From c22cfb42a82e764a3ff5f4659a31023d536b28ec Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 5 May 2026 11:00:27 +0200 Subject: [PATCH 1/5] Enhance authentication methods section for Google Cloud Added details on Workload Identity Federation as an authentication method and updated service account key instructions. Signed-off-by: Justine Geffen --- .../docs/compute-envs/google-cloud-batch.md | 37 +++++++++++++++++-- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index 55bb9f856..aae1d9ff2 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md 
@@ -75,14 +75,20 @@ Ask your Google Cloud administrator to grant you the following IAM user permissi - Service Account User (`roles/iam.serviceAccountUser`) on the job's service account (default: Compute Engine service account) - View Service Accounts (`roles/iam.serviceAccountViewer`) on the project -To configure a credential in Seqera, you must first create a [service account JSON key file][get-json]: +#### Authentication methods + +Seqera supports two methods for authenticating with Google Cloud: + +**Service account keys** + +To authenticate using a service account key, create a [service account JSON key file](https://cloud.google.com/iam/docs/keys-list-get#get-key): 1. In the Google Cloud navigation menu, select **IAM & Admin > Service Accounts**. 2. Select the email address of the service account. - :::note - The Compute Engine default service account is not recommended for production environments due to its powerful permissions. To use a service account other than the Compute Engine default, specify the service account email address under **Advanced options** on the Seqera compute environment creation form. - ::: + :::note + The Compute Engine default service account is not recommended for production environments due to its powerful permissions. To use a service account other than the Compute Engine default, specify the service account email address under **Advanced options** on the Seqera compute environment creation form. + ::: 3. Select **Keys > Add key > Create new key**. 4. Select **JSON** as the key type. 
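Review bot: the `[service account JSON key file][get-json]` reference-style link is swapped for an inline URL here, but the diffstat (4 deletions: the old intro line plus the three re-indented note lines) shows the `[get-json]: ...` link definition is not removed, so it is left orphaned wherever it is defined; either keep using `[get-json]` or delete the definition in the same change. The re-indented `:::note` block is a whitespace-only change and could be dropped so the hunk stays focused on the new **Authentication methods** heading and the two-method intro.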
@@ -92,6 +98,29 @@ A JSON file is downloaded to your computer. This file contains the credential ne You can manage your key from the **Service Accounts** page. +**Workload Identity Federation** + +Workload Identity Federation (WIF) is the recommended authentication method for production and regulated environments because it eliminates the need for long-lived service account keys. WIF uses short-lived OIDC tokens for authentication, which are generated by Seqera Platform. This requires the following steps in the GCP Console: + +1. Create a [Workload Identity Pool and Provider](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers) in your Google Cloud project. +2. Set Seqera as an OIDC provider within the pool. Set the Issuer URL to `https://cloud.seqera.io/api`. +3. Set the **Allowed audiences**. If left empty, GCP derives a default audience from the provider resource path in the format `//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIden + tityPools/{POOL}/providers/{PROVIDER}`. If you specify a custom value, it must match exactly what you enter in the Token audience field when creating the Google WIF credential in Seqera. +4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions) +5. Grant `roles/iam.workloadIdentityUser` on the service account created above to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. + +WIF requires an OIDC signing key and this is automatically configured. + +After setting up WIF in Google Cloud, you need the following information to create a credential in Seqera: + +* **Service Account Email**: The email address of the Google Cloud service account that WIF will impersonate. 
+* **Workload Identity Provider**: The full resource path of the Workload Identity Provider (e.g., `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`). +* **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value. Ensure this matches what you have configured in the **Allowed Audiences** value in the GCP console + +:::caution +If WIF authentication fails, verify that the Workload Identity Provider path is correctly formatted, the service account has the required permissions, and the Kubernetes service account is properly annotated for your deployment environment. Check your Seqera Platform logs for specific error details. A `400` error typically indicates an invalid provider format, while a `401` error indicates a token exchange failure. +::: + ### Cloud Storage bucket Google Cloud Storage is a type of **object storage**. To access files and store the results for your pipelines, create a **Cloud bucket** that your Seqera service account can access. From 0bdbcce8091cd8e16549192882a7405084238bd5 Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 5 May 2026 11:01:39 +0200 Subject: [PATCH 2/5] Apply suggestion from @justinegeffen Signed-off-by: Justine Geffen --- platform-cloud/docs/compute-envs/google-cloud-batch.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index aae1d9ff2..b9abc002f 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md 
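Review bot: in step 3 of the added WIF procedure, the inline code for the default audience is broken across a line (`workloadIden` followed by `tityPools` on the next line), so it renders as `workloadIden tityPools` and cannot be copied; put `//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}` on a single line. The same step uses `{PROJECT}`/`{POOL}`/`{PROVIDER}` placeholders while the **Workload Identity Provider** bullet uses `PROJECT_NUMBER`/`POOL_ID`/`PROVIDER_ID`; pick one convention (the bullet's form has the advantage of making clear that the project number, not the project ID, is expected). Step 4 ends without a full stop after the `[here](...)` link, and the `:::caution` block tells the reader to check that a Kubernetes service account is annotated, which does not apply to a credential whose OIDC token is generated by Seqera Platform rather than by a cluster.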
@@ -115,7 +115,7 @@ After setting up WIF in Google Cloud, you need the following information to crea * **Service Account Email**: The email address of the Google Cloud service account that WIF will impersonate. * **Workload Identity Provider**: The full resource path of the Workload Identity Provider (e.g., `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`). -* **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value. Ensure this matches what you have configured in the **Allowed Audiences** value in the GCP console +* **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value. Ensure this matches what you have configured in the **Allowed Audiences** value in the GCP console. :::caution If WIF authentication fails, verify that the Workload Identity Provider path is correctly formatted, the service account has the required permissions, and the Kubernetes service account is properly annotated for your deployment environment. Check your Seqera Platform logs for specific error details. A `400` error typically indicates an invalid provider format, while a `401` error indicates a token exchange failure. From 8e43847a94a120537d383545d5b5dfc939da830f Mon Sep 17 00:00:00 2001 From: MichaelTansiniSeqera Date: Tue, 5 May 2026 10:31:04 +0100 Subject: [PATCH 3/5] Update google-cloud-batch.md clarified wording Signed-off-by: MichaelTansiniSeqera --- .../docs/compute-envs/google-cloud-batch.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index b9abc002f..dd98bb75f 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md 
@@ -100,7 +100,9 @@ You can manage your key from the **Service Accounts** page. **Workload Identity Federation** -Workload Identity Federation (WIF) is the recommended authentication method for production and regulated environments because it eliminates the need for long-lived service account keys. WIF uses short-lived OIDC tokens for authentication, which are generated by Seqera Platform. This requires the following steps in the GCP Console: +Workload Identity Federation (WIF) is the recommended authentication method for production and regulated environments because it eliminates the need for long-lived service account keys. WIF uses short-lived OIDC tokens for authentication, which are generated by Seqera Platform. + +This requires the following steps in the GCP Console: 1. Create a [Workload Identity Pool and Provider](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers) in your Google Cloud project. 2. Set Seqera as an OIDC provider within the pool. Set the Issuer URL to `https://cloud.seqera.io/api`. 
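Review bot: after this split, the new paragraph opens with "This requires the following steps in the GCP Console:" and "This" no longer has a clear antecedent once it is separated from the sentence about token generation; "Configuring WIF requires the following steps in the GCP Console:" reads unambiguously.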
@@ -109,13 +111,11 @@ Workload Identity Federation (WIF) is the recommended authentication method for 4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions) 5. Grant `roles/iam.workloadIdentityUser` on the service account created above to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. -WIF requires an OIDC signing key and this is automatically configured. - -After setting up WIF in Google Cloud, you need the following information to create a credential in Seqera: +After setting up WIF in the GCP Console, you need the following information to create a credential in Seqera Platform: -* **Service Account Email**: The email address of the Google Cloud service account that WIF will impersonate. -* **Workload Identity Provider**: The full resource path of the Workload Identity Provider (e.g., `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`). -* **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value. Ensure this matches what you have configured in the **Allowed Audiences** value in the GCP console. +1. **Service Account Email**: The email address of the Google Cloud service account that WIF will impersonate. +2. **Workload Identity Provider**: The full resource path of the Workload Identity Provider (e.g., `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`). +3. **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value. 
Ensure this matches what you have configured in the **Allowed Audiences** value in the GCP console. :::caution If WIF authentication fails, verify that the Workload Identity Provider path is correctly formatted, the service account has the required permissions, and the Kubernetes service account is properly annotated for your deployment environment. Check your Seqera Platform logs for specific error details. A `400` error typically indicates an invalid provider format, while a `401` error indicates a token exchange failure. From eec9dc699c0a0af4e2eadfad55f10d4a5117d123 Mon Sep 17 00:00:00 2001 From: MichaelTansiniSeqera Date: Tue, 5 May 2026 13:24:34 +0100 Subject: [PATCH 4/5] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jon Martí Signed-off-by: MichaelTansiniSeqera --- platform-cloud/docs/compute-envs/google-cloud-batch.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index dd98bb75f..df64dad09 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md 
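Review bot: the three credential fields (**Service Account Email**, **Workload Identity Provider**, **Token Audience**) are independent form inputs rather than ordered steps, so changing them from bullets to a numbered list implies a sequence that does not exist and makes them read as a continuation of the five-step GCP procedure above; keep them as bullets. Removing "WIF requires an OIDC signing key and this is automatically configured." also drops the only statement that no key material has to be handled by the user, which is the reason the section gives for recommending WIF; a short sentence saying the signing key is managed by Seqera Platform is worth keeping if that is accurate.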
@@ -118,7 +118,12 @@ After setting up WIF in the GCP Console, you need the following information to c 3. **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value. Ensure this matches what you have configured in the **Allowed Audiences** value in the GCP console. :::caution -If WIF authentication fails, verify that the Workload Identity Provider path is correctly formatted, the service account has the required permissions, and the Kubernetes service account is properly annotated for your deployment environment. Check your Seqera Platform logs for specific error details. A `400` error typically indicates an invalid provider format, while a `401` error indicates a token exchange failure. +If WIF authentication fails at runtime, verify that: + +- The service account has the required roles (see [Service account permissions](#service-account-permissions)) +- The Workload Identity Pool principal has `roles/iam.workloadIdentityUser` on the service account +- The Issuer URL configured in the WIF provider matches Platform's URL +- The Token Audience in the credential (if set) matches the Allowed Audiences in the WIF provider ::: ### Cloud Storage bucket From 54acb67aeb80bdd899104ea2c764eb5b13b7345f Mon Sep 17 00:00:00 2001 From: MichaelTansiniSeqera Date: Tue, 5 May 2026 13:25:56 +0100 Subject: [PATCH 5/5] Update google-cloud-batch.md committed Jon's changes Signed-off-by: MichaelTansiniSeqera --- platform-cloud/docs/compute-envs/google-cloud-batch.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index df64dad09..a36cf5780 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md 
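Review bot: the new checklist says the Issuer URL must match "Platform's URL", while step 2 of the procedure says to set it to `https://cloud.seqera.io/api`; state the exact expected value in both places so they cannot be read as two different things. The checklist also omits the attribute mapping from step 4 (`google.subject=assertion.sub`), which the procedure lists as a minimum requirement, and it drops the `400`/`401` distinction from the replaced text, which was the one concrete diagnostic hint for telling a malformed provider path from a failed token exchange; consider keeping that line. The `#service-account-permissions` anchor should be verified against the actual heading slug, since that heading is not visible in this diff.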
@@ -109,7 +109,7 @@ This requires the following steps in the GCP Console: 3. Set the **Allowed audiences**. If left empty, GCP derives a default audience from the provider resource path in the format `//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIden tityPools/{POOL}/providers/{PROVIDER}`. If you specify a custom value, it must match exactly what you enter in the Token audience field when creating the Google WIF credential in Seqera. 4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions) -5. Grant `roles/iam.workloadIdentityUser` on the service account created above to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. +5. Grant `roles/iam.workloadIdentityUser` on the service account that WIF will impersonate to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. If you have not yet created a service account do so following the guidelines above. After setting up WIF in the GCP Console, you need the following information to create a credential in Seqera Platform:
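Review bot: step 5 still says the grant "can be set for all pool identities or for a specific workspace" without showing the principal form for either option or recommending one; with the `google.subject=assertion.sub` mapping from step 4, granting `roles/iam.workloadIdentityUser` to all pool identities lets any subject the issuer emits impersonate the service account, so the doc should show the workspace-scoped principal and present the pool-wide grant as the less restrictive choice. The appended sentence needs a comma ("If you have not yet created a service account, do so following the guidelines above."), and "the guidelines above" would be clearer as a link to the section that describes creating the service account.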