Update README.md w/ Forge details and differences with launch #9

Open: wants to merge 1 commit into base: master
28 changes: 26 additions & 2 deletions forge/README.md
Expand Up @@ -3,7 +3,7 @@
Tower Forge automates the configuration of [AWS Batch](https://aws.amazon.com/batch/) compute environments and queues
required for the deployment of Nextflow pipelines.

To enable this feature Tower requires the permissions listed in [this policy](forge-policy.json) file.
To enable this feature Tower requires the permissions listed in [this policy](forge-policy.json) file.

Attach the policy to the AWS user account associated to your Tower configuration as described below:

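Review bot: the removed and added lines in this hunk render as identical text ("To enable this feature Tower requires the permissions listed in [this policy](forge-policy.json) file."), so the only change here is whitespace (a trailing space or line ending). That is harmless, but either mention the whitespace cleanup in the commit message or drop it from this PR so the diff carries only the documentation change. If the line is being touched anyway, "listed in [this policy](forge-policy.json) file" reads better as "listed in the [forge-policy.json](forge-policy.json) policy file".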
Expand All @@ -17,7 +17,13 @@ Attach the policy to the AWS user account associated to your Tower configuration
> **Note**
> This policy also includes the mininal permissions required to allow the user to submit
> Batch jobs, gather containers execution metadata, read CloudWatch logs and access the S3 bucket in your AWS
> account in read-only mode.
> account in read-only mode.

> **Note**
> With this policy in place, you *do not* also need the policies in
> [`launch/`](https://github.com/seqeralabs/nf-tower-aws/tree/master/launch) to launch pipelines on Tower.
> The only other AWS resource that is required for a minimal setup is a "scratch" bucket in S3 that Tower jobs
> use as a work directory.

> **Important**
> You may need to further customised the IAM permissions to access private ECR registries,
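Review bot: the new Note says the policies under launch/ are not needed once forge-policy.json is attached, but the unchanged text immediately below this hunk still instructs readers to add the custom policy ../launch/secrets-policy-account.json and refers them to the launch README for details. Please qualify the note so it is not read as a blanket statement, for example "you *do not* also need the policies in [`launch/`](../launch/) to launch pipelines on Tower, other than the secrets policy described below if you use it". Two smaller points on the same lines: the link to launch/ uses an absolute github.com URL while the rest of this README uses relative paths (../launch/...), so a relative link would be consistent and survive forks; and the context lines carry typos this PR could fix while here, "mininal" (minimal), "gather containers execution metadata" (container), and "You may need to further customised" (customise).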
Expand All @@ -32,3 +38,21 @@ Add the custom policy at [this link](../launch/secrets-policy-account.json) to t
access to your AWS account to Tower (the one specified in the Tower credentials).

See [Tower Launch](../launch/README.md) for more details.

---

### How Forge works

When using Seqera Forge to stand up infrastructure, Forge uses the permissions allowed by `forge-policy.json` to
create required AWS Batch queues for a Seqera Platform Compute Environment (CE).
Forge will, as part of that process create IAM roles specifically for that CE.

For example, when a user uses Forge to create a CE with ID `2CeQImw0JjWrMM0tRDGRZ7`, Forge creates three
corresponding IAM roles:

- `TowerForge-2CeQImw0JjWrMM0tRDGRZ7-ExecutionRole`
- `TowerForge-2CeQImw0JjWrMM0tRDGRZ7-InstanceRole`
- `TowerForge-2CeQImw0JjWrMM0tRDGRZ7-ServiceRole`

When using Forge, the permissions allowed by the EC2 instances launched in Compute Environment with ID `XX` are set by
the role `TowerForge-XX-InstanceRole`, and not by the policy you give to Seqera Platform.
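Review bot: the last paragraph is the security-relevant part of this section and needs one more sentence saying what each of the three roles is used for and where their permissions come from (the policies Forge attaches when it creates them), because that role, not forge-policy.json, is the effective permission set of the EC2 instances running pipeline jobs; a reader auditing least privilege will otherwise have to discover this from the AWS console. If forge-policy.json is what grants Forge the ability to create and pass these roles, say so explicitly, since that is the permission a reviewer of the policy will be looking for. Smaller points: the section switches to "Seqera Forge" and "Seqera Platform Compute Environment" while the rest of the README says "Tower Forge" and "Tower", so pick one naming; "Forge will, as part of that process create IAM roles" needs a comma after "process"; and the placeholder `XX` in the final paragraph could reuse the example ID given above or a clearer `<CE-ID>` form so it is not mistaken for a literal.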