From 2d404aa9390f2a6ff813e2bee6de39f0f93b794e Mon Sep 17 00:00:00 2001 From: MichaelTansiniSeqera Date: Fri, 12 Jun 2026 17:02:34 +0100 Subject: [PATCH 1/4] docs: add serviceAccountTokenCreator requirement for WIF + Data Explorer on GCP When WIF credentials are used for Data Explorer, Platform has no embedded private key and must call the GCP IAM signBlob API to generate presigned URLs. roles/iam.serviceAccountTokenCreator on the SA itself is required for this to succeed. Without it, file viewing and download fail silently with a signing error. Running pipelines is unaffected. Updates both Cloud and Enterprise Google Cloud Batch docs. Co-Authored-By: Claude Sonnet 4.6 --- platform-cloud/docs/compute-envs/google-cloud-batch.md | 9 +++++++++ .../compute-envs/google-cloud-batch.md | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index 13a2aa078..5a008f10c 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md 
@@ -112,6 +112,15 @@ Setting up WIF requires the following steps in the GCP Console: tityPools/{POOL}/providers/{PROVIDER}`. If you specify a custom value, it must match exactly what you enter in the Token audience field when creating the Google WIF credential in Seqera. 4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions). You may see a pop-up asking to configure your application and provide an OIDC ID token path. This pop-up can be dismissed. 5. Grant `roles/iam.workloadIdentityUser` on the service account that WIF will impersonate to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. If you have not yet created a service account do so following the guidelines above. +6. If you use the same WIF credential for Data Explorer, grant `roles/iam.serviceAccountTokenCreator` on the service account to itself: + + ```bash + gcloud iam service-accounts add-iam-policy-binding SA_EMAIL \ + --member="serviceAccount:SA_EMAIL" \ + --role="roles/iam.serviceAccountTokenCreator" + ``` + + Replace `SA_EMAIL` with the service account email. Without this role, viewing or downloading file contents in Data Explorer fails with a signing error. Running pipelines is not affected. After setting up WIF in the GCP Console, you need the following information to create a credential in Seqera Platform: diff --git a/platform-enterprise_docs/compute-envs/google-cloud-batch.md b/platform-enterprise_docs/compute-envs/google-cloud-batch.md index 9f89ce681..f58311f98 100644 --- a/platform-enterprise_docs/compute-envs/google-cloud-batch.md +++ b/platform-enterprise_docs/compute-envs/google-cloud-batch.md 
@@ -107,6 +107,15 @@ Workload Identity Federation (WIF) is the recommended authentication method for 3. Set the Allowed audiences. If left empty, GCP derives a default audience from the provider resource path in the format `//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}`. If you specify a custom value, it must match exactly what you enter in the Token audience field when creating the Google WIF credential in Seqera. 4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions) 5. Grant `roles/iam.workloadIdentityUser` on the service account created above to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. +6. If you use the same WIF credential for Data Explorer, grant `roles/iam.serviceAccountTokenCreator` on the service account to itself: + + ```bash + gcloud iam service-accounts add-iam-policy-binding SA_EMAIL \ + --member="serviceAccount:SA_EMAIL" \ + --role="roles/iam.serviceAccountTokenCreator" + ``` + + Replace `SA_EMAIL` with the service account email. Without this role, viewing or downloading file contents in Data Explorer fails with a signing error. Running pipelines is not affected. WIF requires an OIDC signing key and for Seqera Platform's OIDC provider to be configured. See [Cryptographic options](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#cryptographic-options). From b7a395c79711b6977ec95fe2c396819ade358b70 Mon Sep 17 00:00:00 2001 
From: MichaelTansiniSeqera Date: Mon, 15 Jun 2026 09:28:17 +0100 Subject: [PATCH 2/4] docs: use principalSet:// binding for WIF + Data Explorer signBlob role Switch from self-grant (serviceAccount:SA_EMAIL) to the WIF pool principal (principalSet://...) for the serviceAccountTokenCreator binding. This scopes the permission to federated identities from the pool rather than the SA itself, matching what actually calls signBlob at runtime and making it easier to narrow scope per workspace later. Co-Authored-By: Claude Sonnet 4.6 --- platform-cloud/docs/compute-envs/google-cloud-batch.md | 6 +++--- platform-enterprise_docs/compute-envs/google-cloud-batch.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index 5a008f10c..93f0dab29 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md 
@@ -112,15 +112,15 @@ Setting up WIF requires the following steps in the GCP Console: tityPools/{POOL}/providers/{PROVIDER}`. If you specify a custom value, it must match exactly what you enter in the Token audience field when creating the Google WIF credential in Seqera. 4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions). You may see a pop-up asking to configure your application and provide an OIDC ID token path. This pop-up can be dismissed. 5. Grant `roles/iam.workloadIdentityUser` on the service account that WIF will impersonate to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. If you have not yet created a service account do so following the guidelines above. -6. If you use the same WIF credential for Data Explorer, grant `roles/iam.serviceAccountTokenCreator` on the service account to itself: +6. If you use the same WIF credential for Data Explorer, grant `roles/iam.serviceAccountTokenCreator` on the service account to the Workload Identity Pool principal: ```bash gcloud iam service-accounts add-iam-policy-binding SA_EMAIL \ - --member="serviceAccount:SA_EMAIL" \ + --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*" \ --role="roles/iam.serviceAccountTokenCreator" ``` - Replace `SA_EMAIL` with the service account email. Without this role, viewing or downloading file contents in Data Explorer fails with a signing error. Running pipelines is not affected. + Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails with a signing error. Running pipelines is not affected. 
After setting up WIF in the GCP Console, you need the following information to create a credential in Seqera Platform: diff --git a/platform-enterprise_docs/compute-envs/google-cloud-batch.md b/platform-enterprise_docs/compute-envs/google-cloud-batch.md index f58311f98..8adafb39a 100644 --- a/platform-enterprise_docs/compute-envs/google-cloud-batch.md +++ b/platform-enterprise_docs/compute-envs/google-cloud-batch.md 
@@ -107,15 +107,15 @@ Workload Identity Federation (WIF) is the recommended authentication method for 3. Set the Allowed audiences. If left empty, GCP derives a default audience from the provider resource path in the format `//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}`. If you specify a custom value, it must match exactly what you enter in the Token audience field when creating the Google WIF credential in Seqera. 4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions) 5. Grant `roles/iam.workloadIdentityUser` on the service account created above to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. -6. If you use the same WIF credential for Data Explorer, grant `roles/iam.serviceAccountTokenCreator` on the service account to itself: +6. If you use the same WIF credential for Data Explorer, grant `roles/iam.serviceAccountTokenCreator` on the service account to the Workload Identity Pool principal: ```bash gcloud iam service-accounts add-iam-policy-binding SA_EMAIL \ - --member="serviceAccount:SA_EMAIL" \ + --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*" \ --role="roles/iam.serviceAccountTokenCreator" ``` - Replace `SA_EMAIL` with the service account email. Without this role, viewing or downloading file contents in Data Explorer fails with a signing error. Running pipelines is not affected. + Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails with a signing error. Running pipelines is not affected. 
WIF requires an OIDC signing key and for Seqera Platform's OIDC provider to be configured. See [Cryptographic options](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#cryptographic-options). From a1ecbacae8763d8964fe6f4a4d34fd1756c0cca7 Mon Sep 17 00:00:00 2001 From: MichaelTansiniSeqera Date: Tue, 16 Jun 2026 09:27:16 +0100 Subject: [PATCH 3/4] docs: apply Jon Marti's review suggestions to WIF Data Explorer step - Add workspace-scoping note for serviceAccountTokenCreator binding (mirrors step 5's "all pool identities or a specific workspace" framing) - Replace vague "signing error" with exact log phrases for searchability: SigningException + iam.serviceAccounts.signBlob permission denial Applies to both cloud and enterprise GCB docs. Co-Authored-By: Claude Sonnet 4.6 --- platform-cloud/docs/compute-envs/google-cloud-batch.md | 4 +++- platform-enterprise_docs/compute-envs/google-cloud-batch.md | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index 93f0dab29..36fc0808f 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md 
@@ -120,7 +120,9 @@ Setting up WIF requires the following steps in the GCP Console: --role="roles/iam.serviceAccountTokenCreator" ``` - Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails with a signing error. Running pipelines is not affected. + Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails. The Platform backend logs the underlying error as `SigningException: Failed to sign the provided bytes` caused by `Permission 'iam.serviceAccounts.signBlob' denied`. Running pipelines is not affected. + + As with step 5, you can scope this binding to a specific workspace by replacing `principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*` with `principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/org:{ORG_ID}:wsp:{WORKSPACE_ID}:workflow`. After setting up WIF in the GCP Console, you need the following information to create a credential in Seqera Platform: diff --git a/platform-enterprise_docs/compute-envs/google-cloud-batch.md b/platform-enterprise_docs/compute-envs/google-cloud-batch.md index 8adafb39a..99c52caaf 100644 --- a/platform-enterprise_docs/compute-envs/google-cloud-batch.md +++ b/platform-enterprise_docs/compute-envs/google-cloud-batch.md 
@@ -115,7 +115,9 @@ Workload Identity Federation (WIF) is the recommended authentication method for --role="roles/iam.serviceAccountTokenCreator" ``` - Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails with a signing error. Running pipelines is not affected. + Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails. The Platform backend logs the underlying error as `SigningException: Failed to sign the provided bytes` caused by `Permission 'iam.serviceAccounts.signBlob' denied`. Running pipelines is not affected. + + As with step 5, you can scope this binding to a specific workspace by replacing `principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*` with `principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/org:{ORG_ID}:wsp:{WORKSPACE_ID}:workflow`. WIF requires an OIDC signing key and for Seqera Platform's OIDC provider to be configured. See [Cryptographic options](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#cryptographic-options). From 3bc5b383fecbfb6f72dffddbef62efa3cb452bcb Mon Sep 17 00:00:00 2001 From: MichaelTansiniSeqera Date: Tue, 16 Jun 2026 09:28:14 +0100 Subject: [PATCH 4/4] docs: fix wording - "Seqera Platform logs" not "Platform backend logs" Co-Authored-By: Claude Sonnet 4.6 --- platform-cloud/docs/compute-envs/google-cloud-batch.md | 2 +- platform-enterprise_docs/compute-envs/google-cloud-batch.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index 36fc0808f..a3f61b990 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md 
+++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md @@ -120,7 +120,7 @@ Setting up WIF requires the following steps in the GCP Console: --role="roles/iam.serviceAccountTokenCreator" ``` - Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails. The Platform backend logs the underlying error as `SigningException: Failed to sign the provided bytes` caused by `Permission 'iam.serviceAccounts.signBlob' denied`. Running pipelines is not affected. + Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails. Seqera Platform logs the underlying error as `SigningException: Failed to sign the provided bytes` caused by `Permission 'iam.serviceAccounts.signBlob' denied`. Running pipelines is not affected. As with step 5, you can scope this binding to a specific workspace by replacing `principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*` with `principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/org:{ORG_ID}:wsp:{WORKSPACE_ID}:workflow`. diff --git a/platform-enterprise_docs/compute-envs/google-cloud-batch.md b/platform-enterprise_docs/compute-envs/google-cloud-batch.md index 99c52caaf..68ca6b87b 100644 --- a/platform-enterprise_docs/compute-envs/google-cloud-batch.md +++ b/platform-enterprise_docs/compute-envs/google-cloud-batch.md 
@@ -115,7 +115,7 @@ Workload Identity Federation (WIF) is the recommended authentication method for --role="roles/iam.serviceAccountTokenCreator" ``` - Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails. The Platform backend logs the underlying error as `SigningException: Failed to sign the provided bytes` caused by `Permission 'iam.serviceAccounts.signBlob' denied`. Running pipelines is not affected. + Replace `SA_EMAIL`, `PROJECT_NUMBER`, and `POOL_ID` with your values. Without this role, viewing or downloading file contents in Data Explorer fails. Seqera Platform logs the underlying error as `SigningException: Failed to sign the provided bytes` caused by `Permission 'iam.serviceAccounts.signBlob' denied`. Running pipelines is not affected. As with step 5, you can scope this binding to a specific workspace by replacing `principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*` with `principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/org:{ORG_ID}:wsp:{WORKSPACE_ID}:workflow`.
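Review bot: In PATCH 1/4, the `--member="serviceAccount:SA_EMAIL"` binding in both hunks grants the service account signing rights on itself, but under WIF the caller of signBlob is the holder of the federated token, not the service account; PATCH 2/4 replaces it with the pool principal for exactly this reason. Since the series is being reviewed as a whole, consider squashing 1/4 and 2/4 so the self-grant never lands in history where a reader bisecting the docs could copy it.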
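Review bot: In PATCH 2/4, the `--member="principalSet://.../workloadIdentityPools/POOL_ID/*"` line binds every identity in the pool, and `roles/iam.serviceAccountTokenCreator` grants more than the `iam.serviceAccounts.signBlob` permission the error message names (it also covers signJwt and access-token and ID-token creation for the service account). The text should say which single permission Data Explorer actually needs and note that a custom role containing only `iam.serviceAccounts.signBlob` is the least-privilege alternative to the predefined role; the placeholder style also shifted from `{PROJECT}`/`{POOL}` in step 3 to `PROJECT_NUMBER`/`POOL_ID` here, so pick one convention for the section.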
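Review bot: In PATCH 3/4, the workspace-scoping sentence mixes bare placeholders (`PROJECT_NUMBER`, `POOL_ID`) with braced ones (`{ORG_ID}`, `{WORKSPACE_ID}`) inside one `principal://` string, which a reader will copy verbatim; use one style. More importantly, the scoped subject ends in `:workflow`, mirroring the pipeline-launch identity from step 5; please confirm in the text that the Data Explorer signing request presents the same `sub` claim, because if it does not, the narrowed `principal://` binding will not match and the `SigningException` the hunk documents will persist. A pointer to where `ORG_ID` and `WORKSPACE_ID` are found (or a reference back to step 5) would make the step self-contained.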
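Review bot: In PATCH 4/4, both files now carry a byte-identical paragraph, and the surrounding context already shows the two copies drifting (the cloud step 4 has the pop-up sentence and a trailing period; the enterprise step 4 has neither). Consider maintaining this WIF block as a single shared snippet included from both pages, or at least re-syncing step 4 in the same series, so the next wording fix does not need four near-duplicate hunks.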