diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index 435ebf3e4..ae487cd2f 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -711,12 +711,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. -- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Seqera Platform generates the `External ID` value during credential creation. - -In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. 
@@ -746,9 +744,15 @@ Depending on the provided configuration in the UI, Seqera might also create IAM You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview). ::: 1. Enter a name, e.g., _AWS Credentials_. -1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. -1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -980,9 +984,15 @@ AWS Batch creates resources that you may be charged for in your AWS account. See You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview). ::: 1. Enter a name, e.g., _AWS Credentials_. -1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. -1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 171d1067e..ecf633381 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -419,12 +419,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. -- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Seqera Platform generates the `External ID` value during credential creation. - -In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index 3726b7e99..bc518a7a0 100644 --- a/platform-cloud/docs/compute-envs/eks.md 
+++ b/platform-cloud/docs/compute-envs/eks.md @@ -270,12 +270,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. -- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Seqera Platform generates the `External ID` value during credential creation. - -In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. 
@@ -411,9 +409,15 @@ Once all prerequisites are met, create a Seqera EKS compute environment: ::: 1. Enter a name, e.g., `EKS Credentials`. -1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section. -1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** obtained from the AWS IAM console. + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. 
diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index 35b9b4468..bbdc6c75e 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md @@ -707,6 +707,12 @@ For role-based AWS credentials in Enterprise, use the AWS IAM role configured in } ``` +:::info +In Seqera Enterprise, a jump role is optional. If you configure one, use your own jump role ARN as the trusted principal in the trust policy. + +The **Assume role** value in the credential form is the customer IAM role ARN in your AWS account. It is separate from any optional jump role configuration. +::: + :::info To use role-based access with no External ID, set `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` in your deployment [configuration](../enterprise/configuration/overview#compute-environments). Then create AWS credentials using an IAM role ARN only (no access key, secret key, or External ID), and remove the entire `Condition` block for `sts:ExternalId` from your trust policy. 
@@ -716,12 +722,10 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. -- **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. - -Seqera Platform generates the `External ID` value during credential creation. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. 
@@ -749,9 +753,15 @@ Depending on the provided configuration in the UI, Seqera might also create IAM You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview). ::: 1. Enter a name, e.g., _AWS Credentials_. -1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. -1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -983,9 +993,15 @@ AWS Batch creates resources that you may be charged for in your AWS account. See You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview). ::: 1. Enter a name, e.g., _AWS Credentials_. -1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. -1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 73d5bf4d2..42a12402c 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md @@ -52,12 +52,10 @@ To create and launch pipelines or Studio sessions with this compute environment AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. -- **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Seqera Platform generates the `External ID` value during credential creation. - -In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. 
@@ -92,6 +90,12 @@ For role-based AWS credentials in Enterprise, use the AWS IAM role configured in } ``` +:::info +In Seqera Enterprise, a jump role is optional. If you configure one, use your own jump role ARN as the trusted principal in the trust policy. + +The **Assume role** value in the credential form is the customer IAM role ARN in your AWS account. It is separate from any optional jump role configuration. +::: + :::info To use role-based access with no External ID, set `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` in your deployment [configuration](../enterprise/configuration/overview#compute-environments). Then create AWS credentials using an IAM role ARN only (no access key, secret key, or External ID), and remove the entire `Condition` block for `sts:ExternalId` from your trust policy. diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index fc816065b..a07458c4d 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md @@ -266,6 +266,12 @@ For role-based AWS credentials in Enterprise, use the AWS IAM role configured in } ``` +:::info +In Seqera Enterprise, a jump role is optional. If you configure one, use your own jump role ARN as the trusted principal in the trust policy. + +The **Assume role** value in the credential form is the customer IAM role ARN in your AWS account. It is separate from any optional jump role configuration. +::: + :::info To use role-based access with no External ID, set `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` in your deployment [configuration](../enterprise/configuration/overview#compute-environments). Then create AWS credentials using an IAM role ARN only (no access key, secret key, or External ID), and remove the entire `Condition` block for `sts:ExternalId` from your trust policy. 
@@ -275,12 +281,10 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. -- **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. - -Seqera Platform generates the `External ID` value during credential creation. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. 
@@ -416,9 +420,15 @@ Once all prerequisites are met, create a Seqera EKS compute environment: ::: 1. Enter a name, e.g., `EKS Credentials`. -1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section. -1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** obtained from the AWS IAM console. + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
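Review bot: The three platform-cloud summary hunks (aws-batch.md @@ -711, aws-cloud.md @@ -419, eks.md @@ -270) remove the instruction to paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` into **Assume role** without saying where that ARN belongs now. The Enterprise hunks in this patch add an info block stating that the **Assume role** value is the customer IAM role ARN in your AWS account; the Cloud pages need the same sentence. If, as the truncated hunk-header context suggests, the Seqera Cloud access role is the principal the trust policy allows, say so explicitly, otherwise readers who followed the earlier wording will keep pasting the Seqera role ARN into the form. The replacement paragraph also repeats the Role-based bullet almost word for word. Keep one of the two and reword it along the lines of "In **Assume role**, paste the ARN of the IAM role that Seqera assumes to access your AWS resources", so that "in **Assume role**" cannot be read as attaching to "resources".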
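Review bot: A step is missing after "shown after you save the credential" in the Keys-mode and Role-mode bullets of all six step-list hunks (aws-batch.md @@ -746 and @@ -980 in platform-cloud, @@ -749 and @@ -983 in platform-enterprise_docs, and both eks.md step hunks). The generated External ID only takes effect once it appears in the `sts:ExternalId` condition of the role's trust policy, and the steps end before telling the reader to copy it there. Add a bullet after the save step that links to the trust policy section. For Keys mode with **Generate External ID** switched off, also state that the trust policy must not carry an `sts:ExternalId` condition, since the new text calls generation optional without describing that case. The unchanged `:::note` that follows still describes only the key-based flow, so it should gain a sentence on which principal assumes the role in **Role** mode.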
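Review bot: The two eks.md step-list hunks (platform-cloud @@ -411, platform-enterprise_docs @@ -416) lose both cross-references in the Keys-mode bullets. The removed lines linked `[IAM user](#obtain-iam-user-credentials)` and `[IAM role](#iam-role-creation-optional)` and noted that the IAM user carries the Service Account role from the requirements section. The new bullets say only "obtained from the AWS IAM console" and "the IAM role ARN", while the aws-batch.md hunks keep their `#obtain-iam-user-credentials` link. Restore both links, and keep the Service Account role sentence if that requirement still applies to EKS.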
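Review bot: "Jump role" is used without a definition or a link in the new `:::info` block added by the three Enterprise hunks (aws-batch.md @@ -707, aws-cloud.md @@ -92, eks.md @@ -266). The block also covers only the configured case: "If you configure one, use your own jump role ARN as the trusted principal" leaves the reader without a principal to put in the trust policy when no jump role is set up. Define the term on first use or link to where it is configured, and add the principal for the no-jump-role case. Two consecutive `:::info` admonitions also read as one wall of callouts, so consider merging this one with the `TOWER_ALLOW_INSTANCE_CREDENTIALS` block that follows it, or moving the **Assume role** sentence into the body text.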
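Review bot: The Role-based bullet in the Enterprise summary hunks (aws-batch.md @@ -716, aws-cloud.md @@ -52, eks.md @@ -275) now says "External ID is generated automatically when you save", which conflicts with the info block just above it describing role-based credentials with no External ID when `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` is set. The removed line said External ID was "mandatory" for role-based credentials, and the new wording no longer states whether that still holds. Say explicitly that External ID is required in **Role** mode except in the instance-credentials configuration, and point to that info block from the bullet. The closing sentence that the `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` behavior "remains unchanged" does not resolve this for someone who reads only the bullet list.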