seqeralabs · munishchouhan · May 5, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md
@@ -262,6 +262,14 @@ A permissive and broad policy with all the required permissions is provided here
         "secretsmanager:CreateSecret"
       ],
       "Resource": "arn:aws:secretsmanager:*:*:secret:tower-*"
+    },
+    {
+      "Sid": "OptionalUserdataCheck",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:GetConsoleOutput"
+      ],
+      "Resource": "*"
     }
   ]
 }
@@ -578,6 +586,21 @@ The listing of secrets cannot be restricted, but the management actions can be r
 
 To successfully use pipeline secrets, the IAM roles manually created must follow the steps detailed in the [documentation](../secrets/overview#aws-secrets-manager-integration).
 
+### Userdata script error detection (optional)
+
+Platform can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown.
+
+```json
+{
+  "Sid": "OptionalUserdataCheck",
+  "Effect": "Allow",
+  "Action": [
+    "ec2:GetConsoleOutput"
+  ],
+  "Resource": "*"
+}
+```
+
 ## Create the IAM policy
 
 The policy above must be created in the AWS account where the AWS Batch resources need to be created.

diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -157,6 +157,14 @@ A permissive and broad policy with all the required permissions is provided here
         "s3:ListAllMyBuckets"
       ],
       "Resource": "*"
+    },
+    {
+      "Sid": "AwsCloudUserdataCheck",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:GetConsoleOutput"
+      ],
+      "Resource": "*"
     }
   ]
 }
@@ -295,6 +303,21 @@ The following permissions enable Seqera to populate values for dropdown fields.
 }
 ```
 
+### Userdata script error detection (optional)
+
+Platform can retrieve the EC2 instance console output to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown.
+
+```json
+{
+  "Sid": "AwsCloudUserdataCheck",
+  "Effect": "Allow",
+  "Action": [
+    "ec2:GetConsoleOutput"
+  ],
+  "Resource": "*"
+}
+```
+
 ## Create the IAM policy
 
 The policy above must be created in the AWS account where the AWS Batch resources need to be created.

diff --git a/platform-cloud/docs/compute-envs/azure-cloud.md b/platform-cloud/docs/compute-envs/azure-cloud.md
@@ -134,6 +134,8 @@ For granular control over the permissions granted to Seqera, use [Azure custom r
                     "Microsoft.OperationalInsights/workspaces/query/read",
                     "Microsoft.OperationalInsights/workspaces/query/Tables.Custom/read",
 
+                    "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action",
+
                     "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                     "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
                 ],
@@ -285,6 +287,34 @@ The following permissions are required to fetch logs for the pipeline execution
 }
 ```
 
+#### Userdata script error detection (optional)
+
+Platform can retrieve the serial console output of the Azure VM to detect errors in the userdata script that bootstraps the VM during instance startup. If the userdata script fails, Platform surfaces the failure as a warning on the workflow. Without this permission, userdata script failures are not detected and no warning is shown.
+
+This requires [boot diagnostics](https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics) to be enabled on the VM and the following permission on the service principal:
+
+```json
+{
+    "properties": {
+        "roleName": "seqera-azure-cloud-userdata-check",
+        "description": "Role to retrieve boot diagnostics for pre-run script error detection",
+        "assignableScopes": [
+            "/subscriptions/<SUBSCRIPTION-ID>"
+        ],
+        "permissions": [
+            {
+                "actions": [
+                    "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action"
+                ],
+                "notActions": [],
+                "dataActions": [],
+                "notDataActions": []
+            }
+        ]
+    }
+}
+```
+
 #### Data-links
 
 The following permissions are required to work with [Data Explorer](../data/data-explorer) data-links on Azure:

diff --git a/platform-cloud/docs/compute-envs/google-cloud.md b/platform-cloud/docs/compute-envs/google-cloud.md
@@ -91,6 +91,10 @@ To create and launch pipelines or Studio sessions with this compute environment
 
 If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal [on each bucket individually](https://docs.seqera.io/platform-cloud/compute-envs/google-cloud-batch#cloud-storage-bucket). For each Google Cloud compute environment created in the Seqera platform, a separate service account is created with the necessary permissions to launch pipelines/studios.
 
+#### Userdata script error detection (optional)
+
+Platform can retrieve the serial port output of the Compute Engine instance to detect errors in the userdata script that bootstraps the VM during instance startup. This capability is included in the `roles/compute.instanceAdmin.v1` role listed above. If you use a custom role instead, include the `compute.instances.getSerialPortOutput` permission. Without this permission, userdata script failures are not detected, and no warning is shown.
+
 ## Advanced options
 
 - **Use an ARM64 architecture instance**: Select this option to enable an ARM architecture instance to be created for your compute workload. This option defaults to using a [C4A machine series](https://cloud.google.com/compute/docs/general-purpose-machines#c4a_series) VM with Google's ARM-based Axion™ processor.