32 changes: 21 additions & 11 deletions platform-cloud/docs/compute-envs/aws-batch.md
Expand Up @@ -711,12 +711,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional.
- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera.
- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional.
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save.
Suggested change
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save.
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically generated when you save.


Seqera Platform generates the `External ID` value during credential creation.

In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.
Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials created before March 2026 continue to work without changes.
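Review bot: The role-based bullet ends at "External ID is generated automatically when you save" and never says what the reader does with the value afterwards. Other hunks in this PR refer to an `sts:ExternalId` condition in the role's trust policy, so add a sentence here saying whether the generated External ID has to be copied into that condition once the credential is saved, and where in the form it can be read. The key-based bullet has the same gap for the case where **Generate External ID** is switched on.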

Expand Down Expand Up @@ -746,9 +744,15 @@ Depending on the provided configuration in the UI, Seqera might also create IAM
You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview).
:::
1. Enter a name, e.g., _AWS Credentials_.
1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user.
1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials.
1. Under **AWS credential mode**, select **Keys** or **Role**.
1. For **Keys** mode:
- Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials).
- Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode.
- If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential.
1. For **Role** mode:
- Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- External ID is generated automatically when you save the credential.
:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
:::
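Review bot: The `:::note` kept after these steps still covers only the key-based cases ("When using AWS keys without an assumed role" and "the IAM user keys are only used to retrieve temporary credentials"), while the list above it now has a **Role** mode in which no IAM user keys are entered. Scope the note to **Keys** mode by name, or add a sentence saying which identity assumes the role in **Role** mode.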
Expand Down Expand Up @@ -980,9 +984,15 @@ AWS Batch creates resources that you may be charged for in your AWS account. See
You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview).
:::
1. Enter a name, e.g., _AWS Credentials_.
1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user.
1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials.
1. Under **AWS credential mode**, select **Keys** or **Role**.
1. For **Keys** mode:
- Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials).
- Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode.
- If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential.
1. For **Role** mode:
- Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- External ID is generated automatically when you save the credential.
:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
:::
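Review bot: These steps, from "Under **AWS credential mode**" through the **Role** mode bullets, are word for word the block at @@ -746 in this same file, and the same text recurs in the other files of this PR. Hand-maintained copies drift the next time the form changes; consider one shared snippet included in each place, or at least a comment marking which copies must stay in sync.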
8 changes: 3 additions & 5 deletions platform-cloud/docs/compute-envs/aws-cloud.md
Expand Up @@ -419,12 +419,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional.
- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera.
- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional.
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save.

Seqera Platform generates the `External ID` value during credential creation.

In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.
Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials created before March 2026 continue to work without changes.
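Review bot: The paragraph that gave a concrete value for **Assume role** (`arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole`) sits next to "Use the IAM role ARN which Seqera must use for accessing your AWS resources", and the generic wording does not say whose account that role lives in. The Enterprise pages in this PR gain a sentence stating that the **Assume role** value is the role in the reader's own AWS account and is separate from the jump role. The Cloud pages need an equivalent statement so that readers can tell the role they paste apart from the Seqera Cloud access role referred to in the preceding section.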

20 changes: 12 additions & 8 deletions platform-cloud/docs/compute-envs/eks.md
Expand Up @@ -270,12 +270,10 @@ For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access ro

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional.
- **Role-based credentials (recommended)**: Assume IAM role ARN. `External ID` is mandatory and generated by Seqera.
- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional.
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save.

Seqera Platform generates the `External ID` value during credential creation.

In the credentials form, paste `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.
Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials created before March 2026 continue to work without changes.
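Review bot: The role-based bullet ("Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**") and the paragraph two lines below it ("Use the IAM role ARN which Seqera must use ...") give the same instruction twice. Keep the instruction in the bullet and reduce the paragraph to what it adds, namely that the field is optional for key-based and required for role-based credentials. "that Seqera uses to access" would also read better than "which Seqera must use for accessing".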

Expand Down Expand Up @@ -411,9 +409,15 @@ Once all prerequisites are met, create a Seqera EKS compute environment:
:::

1. Enter a name, e.g., `EKS Credentials`.
1. Add the **Access key** and **Secret key** obtained from the AWS IAM console. This is the [IAM user](#obtain-iam-user-credentials) with the Service Account role detailed in the requirements section.
1. (Optional) Under **Assume role**, specify the [IAM role](#iam-role-creation-optional) to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials.
1. Under **AWS credential mode**, select **Keys** or **Role**.
1. For **Keys** mode:
- Add the **Access key** and **Secret key** obtained from the AWS IAM console.
- Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode.
- If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential.
1. For **Role** mode:
- Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- External ID is generated automatically when you save the credential.

:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
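Review bot: The **Keys** bullet "Add the **Access key** and **Secret key** obtained from the AWS IAM console" carries no link, although the step text just above it points to `#obtain-iam-user-credentials` for the IAM user and `#iam-role-creation-optional` for the role. Keep both anchors in the mode-based bullets (the matching bullet in aws-batch.md retains `[previously obtained](#obtain-iam-user-credentials)`), otherwise the reader is not told which user and which role are meant.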
38 changes: 27 additions & 11 deletions platform-enterprise_docs/compute-envs/aws-batch.md
Expand Up @@ -707,6 +707,12 @@ For role-based AWS credentials in Enterprise, use the AWS IAM role configured in
}
```

:::info
In Seqera Enterprise, a jump role is optional. If you configure one, use your own jump role ARN as the trusted principal in the trust policy.

The **Assume role** value in the credential form is the customer IAM role ARN in your AWS account. It is separate from any optional jump role configuration.
:::

:::info
To use role-based access with no External ID, set `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` in your deployment [configuration](../enterprise/configuration/overview#compute-environments).
Then create AWS credentials using an IAM role ARN only (no access key, secret key, or External ID), and remove the entire `Condition` block for `sts:ExternalId` from your trust policy.
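Review bot: The `:::info` block on jump roles says "If you configure one, use your own jump role ARN as the trusted principal" but does not say which principal the trust policy should name when no jump role is configured, and "jump role" is used without a definition or a link. Add the no-jump-role case and link the term to the place where it is configured.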
Expand All @@ -716,12 +722,10 @@ Then create AWS credentials using an IAM role ARN only (no access key, secret ke

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional.
- **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera.

Seqera Platform generates the `External ID` value during credential creation.
- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional.
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save.

In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.
Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged.
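Review bot: "External ID is generated automatically when you save" in the role-based bullet is hard to reconcile with the `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` path shown in the preceding hunk, where credentials are created with "an IAM role ARN only (no access key, secret key, or External ID)". The closing line of this hunk says that behavior "remains unchanged", so state in the bullet whether an External ID is still generated on save when that setting is enabled, or name the exception.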

Expand Down Expand Up @@ -749,9 +753,15 @@ Depending on the provided configuration in the UI, Seqera might also create IAM
You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview).
:::
1. Enter a name, e.g., _AWS Credentials_.
1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user.
1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials.
1. Under **AWS credential mode**, select **Keys** or **Role**.
1. For **Keys** mode:
- Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials).
- Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode.
- If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential.
1. For **Role** mode:
- Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- External ID is generated automatically when you save the credential.
:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
:::
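Review bot: The two modes describe the External ID differently: the **Keys** bullet says it is "automatically generated and shown after you save the credential", the **Role** bullet only that it is "generated automatically when you save the credential". If the value is displayed in both cases, use the same wording in both bullets and say where it appears.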
Expand Down Expand Up @@ -983,9 +993,15 @@ AWS Batch creates resources that you may be charged for in your AWS account. See
You can create multiple credentials in your Seqera environment. See [Credentials](../credentials/overview).
:::
1. Enter a name, e.g., _AWS Credentials_.
1. Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials) when you created the Seqera IAM user.
1. (Optional) Under **Assume role**, specify the IAM role to be assumed by the Seqera IAM user to access the compute environment's AWS resources.
1. **External ID**: this value is read-only and generated by Seqera during credential creation. It is optional for key-based credentials.
1. Under **AWS credential mode**, select **Keys** or **Role**.
1. For **Keys** mode:
- Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials).
- Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode.
- If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential.
1. For **Role** mode:
- Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- External ID is generated automatically when you save the credential.
:::note
When using AWS keys without an assumed role, the associated AWS user must have been granted permissions to operate on the cloud resources directly. When an assumed role is provided, the IAM user keys are only used to retrieve temporary credentials impersonating the role specified: this could be useful when e.g. multiple IAM users are used to access the same AWS account, and the actual permissions to operate on the resources are only granted to the role.
:::
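Review bot: "For **Keys** mode:" and "For **Role** mode:" are numbered as consecutive steps, yet a reader follows only one of them after the choice made in "Under **AWS credential mode**, select **Keys** or **Role**". Nest the two as alternatives under the selection step so the numbering does not suggest carrying out both.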
14 changes: 9 additions & 5 deletions platform-enterprise_docs/compute-envs/aws-cloud.md
Expand Up @@ -52,12 +52,10 @@ To create and launch pipelines or Studio sessions with this compute environment

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions, with an optional IAM role in **Assume role**. `External ID` is optional.
- **Role-based credentials (recommended)**: IAM role ARN with required permissions. `External ID` is mandatory and generated by Seqera.
- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional.
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save.

Seqera Platform generates the `External ID` value during credential creation.

In the credentials form, add the IAM role ARN which Seqera must use for accessing AWS resources in the **Assume role** field. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.
Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials created before March 2026 continue to work without changes. `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` configuration behavior remains unchanged.
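Review bot: The key-based bullet in this overview describes form behaviour ("the **Generate External ID** switch is displayed"), which the step lists elsewhere in this PR already spell out. In a list that introduces the two credential types, state the rule (External ID is optional when a role is supplied together with keys) and leave the switch to the steps.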

Expand Down Expand Up @@ -92,6 +90,12 @@ For role-based AWS credentials in Enterprise, use the AWS IAM role configured in
}
```

:::info
In Seqera Enterprise, a jump role is optional. If you configure one, use your own jump role ARN as the trusted principal in the trust policy.

The **Assume role** value in the credential form is the customer IAM role ARN in your AWS account. It is separate from any optional jump role configuration.
:::

:::info
To use role-based access with no External ID, set `TOWER_ALLOW_INSTANCE_CREDENTIALS=true` in your deployment [configuration](../enterprise/configuration/overview#compute-environments).
Then create AWS credentials using an IAM role ARN only (no access key, secret key, or External ID), and remove the entire `Condition` block for `sts:ExternalId` from your trust policy.
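Review bot: In the `:::info` block on jump roles, "the customer IAM role ARN in your AWS account" mixes third person ("customer") with the second person used in the rest of these lines. "the ARN of the IAM role in your AWS account" says the same thing in the page's own voice. The block is also followed directly by a second `:::info`, so merging the two or giving each a title would make them easier to tell apart.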