Skip to content

docs(aws-cloud): grant Secrets Manager write for pipeline secrets#1643

Draft
pditommaso wants to merge 1 commit into
masterfrom
docs/intelligent-compute-pipeline-secrets-iam
Draft

docs(aws-cloud): grant Secrets Manager write for pipeline secrets#1643
pditommaso wants to merge 1 commit into
masterfrom
docs/intelligent-compute-pipeline-secrets-iam

Conversation

@pditommaso

Copy link
Copy Markdown
Contributor

What

Updates the Secrets Manager inline policy in the AWS Cloud / Intelligent Compute IAM setup so that Seqera Platform pipeline secrets work on these compute environments.

Applies to both current pages (versioned snapshots left unchanged):

  • platform-enterprise_docs/compute-envs/aws-cloud.md
  • platform-cloud/docs/compute-envs/aws-cloud.mdx

Why

The documented Secrets Manager inline policy only granted read (GetSecretValue, ListSecrets). But at launch Seqera creates each referenced pipeline secret in AWS Secrets Manager (as tower-<workflowId>/<name>) and deletes it on completion — so the Seqera IAM credential also needs CreateSecret and DeleteSecret. Without them, pipelines that reference Seqera pipeline secrets fail to launch on AWS Cloud / Intelligent Compute.

This mirrors the scheduler-side change in seqeralabs/sched (the seqera-aws-cloud-policy in the CloudFormation stack gains the same grants). The scheduler-created ECS execution role's GetSecretValue grant is attached by the scheduler itself and needs no customer-facing change.

Changes

  • Add secretsmanager:CreateSecret and secretsmanager:DeleteSecret (scoped to tower-*) alongside the existing GetSecretValue.
  • Split secretsmanager:ListSecrets into its own statement on Resource: "*"ListSecrets does not support resource-level permissions, so scoping it to tower-* (as before) silently denied the list call used during secret cleanup.
  • Reword the policy description to explain the store/read lifecycle.

Notes

Draft: the Intelligent Compute pipeline-secrets feature is in preview and the scheduler-side support is not yet released. Merge alongside that release. Ready to flip out of draft on request.

🤖 Generated with Claude Code

The AWS Cloud Secrets Manager inline policy only granted read
(GetSecretValue/ListSecrets). Seqera also creates each referenced pipeline secret
in Secrets Manager when a pipeline launches and deletes it on completion, so the
credential needs CreateSecret + DeleteSecret (scoped to tower-*). This is what
enables Seqera Platform pipeline secrets on AWS Cloud / Intelligent Compute
compute environments.

Also splits ListSecrets into its own statement scoped to '*': secretsmanager:ListSecrets
does not support resource-level permissions, so scoping it to tower-* (as before)
denied the call used during secret cleanup.

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@netlify

netlify Bot commented Jul 9, 2026

Copy link
Copy Markdown

Deploy Preview for seqera-docs ready!

Name Link
🔨 Latest commit ca92877
🔍 Latest deploy log https://app.netlify.com/projects/seqera-docs/deploys/6a4f3d5fa6feb400088db276
😎 Deploy Preview https://deploy-preview-1643--seqera-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants