docs(aws-cloud): document minimum permissions for custom EC2 instance profile #1445

Merged: justinegeffen merged 4 commits into master from docs/aws-cloud-ce-instance-profile-permissions, May 20, 2026

@ejseqera
Member

Summary

  • Adds a new Custom instance profile subsection to the AWS Cloud CE Advanced Options, documenting the minimum IAM permissions required when specifying a custom Instance Profile ARN
  • Documents the trust policy, 3 AWS managed policies, and 3 inline policies (S3 read/write, Secrets Manager, KMS for S3) that mirror what Seqera provisions automatically
  • Adds a note on EBS encryption enforcement (account-default encryption vs SCP) and the additional KMS permissions needed in those cases
  • Fixes a stale cross-reference that incorrectly linked to the AWS Batch manual setup doc

Test plan

  • Verify the new #custom-instance-profile anchor renders and is reachable from the Instance Profile bullet in Advanced Options
  • Verify the fixed cross-reference in the IAM permissions section resolves correctly
  • Technical review: confirm the documented policies match what Platform provisions (source: AwsForgeClientImpl.createCloudInstanceProfileRole(), verified against live staging roles 2026-05-19)
  • Check Netlify preview renders the JSON blocks and table correctly

…file

When users specify a custom Instance Profile ARN in Advanced Options,
the required IAM permissions were not documented. This adds a new
'Custom instance profile' subsection under Advanced Options listing
the trust policy, managed policies, and inline policies (S3 read/write,
Secrets Manager, KMS for S3) that Seqera provisions automatically when
no ARN is specified.

Also adds a note on EBS encryption enforcement (account-default or SCP)
and fixes a stale cross-reference that incorrectly pointed to the AWS
Batch manual setup doc.
Member

@gwright99 gwright99 left a comment

A few comments where things could be tightened up but overall (IMO) acceptable to merge.

Comment thread platform-cloud/docs/compute-envs/aws-cloud.md
Comment thread platform-cloud/docs/compute-envs/aws-cloud.md
Comment thread platform-cloud/docs/compute-envs/aws-cloud.md
Comment thread platform-cloud/docs/compute-envs/aws-cloud.md
Comment thread platform-enterprise_docs/compute-envs/aws-cloud.md

netlify Bot commented May 20, 2026

Deploy Preview for seqera-docs ready!

Name Link
🔨 Latest commit acdafe7
🔍 Latest deploy log https://app.netlify.com/projects/seqera-docs/deploys/6a0dee7400d1f300086ba501
😎 Deploy Preview https://deploy-preview-1445--seqera-docs.netlify.app
@justinegeffen justinegeffen merged commit 62298d7 into master May 20, 2026
5 of 7 checks passed
@justinegeffen justinegeffen deleted the docs/aws-cloud-ce-instance-profile-permissions branch May 20, 2026 17:44