Skip to content

docs(aws-cloud): grant Secrets Manager write for pipeline secrets#1643

Open
pditommaso wants to merge 2 commits into
masterfrom
docs/intelligent-compute-pipeline-secrets-iam
Open

docs(aws-cloud): grant Secrets Manager write for pipeline secrets#1643
pditommaso wants to merge 2 commits into
masterfrom
docs/intelligent-compute-pipeline-secrets-iam

Conversation

@pditommaso

Copy link
Copy Markdown
Contributor

What

Updates the Secrets Manager inline policy in the AWS Cloud / Intelligent Compute IAM setup so that Seqera Platform pipeline secrets work on these compute environments.

Applies to both current pages (versioned snapshots left unchanged):

  • platform-enterprise_docs/compute-envs/aws-cloud.md
  • platform-cloud/docs/compute-envs/aws-cloud.mdx

Why

The documented Secrets Manager inline policy only granted read (GetSecretValue, ListSecrets). But at launch Seqera creates each referenced pipeline secret in AWS Secrets Manager (as tower-<workflowId>/<name>) and deletes it on completion — so the Seqera IAM credential also needs CreateSecret and DeleteSecret. Without them, pipelines that reference Seqera pipeline secrets fail to launch on AWS Cloud / Intelligent Compute.

This mirrors the scheduler-side change in seqeralabs/sched (the seqera-aws-cloud-policy in the CloudFormation stack gains the same grants). The scheduler-created ECS execution role's GetSecretValue grant is attached by the scheduler itself and needs no customer-facing change.

Changes

  • Add secretsmanager:CreateSecret and secretsmanager:DeleteSecret (scoped to tower-*) alongside the existing GetSecretValue.
  • Split secretsmanager:ListSecrets into its own statement on Resource: "*"ListSecrets does not support resource-level permissions, so scoping it to tower-* (as before) silently denied the list call used during secret cleanup.
  • Reword the policy description to explain the store/read lifecycle.

Notes

Draft: the Intelligent Compute pipeline-secrets feature is in preview and the scheduler-side support is not yet released. Merge alongside that release. Ready to flip out of draft on request.

🤖 Generated with Claude Code

The AWS Cloud Secrets Manager inline policy only granted read
(GetSecretValue/ListSecrets). Seqera also creates each referenced pipeline secret
in Secrets Manager when a pipeline launches and deletes it on completion, so the
credential needs CreateSecret + DeleteSecret (scoped to tower-*). This is what
enables Seqera Platform pipeline secrets on AWS Cloud / Intelligent Compute
compute environments.

Also splits ListSecrets into its own statement scoped to '*': secretsmanager:ListSecrets
does not support resource-level permissions, so scoping it to tower-* (as before)
denied the call used during secret cleanup.

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@netlify

netlify Bot commented Jul 9, 2026

Copy link
Copy Markdown

Deploy Preview for seqera-docs ready!

Name Link
🔨 Latest commit 29c0463
🔍 Latest deploy log https://app.netlify.com/projects/seqera-docs/deploys/6a5127f137600a0008c7079c
😎 Deploy Preview https://deploy-preview-1643--seqera-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@justinegeffen

Copy link
Copy Markdown
Contributor

Thanks, @pditommaso! Is this good to merge now or is there a specific date in mind?

@pditommaso pditommaso marked this pull request as ready for review July 10, 2026 17:10
@pditommaso

Copy link
Copy Markdown
Contributor Author

Leaving to @MichaelTansiniSeqera that's coordinating this

@justinegeffen justinegeffen added 1. Editor review Needs a language review do not merge Do not merge until this label is removed 3. Dev/PM/SME reviews complete SMEs have reviewed and approved. labels Jul 10, 2026
Rewrite the introducer for the Secrets Manager inline policy to match
the label→purpose shape of the sibling S3 and KMS entries: swap
"lets Seqera manage" for "grants access to", drop the semicolon-joined
"reads it at task startup" clause (implied by GetSecretValue in the
policy below), and cut the trailing "Required for..." fragment that
restated the opening clause. Wording kept identical across the
cloud (.mdx) and enterprise (.md) mirrors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

1. Editor review Needs a language review 3. Dev/PM/SME reviews complete SMEs have reviewed and approved. do not merge Do not merge until this label is removed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants