98 changes: 32 additions & 66 deletions platform-cloud/docs/compute-envs/aws-batch.mdx
Expand Up @@ -75,7 +75,7 @@ Make sure the [Lustre client](https://docs.aws.amazon.com/fsx/latest/LustreGuide

To create and launch pipelines, explore buckets with Data Explorer or run Studio sessions with the AWS Batch compute environment, an IAM user with specific permissions must be provided. Some permissions are mandatory for the compute environment to be created and function correctly, while others are optional and used for example to provide list of values to pick from in the Platform UI.

Permissions can be attached directly to an [IAM user](#iam-user-creation), or to an [IAM role](#iam-role-creation-optional) that the IAM user can assume when accessing AWS resources.
Permissions can be attached directly to an [IAM user](#iam-user-creation), or to an [IAM role](#iam-role-based-credential-creation) that the IAM user can assume when accessing AWS resources.

Member

Do we want to clarify here which IAM user will assume the role?

Contributor Author

Yes - so replace 'IAM user' with Seqera Cloud?

Member

Yes, something like platform cloud pod identity.


A permissive and broad policy with all the required permissions is provided here for a quick start. However, we recommend following the principle of least privilege and only granting the necessary permissions for your use case, as shown in the following sections.
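Review bot: the updated sentence still describes the IAM role as one "that the IAM user can assume", which is exactly the ambiguity the thread raises: with role-based credentials the principal assuming the role is the Seqera Cloud access role, not an IAM user in your account. Suggest: "or to an [IAM role](#iam-role-based-credential-creation) that Seqera, or the IAM user when key-based credentials are used, assumes when accessing AWS resources." The anchor change itself is consistent with the heading renamed later in this PR.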

Expand Down Expand Up @@ -458,19 +458,29 @@ The policy above must be created in the AWS account where the AWS Batch resource

## IAM user creation

Seqera requires an Identity and Access Management (IAM) User to create and manage AWS Batch resources in your AWS account. We recommend creating a separate IAM policy rather an IAM User inline policy, as the latter only allows 2048 characters, which may not be sufficient for all the required permissions.
For key-based credentials only, Seqera requires an Identity and Access Management (IAM) User to create and manage AWS Batch resources in your AWS account. We recommend creating a separate IAM policy rather an IAM User inline policy, as the latter only allows 2048 characters, which may not be sufficient for all the required permissions.

In certain scenarios, for example when multiple users need to access the same AWS account and provision AWS Batch resources, an IAM role with the required permissions can be created instead, and the IAM user can assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section.
In certain scenarios, for example when multiple users need to access the same AWS account and provision AWS Batch resources, an IAM role with the required permissions can be created instead, and the IAM user can assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-based-credential-creation) section. For Cloud deployments, Seqera Cloud is the user that will manage resources with the permissions you give it, managed through a trust policy.

Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [Required Platform IAM permissions](#required-platform-iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-creation-optional) section.
Depending whether you choose to let Seqera automatically create the required AWS Batch resources in your account, or prefer to set them up manually, the IAM user must have specific permissions as detailed in the [Required Platform IAM permissions](#required-platform-iam-permissions) section. Alternatively, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources, as detailed in the [IAM role creation (optional)](#iam-role-based-credential-creation) section.

### Create an IAM user
## AWS credential options

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional.
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save.

Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials created before March 2026 continue to work without changes.

### Create an IAM user (key-based)

1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select **Create User** at the top right of the page.
1. Enter a name for your user (e.g., _seqera_) and select **Next**.
1. Under **Permission options**, select **Attach policies directly**, then search for and select the policy created above, and select **Next**.
* If you prefer to make the IAM user assume a role to manage AWS resources (see the [IAM role creation (optional)](#iam-role-creation-optional) section), create a policy with the following content (edit the AWS principal with the ARN of the role created) and attach it to the IAM user:

* Optionally, if you want to use an ARN and External ID with key based access, add the following to the user's Permission policy. This will allow the IAM User to assume a role in order to manage batch resources
```json
{
"Sid": "AssumeRoleToManageBatchResources",
Expand All @@ -488,7 +498,7 @@ Depending whether you choose to let Seqera automatically create the required AWS

The user has now been created. The most up-to-date instructions for creating an IAM user can be found in the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html).

### Obtain IAM user credentials
### Obtain IAM user credentials (key-based)

To get the credentials needed to connect Seqera to your AWS account, follow these steps:

Expand All @@ -498,22 +508,20 @@ To get the credentials needed to connect Seqera to your AWS account, follow thes
1. Optionally provide a description for the access key, like the reason for creating it, then select **Create access key**.
1. Save the **Access key** and **Secret access key** in a secure location as you will need to provide them when creating credentials in Seqera.

## IAM role creation (optional)
## IAM role-based credential creation

Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the IAM user to assume that role when accessing AWS resources. This is useful when multiple IAM users are used to access the same AWS account: this way the actual permissions to operate on the resources are only granted to a single centralized role.
Rather than attaching permissions directly to the IAM user, you can create an IAM role with the required permissions and allow the Seqera Cloud to assume that role when accessing AWS resources. This is useful when multiple third parties access the same AWS account: this way the actual permissions to operate on the resources are only granted to a single centralized role.

1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Roles** in the left navigation menu, then select **Create role** at the top right of the page.
1. Select **Custom trust policy** as the type of trusted entity, provide the following policy and edit the AWS principal with the ARN of the IAM user created in the [IAM user creation](#iam-user-creation) section, then select **Next**.
1. Select **Custom trust policy** as the trusted entity type in the AWS Console. Allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy as shown below, then select **Next**.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
]
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:AssumeRole",
"Condition": {
Expand All @@ -525,65 +533,23 @@ Rather than attaching permissions directly to the IAM user, you can create an IA
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
]
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:TagSession"
}
]
}
```
1. On the **Permissions** page, search for and select the policy created in the [IAM user creation](#iam-user-creation) section, then select **Next**.
1. Give the role a name and optionally a description, review the details of the role, optionally provide tags to help you identify the role, then select **Create role**.

Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section.
1. On the **Permissions** page, search for and select the policy created in the [Create the IAM policy](#create-the-iam-policy) section, then select **Next**.
1. Give the role a name and optionally a description, review the details of the role, optionally provide tags to help you identify the role, then select **Create role**.

:::note
Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in your IAM trust policy (`sts:ExternalId`).
:::

### Role-based trust policy example (Seqera Cloud)
The External ID is generated by Seqera when you save your credentials. Complete the following steps to finalize the trust policy:

For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the `External ID` generated during credential creation:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<ExternalId>"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
},
"Action": "sts:TagSession"
}
]
}
```

## AWS credential options

AWS credentials can be configured in two ways:

- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional.
- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. External ID is generated automatically when you save.

Use the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**. This field is available for both key-based and role-based credentials. It is optional for key-based credentials and required for role-based credentials.

Existing credentials created before March 2026 continue to work without changes.
1. In Seqera, create new AWS credentials, select Role mode, paste the role ARN, and save. Seqera generates and displays a unique External ID.
2. Return to the IAM role's trust policy in AWS and replace the `<EXTERNAL_ID>` placeholder with the generated value.
:::

## Automatic configuration of Batch resources
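Review bot: the two added steps use "1." and "2." while every other ordered list in this file uses "1." for each item; keep the file's convention. The `<EXTERNAL_ID>` placeholder in step 2 must match the placeholder used in the `sts:ExternalId` condition of the trust policy above (the removed example used `<ExternalId>`); the condition value is cut off in this diff, so please verify the two agree. The sentence "The External ID is generated by Seqera when you save your credentials" restates the note's opening sentence; merge them, and since the role ARN has to be saved in Seqera before the External ID exists, say in step 1 that the role is created with the placeholder first. One sentence on why the condition is required would also help readers who are tempted to leave it out: it binds the role to this specific Seqera credential, so knowing the role ARN alone is not enough for the Seqera role to be used to assume it on someone else's behalf.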

Expand All @@ -595,7 +561,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See

### AWS Batch

Seqera automates the configuration of an [AWS Batch](https://aws.amazon.com/batch/) compute environment and the queues required to deploy Nextflow pipelines. After your IAM user and S3 bucket have been set up, create a new **AWS Batch** compute environment in Seqera.
Seqera automates the configuration of an [AWS Batch](https://aws.amazon.com/batch/) compute environment and the queues required to deploy Nextflow pipelines. After your IAM User or Role and S3 bucket have been set up, create a new **AWS Batch** compute environment in Seqera.

#### Create a Seqera AWS Batch compute environment
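Review bot: "IAM User or Role" capitalises both nouns while the rest of the page writes "IAM user" and "IAM role" in lower case (for example the headings "IAM user creation" and "IAM role-based credential creation"); use "IAM user or role" here, and link the two terms to their sections so the reader lands on the setup path that matches their credential mode.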

Expand All @@ -613,7 +579,7 @@ Depending on the provided configuration in the UI, Seqera might also create IAM
1. Enter a name, e.g., _AWS Credentials_.
1. Under **AWS credential mode**, select **Keys** or **Role**.
1. For **Keys** mode:
- Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials).
- Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials-key-based).
- Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode.
- If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential.
Expand Down Expand Up @@ -861,7 +827,7 @@ AWS Batch creates resources that you may be charged for in your AWS account. See
1. Enter a name, e.g., _AWS Credentials_.
1. Under **AWS credential mode**, select **Keys** or **Role**.
1. For **Keys** mode:
- Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials).
- Add the **Access key** and **Secret key** you [previously obtained](#obtain-iam-user-credentials-key-based).
- Optionally paste the IAM role ARN which Seqera must use for accessing your AWS resources in **Assume role**.
- If you paste a role ARN in **Assume role**, the **Generate External ID** switch is displayed. Generating an External ID is optional in **Keys** mode.
- If **Generate External ID** is selected, an External ID is automatically generated and shown after you save the credential.