From cca89959a50143f4d6e645f1b3b55ceef5514e91 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Mar 2026 12:33:43 +0200 Subject: [PATCH 1/6] docs(cloud): align aws role mode and external id steps with ui --- platform-cloud/docs/compute-envs/aws-batch.md | 18 ++++++++++-------- platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++-- platform-cloud/docs/compute-envs/eks.md | 11 ++++++----- 3 files changed, 18 insertions(+), 15 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index 435ebf3e4..3fa18d760 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -711,10 +711,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. +- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. - **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. -Seqera Platform generates the `External ID` value during credential creation. +In **Role** mode, Seqera Platform generates the `External ID` value during credential creation. In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. 
@@ -746,9 +746,10 @@ Depending on the provided configuration in the UI, Seqera might also create IAM You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview). ::: 1. Enter a name, e.g., _AWS Credentials_. -1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. -1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. +1. For **Role** mode, provide the IAM role ARN in **Assume role**. +1. **External ID Auto-Generation**: An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -980,9 +981,10 @@ AWS Batch creates resources that you may be charged for in your AWS account. See You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview). ::: 1. Enter a name, e.g., _AWS Credentials_. -1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. -1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. +1. For **Role** mode, provide the IAM role ARN in **Assume role**. +1. **External ID Auto-Generation**: An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 171d1067e..8e4a5f569 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -419,10 +419,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. +- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. - **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. -Seqera Platform generates the `External ID` value during credential creation. +In **Role** mode, Seqera Platform generates the `External ID` value during credential creation. In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index 3726b7e99..a143aeba7 100644 --- a/platform-cloud/docs/compute-envs/eks.md +++ b/platform-cloud/docs/compute-envs/eks.md 
@@ -270,10 +270,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. +- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. - **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. -Seqera Platform generates the `External ID` value during credential creation. +In **Role** mode, Seqera Platform generates the `External ID` value during credential creation. In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. 
@@ -411,9 +411,10 @@ Once all prerequisites are met, create a Seqera EKS compute environment: ::: 1. Enter a name, e.g., `EKS Credentials`. -1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section. -1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode, add the **Access key** and **Secret key** obtained from the AWS IAM console. **Assume role** is optional. +1. For **Role** mode, provide the IAM role ARN in **Assume role**. +1. **External ID Auto-Generation**: An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. From ea524deb4d9e52b8b4381bcf979dedbb12a47f52 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Mar 2026 12:54:39 +0200 Subject: [PATCH 2/6] Apply suggestions from code review 
Signed-off-by: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> --- platform-cloud/docs/compute-envs/aws-batch.md | 4 ++-- platform-cloud/docs/compute-envs/eks.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index 3fa18d760..c641e2728 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md @@ -749,7 +749,7 @@ Depending on the provided configuration in the UI, Seqera might also create IAM 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. 1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation**: An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. +1. **External ID Auto-Generation**: An External ID will be automatically generated when you save **Role** credentials. Copy this value and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -984,7 +984,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. 1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation**: An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. +1. **External ID Auto-Generation**: An External ID will be automatically generated when you save **Role** credentials. Copy this value and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index a143aeba7..b82247398 100644 --- a/platform-cloud/docs/compute-envs/eks.md +++ b/platform-cloud/docs/compute-envs/eks.md 
@@ -414,7 +414,7 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode, add the **Access key** and **Secret key** obtained from the AWS IAM console. **Assume role** is optional. 1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation**: An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. +1. **External ID Auto-Generation**: An External ID will be automatically generated when you save **Role** credentials. Copy this value and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. From 9fbb13486a3d21184110f700fffcfb05c979b3a5 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Mar 2026 13:29:56 +0200 Subject: [PATCH 3/6] docs(enterprise): align aws external id ui behavior with cloud --- .../compute-envs/aws-batch.md | 18 ++++++++++-------- .../compute-envs/aws-cloud.md | 4 ++-- platform-enterprise_docs/compute-envs/eks.md | 11 ++++++----- 3 files changed, 18 insertions(+), 15 deletions(-) diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index 35b9b4468..37373c0c6 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md 
@@ -716,10 +716,10 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. +- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. - **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. -Seqera Platform generates the `External ID` value during credential creation. +When an IAM role ARN is set in **Assume role** (for key-based or role-based credentials), Seqera displays **External ID Auto-Generation** and generates an External ID when you save the credential. In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. 
@@ -749,9 +749,10 @@ Depending on the provided configuration in the UI, Seqera might also create IAM You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview). ::: 1. Enter a name, e.g., _AWS Credentials_. -1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. -1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. +1. For **Role** mode, provide the IAM role ARN in **Assume role**. +1. **External ID Auto-Generation** appears when an IAM role ARN is set in **Assume role**. An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -983,9 +984,10 @@ AWS Batch creates resources that you may be charged for in your AWS account. See You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview). ::: 1. Enter a name, e.g., _AWS Credentials_. -1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user. -1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. +1. For **Role** mode, provide the IAM role ARN in **Assume role**. +1. **External ID Auto-Generation** appears when an IAM role ARN is set in **Assume role**. An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 73d5bf4d2..accd70031 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -52,10 +52,10 @@ To create and launch pipelines or Studio sessions with this compute environment AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. +- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. - **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. -Seqera Platform generates the `External ID` value during credential creation. +When an IAM role ARN is set in **Assume role** (for key-based or role-based credentials), Seqera displays **External ID Auto-Generation** and generates an External ID when you save the credential. In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index fc816065b..e103afc9b 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md 
@@ -275,10 +275,10 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional. +- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. - **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. -Seqera Platform generates the `External ID` value during credential creation. +When an IAM role ARN is set in **Assume role** (for key-based or role-based credentials), Seqera displays **External ID Auto-Generation** and generates an External ID when you save the credential. In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. 
@@ -416,9 +416,10 @@ Once all prerequisites are met, create a Seqera EKS compute environment: ::: 1. Enter a name, e.g., `EKS Credentials`. -1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section. -1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources. -1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials. +1. Under **AWS credential mode**, select **Keys** or **Role**. +1. For **Keys** mode, add the **Access key** and **Secret key** obtained from the AWS IAM console. **Assume role** is optional. +1. For **Role** mode, provide the IAM role ARN in **Assume role**. +1. **External ID Auto-Generation** appears when an IAM role ARN is set in **Assume role**. An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. From 044ecf40ef1977b38073d9b046de7cedeb74bc43 Mon Sep 17 00:00:00 2001 
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Mar 2026 14:42:20 +0200 Subject: [PATCH 4/6] docs(aws): refine mode-specific external id wording --- platform-cloud/docs/compute-envs/aws-batch.md | 30 ++++++++++++------- platform-cloud/docs/compute-envs/aws-cloud.md | 8 ++--- platform-cloud/docs/compute-envs/eks.md | 19 +++++++----- .../compute-envs/aws-batch.md | 30 ++++++++++++------- .../compute-envs/aws-cloud.md | 8 ++--- platform-enterprise_docs/compute-envs/eks.md | 19 +++++++----- 6 files changed, 66 insertions(+), 48 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index c641e2728..96214bc1e 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md 
@@ -711,12 +711,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. -- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. External ID is generated automatically when you save. -In **Role** mode, Seqera Platform generates the `External ID` value during credential creation. - -In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role** for both key-based credentials (optional) and role-based credentials (required). Existing credentials created before March 2026 continue to work without changes. 
@@ -747,9 +745,14 @@ Depending on the provided configuration in the UI, Seqera might also create IAM ::: 1. Enter a name, e.g., _AWS Credentials_. 1. Under **AWS credential mode**, select **Keys** or **Role**. -1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. -1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation**: An External ID will be automatically generated when you save **Role** credentials. Copy this value and configure your AWS IAM role's trust policy accordingly. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). + - Optionally paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
@@ -982,9 +985,14 @@ AWS Batch creates resources that you may be charged for in your AWS account. See ::: 1. Enter a name, e.g., _AWS Credentials_. 1. Under **AWS credential mode**, select **Keys** or **Role**. -1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. -1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation**: An External ID will be automatically generated when you save **Role** credentials. Copy this value and configure your AWS IAM role's trust policy accordingly. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). + - Optionally paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index 8e4a5f569..e201a1b38 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md 
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md @@ -419,12 +419,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. -- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. External ID is generated automatically when you save. -In **Role** mode, Seqera Platform generates the `External ID` value during credential creation. - -In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role** for both key-based credentials (optional) and role-based credentials (required). Existing credentials created before March 2026 continue to work without changes. diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index b82247398..b000df814 100644 --- a/platform-cloud/docs/compute-envs/eks.md +++ b/platform-cloud/docs/compute-envs/eks.md 
@@ -270,12 +270,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. -- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. External ID is generated automatically when you save. -In **Role** mode, Seqera Platform generates the `External ID` value during credential creation. - -In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role** for both key-based credentials (optional) and role-based credentials (required). Existing credentials created before March 2026 continue to work without changes. 
@@ -412,9 +410,14 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Enter a name, e.g., `EKS Credentials`. 1. Under **AWS credential mode**, select **Keys** or **Role**. -1. For **Keys** mode, add the **Access key** and **Secret key** obtained from the AWS IAM console. **Assume role** is optional. -1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation**: An External ID will be automatically generated when you save **Role** credentials. Copy this value and configure your AWS IAM role's trust policy accordingly. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** obtained from the AWS IAM console. + - Optionally paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index 37373c0c6..5aa5f8b65 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md 
+++ b/platform-enterprise_docs/compute-envs/aws-batch.md @@ -716,12 +716,10 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. -- **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste your deployment IAM role ARN in **Assume role**. External ID is generated automatically when you save. -When an IAM role ARN is set in **Assume role** (for key-based or role-based credentials), Seqera displays **External ID Auto-Generation** and generates an External ID when you save the credential. - -In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN configured in your deployment in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. 
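Review bot: "your deployment IAM role ARN" in the added role-based bullet, and "the IAM role ARN configured in your deployment" in the replacement paragraph, are ambiguous: both can be read as the role attached to the Seqera deployment itself rather than the role Seqera assumes to reach AWS resources. The removed line ("the IAM role ARN which Seqera must use for accessing AWS resources") did not have that problem. Suggest keeping that wording in both places.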
@@ -750,9 +748,14 @@ Depending on the provided configuration in the UI, Seqera might also create IAM ::: 1. Enter a name, e.g., _AWS Credentials_. 1. Under **AWS credential mode**, select **Keys** or **Role**. -1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. -1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation** appears when an IAM role ARN is set in **Assume role**. An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). + - Optionally paste your deployment IAM role ARN in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste your deployment IAM role ARN in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: 
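Review bot: The replacement sub-bullets under **Keys** and **Role** mode drop the follow-up action that the removed step carried: "You'll be able to copy it and configure your AWS IAM role's trust policy accordingly." The new text only says the External ID is generated and shown after saving, so the reader is never told to put it into the role's trust policy. Suggest a closing sub-bullet in both modes, for example "Copy the External ID and set it as the `sts:ExternalId` condition in the role's trust policy."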
@@ -985,9 +988,14 @@ AWS Batch creates resources that you may be charged for in your AWS account. See ::: 1. Enter a name, e.g., _AWS Credentials_. 1. Under **AWS credential mode**, select **Keys** or **Role**. -1. For **Keys** mode, add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). **Assume role** is optional. -1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation** appears when an IAM role ARN is set in **Assume role**. An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). + - Optionally paste your deployment IAM role ARN in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste your deployment IAM role ARN in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. ::: diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index accd70031..49afd2600 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md 
+++ b/platform-enterprise_docs/compute-envs/aws-cloud.md @@ -52,12 +52,10 @@ To create and launch pipelines or Studio sessions with this compute environment AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. -- **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste your deployment IAM role ARN in **Assume role**. External ID is generated automatically when you save. -When an IAM role ARN is set in **Assume role** (for key-based or role-based credentials), Seqera displays **External ID Auto-Generation** and generates an External ID when you save the credential. - -In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN configured in your deployment in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index e103afc9b..438c5b2d9 100644 --- a/platform-enterprise_docs/compute-envs/eks.md 
+++ b/platform-enterprise_docs/compute-envs/eks.md @@ -275,12 +275,10 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke AWS credentials can be configured in two ways: -- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. -- **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera. +- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste your deployment IAM role ARN in **Assume role**. External ID is generated automatically when you save. -When an IAM role ARN is set in **Assume role** (for key-based or role-based credentials), Seqera displays **External ID Auto-Generation** and generates an External ID when you save the credential. - -In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN configured in your deployment in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. 
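Review bot: The added **Key-based credentials** bullet says External ID generation is optional but gives no guidance on the consequence of either choice. The removed paragraph stated that an External ID is generated whenever a role ARN is set, for key-based or role-based credentials, so this is a behaviour change for readers, and a trust policy that requires `sts:ExternalId` will reject the assume-role call if the switch is left off. Suggest one sentence saying when leaving it off is appropriate and that the trust policy condition has to match the choice.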
@@ -417,9 +415,14 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Enter a name, e.g., `EKS Credentials`. 1. Under **AWS credential mode**, select **Keys** or **Role**. -1. For **Keys** mode, add the **Access key** and **Secret key** obtained from the AWS IAM console. **Assume role** is optional. -1. For **Role** mode, provide the IAM role ARN in **Assume role**. -1. **External ID Auto-Generation** appears when an IAM role ARN is set in **Assume role**. An External ID will be automatically generated when you save these credentials. You'll be able to copy it and configure your AWS IAM role's trust policy accordingly. +1. For **Keys** mode: + - Add the **Access key** and **Secret key** obtained from the AWS IAM console. + - Optionally paste your deployment IAM role ARN in **Assume role**. + - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. + - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. +1. For **Role** mode: + - Paste your deployment IAM role ARN in **Assume role**. + - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. From 7cac99c34eb58b639f9d94eda7f2a3f7c4a4b2bb Mon Sep 17 00:00:00 2001 
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Mar 2026 15:52:04 +0200 Subject: [PATCH 5/6] docs(aws): restore customer role ARN phrasing in assume role --- platform-cloud/docs/compute-envs/aws-batch.md | 12 ++++++------ platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++-- platform-cloud/docs/compute-envs/eks.md | 8 ++++---- platform-enterprise_docs/compute-envs/aws-batch.md | 12 ++++++------ platform-enterprise_docs/compute-envs/aws-cloud.md | 4 ++-- platform-enterprise_docs/compute-envs/eks.md | 8 ++++---- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/platform-cloud/docs/compute-envs/aws-batch.md b/platform-cloud/docs/compute-envs/aws-batch.md index 96214bc1e..ae487cd2f 100644 --- a/platform-cloud/docs/compute-envs/aws-batch.md +++ b/platform-cloud/docs/compute-envs/aws-batch.md 
@@ -712,9 +712,9 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: - **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. -- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. External ID is generated automatically when you save. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Use `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role** for both key-based credentials (optional) and role-based credentials (required). +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. 
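Review bot: After this change the role-based bullet and the paragraph directly below it open with almost the same sentence ("Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**" and "Use the IAM role ARN which Seqera must use ..."). Suggest dropping the first sentence of the paragraph and keeping only the part that is new there, namely that the field is optional for key-based and required for role-based credentials. "which Seqera must use for accessing" would also read better as "that Seqera uses to access".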
@@ -747,11 +747,11 @@ Depending on the provided configuration in the UI, Seqera might also create IAM 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode: - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). - - Optionally paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. 1. For **Role** mode: - - Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. 
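Review bot: With the literal ARN removed from the two **Assume role** sub-bullets, the steps no longer tell the reader where this role comes from. The **Access key** sub-bullet in the same list links to `#obtain-iam-user-credentials`; suggest giving both **Assume role** sub-bullets an equivalent link to the section where the role and its trust policy are set up, so it is clear which ARN to paste.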
@@ -987,11 +987,11 @@ AWS Batch creates resources that you may be charged for in your AWS account. See 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode: - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). - - Optionally paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. 1. For **Role** mode: - - Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md index e201a1b38..ecf633381 100644 --- a/platform-cloud/docs/compute-envs/aws-cloud.md +++ b/platform-cloud/docs/compute-envs/aws-cloud.md 
@@ -420,9 +420,9 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: - **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. -- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. External ID is generated automatically when you save. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Use `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role** for both key-based credentials (optional) and role-based credentials (required). +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. diff --git a/platform-cloud/docs/compute-envs/eks.md b/platform-cloud/docs/compute-envs/eks.md index b000df814..bc518a7a0 100644 --- a/platform-cloud/docs/compute-envs/eks.md +++ b/platform-cloud/docs/compute-envs/eks.md 
@@ -271,9 +271,9 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro AWS credentials can be configured in two ways: - **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. -- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. External ID is generated automatically when you save. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Use `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role** for both key-based credentials (optional) and role-based credentials (required). +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. 
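Review bot: The two replacement lines here are the same text this patch also writes into `aws-batch.md` and `aws-cloud.md`, and the diffstat shows the edit repeated across six files. Patch 1/6 left the Cloud and Enterprise copies with different wording and this patch re-aligns them by hand. If the docs tooling supports shared partials, suggest moving the credential-mode bullets into one included snippet so the next UI change is a single edit.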
@@ -412,11 +412,11 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode: - Add the **Access key** and **Secret key** obtained from the AWS IAM console. - - Optionally paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. 1. For **Role** mode: - - Paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in **Assume role**. + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - External ID is generated automatically when you save the credential. :::note diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index 5aa5f8b65..1b3888de6 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md 
@@ -717,9 +717,9 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke AWS credentials can be configured in two ways: - **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. -- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste your deployment IAM role ARN in **Assume role**. External ID is generated automatically when you save. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Use the IAM role ARN configured in your deployment in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. 
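Review bot: The role-based bullet states unconditionally that "External ID is generated automatically when you save", but the hunk header context describes a role-only credential with no External ID, and the trailing context line says `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` behaviour is unchanged. For Enterprise readers on that configuration the bullet is wrong as written. Suggest qualifying it, for example "External ID is generated automatically when you save, unless `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` is set".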
@@ -750,11 +750,11 @@ Depending on the provided configuration in the UI, Seqera might also create IAM 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode: - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). - - Optionally paste your deployment IAM role ARN in **Assume role**. + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. 1. For **Role** mode: - - Paste your deployment IAM role ARN in **Assume role**. + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. 
@@ -990,11 +990,11 @@ AWS Batch creates resources that you may be charged for in your AWS account. See 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode: - Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials). - - Optionally paste your deployment IAM role ARN in **Assume role**. + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. 1. For **Role** mode: - - Paste your deployment IAM role ARN in **Assume role**. + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - External ID is generated automatically when you save the credential. :::note When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role. diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index 49afd2600..eeb36f1c0 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md 
@@ -53,9 +53,9 @@ To create and launch pipelines or Studio sessions with this compute environment AWS credentials can be configured in two ways: - **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. -- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste your deployment IAM role ARN in **Assume role**. External ID is generated automatically when you save. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Use the IAM role ARN configured in your deployment in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index 438c5b2d9..cdd85c40a 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md 
@@ -276,9 +276,9 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke AWS credentials can be configured in two ways: - **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional. -- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste your deployment IAM role ARN in **Assume role**. External ID is generated automatically when you save. +- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save. -Use the IAM role ARN configured in your deployment in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. +Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials. Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged. 
@@ -417,11 +417,11 @@ Once all prerequisites are met, create a Seqera EKS compute environment: 1. Under **AWS credential mode**, select **Keys** or **Role**. 1. For **Keys** mode: - Add the **Access key** and **Secret key** obtained from the AWS IAM console. - - Optionally paste your deployment IAM role ARN in **Assume role**. + - Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode. - If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential. 1. For **Role** mode: - - Paste your deployment IAM role ARN in **Assume role**. + - Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. - External ID is generated automatically when you save the credential. :::note From 3d0b17d1c0c758fa18dde3013694dba047937a44 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 13 Mar 2026 12:55:29 +0200 Subject: [PATCH 6/6] docs(enterprise): clarify optional jump role vs assume role arn --- platform-enterprise_docs/compute-envs/aws-batch.md | 6 ++++++ platform-enterprise_docs/compute-envs/aws-cloud.md | 6 ++++++ platform-enterprise_docs/compute-envs/eks.md | 6 ++++++ 3 files changed, 18 insertions(+) diff --git a/platform-enterprise_docs/compute-envs/aws-batch.md b/platform-enterprise_docs/compute-envs/aws-batch.md index 1b3888de6..bbdc6c75e 100644 --- a/platform-enterprise_docs/compute-envs/aws-batch.md +++ b/platform-enterprise_docs/compute-envs/aws-batch.md 
@@ -707,6 +707,12 @@ For role-based AWS credentials in Enterprise, use the AWS IAM role configured in } ``` +:::info +In Seqera Enterprise, a jump role is optional. If you configure one, use your own jump role ARN as the trusted principal in the trust policy. + +The **Assume role** value in the credential form is the customer IAM role ARN in your AWS account. It is separate from any optional jump role configuration. +::: + :::info To use role-based access with no External ID, set `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` in your deployment [configuration](../enterprise/configuration/overview#compute-environments). Then create AWS credentials using an IAM role ARN only (no access key, secret key, or External ID), and remove the entire `Condition` block for `sts:ExternalId` from your trust policy. diff --git a/platform-enterprise_docs/compute-envs/aws-cloud.md b/platform-enterprise_docs/compute-envs/aws-cloud.md index eeb36f1c0..42a12402c 100644 --- a/platform-enterprise_docs/compute-envs/aws-cloud.md +++ b/platform-enterprise_docs/compute-envs/aws-cloud.md @@ -90,6 +90,12 @@ For role-based AWS credentials in Enterprise, use the AWS IAM role configured in } ``` +:::info +In Seqera Enterprise, a jump role is optional. If you configure one, use your own jump role ARN as the trusted principal in the trust policy. + +The **Assume role** value in the credential form is the customer IAM role ARN in your AWS account. It is separate from any optional jump role configuration. +::: + :::info To use role-based access with no External ID, set `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` in your deployment [configuration](../enterprise/configuration/overview#compute-environments). Then create AWS credentials using an IAM role ARN only (no access key, secret key, or External ID), and remove the entire `Condition` block for `sts:ExternalId` from your trust policy. 
diff --git a/platform-enterprise_docs/compute-envs/eks.md b/platform-enterprise_docs/compute-envs/eks.md index cdd85c40a..a07458c4d 100644 --- a/platform-enterprise_docs/compute-envs/eks.md +++ b/platform-enterprise_docs/compute-envs/eks.md @@ -266,6 +266,12 @@ For role-based AWS credentials in Enterprise, use the AWS IAM role configured in } ``` +:::info +In Seqera Enterprise, a jump role is optional. If you configure one, use your own jump role ARN as the trusted principal in the trust policy. + +The **Assume role** value in the credential form is the customer IAM role ARN in your AWS account. It is separate from any optional jump role configuration. +::: + :::info To use role-based access with no External ID, set `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` in your deployment [configuration](../enterprise/configuration/overview#compute-environments). Then create AWS credentials using an IAM role ARN only (no access key, secret key, or External ID), and remove the entire `Condition` block for `sts:ExternalId` from your trust policy.
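Review bot: in the `@@ -276,9 +276,9 @@` hunk, the new phrase "the IAM role ARN which Seqera must use for accessing your AWS resources" appears word for word in both the **Role-based credentials** bullet and the paragraph directly below it, so the reader gets the same instruction twice within a few lines. Keep the full wording in the bullet and let the paragraph carry only what it adds (the field exists in both modes, optional for key-based and required for role-based credentials). The clause would also read more cleanly as "the ARN of the IAM role that Seqera assumes to access your AWS resources", which matches the **Assume role** field label.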
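Review bot: in the `@@ -417,11 +417,11 @@` hunk, the **Role** mode steps stop at "External ID is generated automatically when you save the credential." and the **Keys** mode steps stop at "shown after you save the credential", so nothing in the steps shown here tells the reader to put that value into the role's trust policy. The trust policy elsewhere in this series has a `Condition` block for `sts:ExternalId`, and a credential saved with a generated External ID depends on that condition matching. Suggest one more sub-bullet under each mode, for example "Copy the External ID and set it as the `sts:ExternalId` condition value in the role's trust policy", unless the `:::note` that follows already says so.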
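Review bot: in the `@@ -707,6 +707,12 @@` hunk for `aws-batch.md`, and in the identical blocks added to `aws-cloud.md` and `eks.md`, "jump role" is used with no definition or link, and "the trusted principal in the trust policy" does not say which role's trust policy is meant. Since the second paragraph exists to separate the jump role from the **Assume role** value, name the policy explicitly (the one attached to the role entered in **Assume role**, if that is the intent) and add a one-line definition of jump role or a link to where it is configured. The term "customer IAM role ARN" also differs from the wording introduced in patch 1/6 ("the IAM role ARN which Seqera must use for accessing your AWS resources"); pick one term for the series. The block is pasted three times and sits directly above another `:::info`, so consider a shared include, or merging the two admonitions, to keep the three files from drifting.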