Seqera Platform Feature Requests

Anonymous

Feature requests for the Seqera Platform (https://cloud.seqera.io)
Managed (AKA passthrough) identity for all Seqera-supported infra providers
We’d love to see Seqera Platform support cloud identity passthrough, allowing pipelines to securely access cloud resources (like storage, compute, secrets) using native identity mechanisms from AWS, Azure, and GCP — without needing to manage long-lived credentials. (Seqera Platform already supports this for HPC). This would allow access to cloud services to be governed directly by cloud IAM policies, improving both security and enterprise integration. Why this matters Today, jobs typically authenticate to cloud services using infrastructure-level credentials (e.g., an IAM role or service principal attached to the compute environment). These credentials are: Shared across users Often over-permissioned Not user-aware — cloud services can’t tell who requested access This limits enterprises from applying their existing IAM policies and can create operational or audit complexity. ✅ What we’re asking for Enable Seqera Platform to support cloud-native, credential-less authentication, such as: AWS: IAM Roles with identity federation (e.g., via IAM Identity Center or OIDC) Azure: System- and user-assigned Managed Identities GCP: Workload Identity Federation tied to user or workspace context This would allow: Per-user or per-pipeline IAM role/identity selection Fine-grained access controls to cloud resources, managed entirely in the cloud provider’s IAM system Removal of static secrets (like service principal keys or access tokens)
8
·
Authentication
·
acknowledged
Google Cloud CE: support a customer-provided service account instead of Forge creating one (to avoid requiring project-level setIamPolicy / Project IAM Admin)
Problem / motivation Creating a Google Cloud compute environment (the single-VM google-cloud type, which is the only GCP CE that Studios supports) requires the provisioning credential to hold resourcemanager.projects.setIamPolicy - i.e. the "Project IAM Admin" role. Several customers consider this too broad to grant, since whoever holds it can bind any role to any principal across the whole project. There is currently no way to provision this CE type without it. for exactly this reason. Current behavior The google-cloud CE is always Forge-provisioned ( isForgeEnv is unconditionally true). During creation, Forge: Creates a new, per-CE service account ( iam.serviceAccounts.create ). Grants it roles/storage.objectAdmin on the work-dir bucket (bucket-level setIamPolicy ). Edits the project IAM policy to grant that SA four roles — logging.logWriter , monitoring.metricWriter , storage.bucketViewer , storage.objectViewer — which is what requires resourcemanager.projects.setIamPolicy . The same project-level setIamPolicy is invoked again at teardown to remove the bindings before deleting the SA. GoogleCloudConfig.serviceAccountEmail exists but is an output (populated by Forge), not an input — there is no path for a user to supply an existing SA and have Forge skip steps 1 and 3. Code (platform/master): modules/platform-compute-platforms/impl/src/main/groovy/io/seqera/tower/service/platform/gcp/GoogleCloudForgeClientImpl.groovy — createServiceAccount L392; project setIamPolicy L520; removal L570 .../service/forge/GoogleCloudForgeDelegate.groovy — isForgeEnv L125; serviceAccountEmail set from Forge result L68 Requested behavior Add an option on the Google Cloud (single-VM) CE to use a customer-provided service account instead of creating one. When a service account is supplied: Forge skips SA creation and skips the project-level IAM policy edit. The customer is responsible for pre-granting that SA the required roles (we document the exact set). Provisioning then only needs permissions to attach the existing SA to the VM, not resourcemanager.projects.setIamPolicy . This mirrors how the Google Batch CE already behaves — it reuses the credential's own service account ( GoogleBatchPlatformProvider.groovy:717 ) and never touches the project IAM policy. Acceptance criteria A google-cloud CE can be created with a user-supplied service account and no use of resourcemanager.projects.setIamPolicy at create or delete time. When no SA is supplied, behaviour is unchanged (Forge creates and binds as today), so this is backward compatible. Docs list the exact roles the supplied SA must already hold. Teardown does not attempt to remove project bindings it did not create. Notes / scope This is the CE that GCP Studios runs on; there is no GoogleBatchStudioProvider , so customers can't sidestep it by switching CE type. setIamPolicy is inherently project-scoped, so a narrower-scope grant is not possible — a BYO-SA path is the only way to remove the requirement.
1
·
Compute Environments
·
acknowledged
Load More