/7] use userdata instead of pre run 
Signed-off-by: munishchouhan --- platform-cloud/docs/compute-envs/aws-batch.md | 4 ++-- platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++-- platform-cloud/docs/compute-envs/azure-cloud.md | 4 ++-- platform-cloud/docs/compute-envs/google-cloud.md | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index bdb0fa88c..5950dac37 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -586,9 +586,9 @@ The listing of secrets cannot be restricted, but the management actions can be r To successfully use pipeline secrets, the IAM roles manually created must follow the steps detailed in the [documentation](../secrets/overview#aws-secrets-manager-integration). -### Pre-run script error detection (optional) +### Userdata script error detection (optional) -Seqera can retrieve the EC2 instance console output to detect errors in the pre-run script (userdata) executed during instance startup. If the pre-run script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, pre-run script failures are not detected and no warning is shown. +Seqera can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. ```json { diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index af7b46194..ceca980a9 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -303,9 +303,9 @@ The following permissions enable Seqera to populate values for dropdown fields. } ``` -### Pre-run script error detection (optional) +### Userdata script error detection (optional) -Seqera can retrieve the EC2 instance console output to detect errors in the pre-run script (userdata) executed during instance startup. If the pre-run script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, pre-run script failures are not detected and no warning is shown. +Seqera can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. ```json { diff --git a/platform-cloud/docs/compute-envs/azure-cloud.md b/platform-cloud/docs/compute-envs/azure-cloud.md index 5ea12a892..b0a0b2790 100644 --- a/platform-cloud/docs/compute-envs/azure-cloud.md +++ b/platform-cloud/docs/compute-envs/azure-cloud.md 
@@ -287,9 +287,9 @@ The following permissions are required to fetch logs for the pipeline execution } ``` -#### Pre-run script error detection (optional) +#### Userdata script error detection (optional) -Seqera can retrieve the serial console output of the Azure VM to detect errors in the pre-run script executed during instance startup. If the pre-run script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, pre-run script failures are not detected and no warning is shown. +Seqera can retrieve the serial console output of the Azure VM to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. This requires [boot diagnostics](https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics) to be enabled on the VM and the following permission on the service principal: diff --git a/platform-cloud/docs/compute-envs/google-cloud.md b/platform-cloud/docs/compute-envs/google-cloud.md index ccb4e9029..fc3bdf512 100644 --- a/platform-cloud/docs/compute-envs/google-cloud.md +++ b/platform-cloud/docs/compute-envs/google-cloud.md 
@@ -91,9 +91,9 @@ To create and launch pipelines or Studio sessions with this compute environment If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal [on each bucket individually](https://docs.seqera.io/platform-cloud/compute-envs/google-cloud-batch#cloud-storage-bucket). For each Google Cloud compute environment created in the Seqera platform, a separate service account is created with the necessary permissions to launch pipelines/studios. -#### Pre-run script error detection (optional) +#### Userdata script error detection (optional) -Seqera can retrieve the serial port output of the Compute Engine instance to detect errors in the pre-run script executed during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, ensure it includes the `compute.instances.getSerialPortOutput` permission. Without this permission, pre-run script failures are not detected and no warning is shown. +Seqera can retrieve the serial port output of the Compute Engine instance to detect errors in the userdata script that bootstraps the VM during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, ensure it includes the `compute.instances.getSerialPortOutput` permission. Without this permission, userdata script failures are not detected and no warning is shown. ## Advanced options From 45e3dcfeb34662cd7d79417b79754f28b1b3e6f6 Mon Sep 17 00:00:00 2001 From: Munish Chouhan Date: Tue, 5 May 2026 12:30:45 +0200 Subject: [PATCH 3/7] Update platform-cloud/docs/compute-envs/google-cloud.md Co-authored-by: Chris Hakkaart 
Signed-off-by: Munish Chouhan --- platform-cloud/docs/compute-envs/google-cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud.md b/platform-cloud/docs/compute-envs/google-cloud.md index fc3bdf512..5299dfad4 100644 --- a/platform-cloud/docs/compute-envs/google-cloud.md +++ b/platform-cloud/docs/compute-envs/google-cloud.md @@ -93,7 +93,7 @@ If your Google Cloud project does not require access restrictions on any of its #### Userdata script error detection (optional) -Seqera can retrieve the serial port output of the Compute Engine instance to detect errors in the userdata script that bootstraps the VM during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, ensure it includes the `compute.instances.getSerialPortOutput` permission. Without this permission, userdata script failures are not detected and no warning is shown. +Seqera can retrieve the serial port output of the Compute Engine instance to detect errors in the userdata script that bootstraps the VM during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, include the `compute.instances.getSerialPortOutput` permission. Without this permission, userdata script failures are not detected, and no warning is shown. ## Advanced options From d21c671e961731328476c4299a4d9374a648a4dd Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 5 May 2026 16:46:00 +0200 Subject: [PATCH 4/7] Apply suggestion from @justinegeffen Signed-off-by: Justine Geffen --- platform-cloud/docs/compute-envs/aws-batch.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index 5950dac37..6b31d68b2 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md 
+++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -588,7 +588,7 @@ To successfully use pipeline secrets, the IAM roles manually created must follow ### Userdata script error detection (optional) -Seqera can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. +Platform can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. ```json { From ab6c07c557f1efa1d8a009a1009e22e7603e98da Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 5 May 2026 17:35:12 +0200 Subject: [PATCH 5/7] Apply suggestion from @justinegeffen Signed-off-by: Justine Geffen --- platform-cloud/docs/compute-envs/aws-cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index ceca980a9..c3b1f36fe 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -305,7 +305,7 @@ The following permissions enable Seqera to populate values for dropdown fields. ### Userdata script error detection (optional) -Seqera can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. +Platform can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. ```json { From 0b47c3526b303a91a7e70df4c97891905cca03fa Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 5 May 2026 17:36:13 +0200 Subject: [PATCH 6/7] Apply suggestion from @justinegeffen Signed-off-by: Justine Geffen --- platform-cloud/docs/compute-envs/azure-cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/azure-cloud.md b/platform-cloud/docs/compute-envs/azure-cloud.md index b0a0b2790..9354f0619 100644 --- a/platform-cloud/docs/compute-envs/azure-cloud.md +++ b/platform-cloud/docs/compute-envs/azure-cloud.md 
@@ -289,7 +289,7 @@ The following permissions are required to fetch logs for the pipeline execution #### Userdata script error detection (optional) -Seqera can retrieve the serial console output of the Azure VM to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Seqera surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. +Platform can retrieve the serial console output of the Azure VM to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown. This requires [boot diagnostics](https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics) to be enabled on the VM and the following permission on the service principal: From c97c33745d118f9eeb8ac3731d35adf6c3faa777 Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 5 May 2026 17:37:11 +0200 Subject: [PATCH 7/7] Apply suggestion from @justinegeffen Signed-off-by: Justine Geffen --- platform-cloud/docs/compute-envs/google-cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud.md b/platform-cloud/docs/compute-envs/google-cloud.md index 5299dfad4..b6fb04421 100644 --- a/platform-cloud/docs/compute-envs/google-cloud.md +++ b/platform-cloud/docs/compute-envs/google-cloud.md 
@@ -93,7 +93,7 @@ If your Google Cloud project does not require access restrictions on any of its #### Userdata script error detection (optional) -Seqera can retrieve the serial port output of the Compute Engine instance to detect errors in the userdata script that bootstraps the VM during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, include the `compute.instances.getSerialPortOutput` permission. Without this permission, userdata script failures are not detected, and no warning is shown. +Platform can retrieve the serial port output of the Compute Engine instance to detect errors in the userdata script that bootstraps the VM during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, include the `compute.instances.getSerialPortOutput` permission. Without this permission, userdata script failures are not detected, and no warning is shown. ## Advanced options
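Review bot: in the aws-batch.md hunk at `@@ -262,6 +262,14 @@` (patch 1/7), the new `OptionalUserdataCheck` statement grants `ec2:GetConsoleOutput` on `"Resource": "*"`, which lets the Platform role read the console log of every instance in the account, not only the ones it launches; console output contains whatever the bootstrap script echoes, so this read path deserves the same care as the `tower-*` scoping on the Secrets Manager statement directly above it. Check whether the action can be scoped to the instances Platform creates (for example with a `Condition` on the tags it applies), and if `"*"` is kept deliberately, say why in the section text so operators reviewing the policy are not left guessing.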
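Review bot: in the aws-batch.md hunk at `@@ -578,6 +586,21 @@` (patch 1/7), the fenced JSON under "Pre-run script error detection (optional)" is a single statement object, not a complete policy document, and the prose never says where it goes. Add a sentence that it is appended as an entry in the `Statement` array of the policy being built, and note that the broad policy earlier on the page already contains it under the same `Sid`, so a reader who pastes it into that policy produces a duplicate `Sid`, which IAM rejects as invalid.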
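Review bot: in the aws-cloud.md hunk at `@@ -157,6 +157,14 @@` (patch 1/7), the statement is named `AwsCloudUserdataCheck` while the identical statement added to aws-batch.md is `OptionalUserdataCheck`; pick one name for the two AWS pages (or state the reason for the difference), since operators diffing the two policies will otherwise assume the statements differ in effect.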
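Review bot: in the aws-cloud.md hunk at `@@ -295,6 +303,21 @@` (patch 1/7), the new section says "Without this permission, pre-run script failures are not detected" but does not tell the reader that the broad policy added earlier in this same patch already includes the statement; say explicitly that only users who build a custom, granular policy need to add it. While here, the unchanged context after the hunk reads "where the AWS Batch resources need to be created" on the AWS Cloud page, which looks like a copy-over from aws-batch.md worth fixing in a follow-up.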
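Review bot: in the azure-cloud.md hunk at `@@ -134,6 +134,8 @@` (patch 1/7), two actions are added to the broad role, `Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action` and `Microsoft.Storage/storageAccounts/blobServices/containers/read`, but the new documentation section later in the file lists only the first and the `seqera-azure-cloud-userdata-check` custom role omits the second. Either document why `containers/read` is needed for boot diagnostics retrieval and add it to the custom role, or drop it from this hunk, so the granular and broad paths grant the same thing.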
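Review bot: in the azure-cloud.md hunk at `@@ -285,6 +287,34 @@` (patch 1/7), the custom role's `assignableScopes` entry is the bare `"/subscriptions/"` with no subscription ID placeholder, which is not a valid scope and will fail on `az role definition create`; use the same placeholder convention the other custom role definitions on this page use (for example `/subscriptions/<subscription-id>`). The prose correctly states that boot diagnostics must be enabled on the VM; consider also stating that without it the permission is granted but the check silently finds nothing, so the "no warning is shown" outcome has two possible causes.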
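Review bot: in the google-cloud.md hunk at `@@ -91,6 +91,10 @@` (patch 1/7), the new paragraph omits the sentence the AWS and Azure variants carry, "If the pre-run script fails, Seqera surfaces the failure as a warning on the workflow", so a Google Cloud reader is told what is not shown without the permission but never where the warning appears when it is granted; add that sentence for parity. Since `compute.instances.getSerialPortOutput` reads whatever the startup script writes to the serial port for every instance in the project, the text could also remind custom-role authors that this is a read permission over potentially sensitive console output, not merely a status flag.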
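Review bot: in the aws-batch.md hunk at `@@ -586,9 +586,9 @@` (patch 2/7) and its three parallel hunks, "pre-run script" is renamed to "userdata script" on all four provider pages. Confirm the new term matches the label a reader sees on the compute environment form, and note that "userdata" is AWS vocabulary: on the Azure page the same bootstrap mechanism is what Azure calls custom data, and on Compute Engine it is the startup script, so a short parenthetical on those two pages would help readers who cross-reference the provider documentation.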
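Review bot: in the google-cloud.md hunk at `@@ -93,7 +93,7 @@` (patch 3/7), the suggestion adds a comma ("are not detected, and no warning is shown") and shortens "ensure it includes" to "include", but patches 4/7 to 6/7 leave the AWS and Azure sentences as "are not detected and no warning is shown"; apply one punctuation choice across the four pages since the sentence is otherwise identical.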
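Review bot: in the aws-cloud.md hunk at `@@ -305,7 +305,7 @@` (patch 5/7) and the sibling hunks in patches 4/7, 6/7 and 7/7, "Seqera" becomes "Platform" inside the new paragraph only, while the hunk's own context line still reads "The following permissions enable Seqera to populate values for dropdown fields", so each page now mixes both names for the product. If the rename reflects a style guide decision, a follow-up should apply it to the surrounding text; if not, the new paragraph should keep the page's existing term.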