AWS Cloud
This compute environment type is currently in public preview. Please consult this guide for the latest information on recommended configuration and limitations. This guide assumes you already have an AWS account with a valid AWS subscription.
Many of the current implementations of compute environments for cloud providers rely on the use of batch services such as AWS Batch, Azure Batch, and Google Batch for the execution and management of submitted jobs, including pipelines and Studio session environments. Batch services are suitable for large-scale workloads, but they add management complexity. In practical terms, the currently used batch services result in some limitations:
- Long launch delay: When you launch a pipeline or Studio in a batch compute environment, there's a delay of several minutes before the pipeline or Studio session environment is in a running state. This is caused by the batch services that need to provision the associated compute service to run a single job.
- Complex setup: Standard batch services require complex identity management policies and configuration of multiple services including compute environments, job queues, job definitions, etc.
- Allocation constraints: AWS Batch and other cloud batch services have strict resource quotas, for example, a hard limit of 50 job queues per account per region. This means that no new compute environment can be created once this quota is reached.
The AWS Cloud compute environment addresses these pain points with:
- Faster startup time: Nextflow pipelines reach a Running status and Studio sessions connect in under a minute (a 4x improvement compared to classic AWS Batch compute environments).
- Simplified configuration: Fewer configurable options, with opinionated defaults, provide the best Nextflow pipeline and Studio session execution environment, with both Wave and Fusion enabled.
- Fewer AWS dependencies: Only one IAM role in AWS is required. IAM roles are subject to a soft limit of 1000 per account.
- Spot instances: Studios can be launched on a Spot instance.
This type of compute environment is best suited to run Studios and small to medium-sized pipelines. It offers more predictable compute pricing, given the fixed instance types. It spins up a standalone EC2 instance and executes a Nextflow pipeline or Studio session with a local executor on the EC2 machine. At the end of the execution, the instance is terminated.
Limitations
- The Nextflow pipeline will run entirely on a single EC2 instance. If the instance does not have sufficient resources, the pipeline execution will fail. For this reason, the number of tasks Nextflow can execute in parallel is limited by the number of cores of the instance type selected. If you need more computing resources, you must create a new compute environment with a larger instance type. This makes the compute environment less suited for larger, more complex pipelines.
Supported regions
The following regions are currently supported:
- eu-west-1
- us-east-1
- us-west-2
- eu-west-2
- us-east-2
- eu-central-1
- us-west-1
- eu-west-3
- ap-southeast-1
Requirements
Platform credentials
To create and launch pipelines or Studio sessions with this compute environment type, you must attach Seqera credentials for the cloud provider. Some permissions are mandatory for the compute environment to be created and function correctly; others are optional and used to pre-fill options in Platform.
Required permissions
Compute environment creation
The following permissions are required to provision resources in the AWS account. Only IAM roles that will be assumed by the EC2 instance must be provisioned:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsCloudCreate",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "iam:TagRole",
                "iam:TagInstanceProfile"
            ],
            "Resource": "*"
        }
    ]
}
Compute environment validation
The following permissions are required to validate the compute environment at creation time. Seqera validates the input provided and that the resource ARNs exist in the target AWS account:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsCloudValidate",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeImages",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}
Pipeline and Studio session management
The following permissions are required to launch pipelines, run Studio sessions, fetch live execution logs from CloudWatch, download logs from S3, and stop the execution:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsCloudLaunch",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:CreateTags",
                "ec2:TerminateInstances",
                "ec2:DeleteTags",
                "logs:GetLogEvents",
                "s3:GetObject"
            ],
            "Resource": "*"
        }
    ]
}
Compute environment termination and resource disposal
The following permissions are required to remove resources created by Seqera when the compute environment is deleted:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsCloudDelete",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:DeleteRole",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}
Optional permissions
The following permissions enable Seqera to populate values for dropdown fields. If missing, the input fields will not be auto-populated but can still be manually entered. Though optional, these permissions are recommended for a smoother and less error-prone user experience:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsCloudRead",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeVpcs",
                "ec2:DescribeImages",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}
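The following added example (not Seqera code) checks a policy document against the action lists above and reports which required or optional actions it does not allow, grouped by the `Sid` used on this page. It is a simplified pre-flight check: it only matches `Action` patterns in `Allow` statements and ignores `Deny`, `NotAction`, `Resource` scoping and `Condition` keys; `SAMPLE_POLICY` is constructed for illustration.

```python
import fnmatch

# Action lists copied from the policy statements on this page, keyed by Sid.
REQUIRED = {
    "AwsCloudCreate": ("iam:CreateRole iam:AddRoleToInstanceProfile iam:CreateInstanceProfile iam:AttachRolePolicy "
                       "iam:PutRolePolicy iam:PassRole iam:TagRole iam:TagInstanceProfile").split(),
    "AwsCloudValidate": "ec2:DescribeInstanceTypes ec2:DescribeImages ec2:DescribeSubnets ec2:DescribeSecurityGroups".split(),
    "AwsCloudLaunch": ("ec2:RunInstances ec2:DescribeInstances ec2:CreateTags ec2:TerminateInstances "
                       "ec2:DeleteTags logs:GetLogEvents s3:GetObject").split(),
    "AwsCloudDelete": ("iam:GetRole iam:ListAttachedRolePolicies iam:ListRolePolicies iam:DeleteRole "
                       "iam:DeleteInstanceProfile iam:RemoveRoleFromInstanceProfile iam:DetachRolePolicy "
                       "iam:DeleteRolePolicy").split(),
}
OPTIONAL = {
    "AwsCloudRead": ("ec2:DescribeInstanceTypes ec2:DescribeKeyPairs ec2:DescribeVpcs ec2:DescribeImages "
                     "ec2:DescribeSubnets ec2:DescribeSecurityGroups s3:ListAllMyBuckets").split(),
}

def as_list(value):
    """IAM JSON allows a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def missing_actions(policy, groups):
    """Return {Sid: [actions no Allow pattern matches]}; matching is case-insensitive with * and ?."""
    patterns = [p.lower() for s in as_list(policy.get("Statement", []))
                if s.get("Effect") == "Allow" for p in as_list(s.get("Action", []))]
    gaps = {}
    for sid, actions in groups.items():
        missing = [a for a in actions
                   if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if missing:
            gaps[sid] = missing
    return gaps

# Constructed sample: a policy attached to the Seqera credentials that lacks some actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:CreateTags",
                    "ec2:TerminateInstances", "logs:GetLogEvents", "s3:GetObject"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:CreateRole", "iam:*InstanceProfile", "iam:AttachRolePolicy",
                    "iam:PutRolePolicy", "iam:TagRole", "iam:GetRole", "iam:List*"]},
    ],
}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, REQUIRED), missing_actions(SAMPLE_POLICY, OPTIONAL))
```

A gap under `AwsCloudDelete` does not block creation or launch, but it leaves the IAM role and instance profile behind when the compute environment is deleted. The IAM policy simulator gives the authoritative evaluation, including `Deny` statements and conditions.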