Studios deployment
Enable Studios as part of your Seqera Platform Enterprise instance. You must have Data Explorer enabled to use Studios. Only the AWS public cloud is currently supported.
You must upgrade your Seqera Enterprise installation to version 24.2 before you enable and configure Studios.
DNS configuration
Each Studio is reachable at a unique URL that includes a randomly generated subdomain name. For example: https://abcd.example.com/, where example.com is your Seqera base domain name.
Provide a wildcard TLS certificate to allow for uniquely generated subdomains. A wildcard certificate common name includes *. in the domain name, such as *.example.com, thereby securing any subdomain name at this level.
Studios uses the following set of domains and subdomains:
- The domain that you set for TOWER_SERVER_URL, such as example.com.
- A wildcard subdomain that you must configure specifically for Studios. This wildcard subdomain is the parent for each unique session URL, such as abcd.example.com.
- The connection proxy, defined by CONNECT_PROXY_URL. This URL is a first-level subdomain of your TOWER_SERVER_URL. For example, https://connect.example.com.
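A wildcard name stands for exactly one label, which is why the connect proxy sits at the first level under the base domain. The following added example (not Seqera code; the function names and the abcd session label are illustrative) lists which Studios hostnames a given set of certificate names leaves uncovered.

```python
from urllib.parse import urlsplit


def name_covers(cert_name: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A leading "*." stands for exactly one label, so *.example.com covers
    abcd.example.com but neither example.com nor a.b.example.com.
    """
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    first_label, _, parent = host.partition(".")
    return bool(first_label) and parent == cert_name[2:]


def uncovered_hosts(cert_names, platform_url, connect_proxy_url, session_label="abcd"):
    """Return the Studios hostnames that none of cert_names covers.

    Session URLs are modelled as <random label>.<platform host>, as in the
    page's https://abcd.example.com/ example.
    """
    platform_host = urlsplit(platform_url).hostname
    proxy_host = urlsplit(connect_proxy_url).hostname
    needed = [platform_host, proxy_host, f"{session_label}.{platform_host}"]
    return [h for h in needed if not any(name_covers(n, h) for n in cert_names)]


# Constructed certificate name lists using the page's example.com placeholder.
FULL = ["example.com", "*.example.com"]
WILDCARD_ONLY = ["*.example.com"]

if __name__ == "__main__":
    base, proxy = "https://example.com", "https://connect.example.com"
    print(uncovered_hosts(FULL, base, proxy))
    print(uncovered_hosts(WILDCARD_ONLY, base, proxy))
    # A proxy nested one level deeper is not covered by the same wildcard.
    print(uncovered_hosts(FULL, base, "https://connect.studios.example.com"))
```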
Studios workspace availability
You can configure which organizational workspaces have access to Studios. This configuration is set in the tower.yml file. The tower.data-studio.allowed-workspaces field supports the following options:
- allowed-workspaces: []: Disables Studios. This is the default if the allowed-workspaces field is not specified.
- allowed-workspaces: [ <WORKSPACE_ID>,<WORKSPACE_ID> ]: Enables Studios for the comma-separated list of organizational workspace IDs.
- allowed-workspaces: null: Enables Studios for all organizational workspaces.
Available Studio environment images
Each of the provided environments includes a particular version of the underlying software package and the version of Seqera Connect, an integrated web- and file-server.
To quickly identify which version of the software an image includes, the version string for each container is in the form of <software_version>-<seqera_connect_version>. For example, if the version string for the R-IDE is 2025.04.1-0.8, version 2025.04.1 is the R-IDE version and 0.8 is the Connect version of this Seqera-built container image. Learn more about Studios environment versioning.
The latest environment versions are listed below:
- JupyterLab: public.cr.seqera.io/platform/data-studio-jupyter:4.2.5-0.8
- R-IDE: public.cr.seqera.io/platform/data-studio-ride:2025.04.1-0.8
- Visual Studio Code: public.cr.seqera.io/platform/data-studio-vscode:1.93.1-0.8
- Xpra: public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.8
When adding a new Studio, the latest environment versions are tagged recommended, and earlier compatible versions are tagged deprecated.
Security scans and container inspection reports (including container specifications, configuration, and manifest) are available on demand at public.cr.seqera.io/platform for each environment image by selecting the Scan and Inspect icons respectively.
Docker Compose
This guide assumes that all services will be run in the same container as the rest of your Seqera Platform services.
Prerequisites
- Allow inbound traffic to port 9090 on the EC2 instance
- Allow traffic on port 9090 through the AWS LB (Load Balancer)
- An AWS Route53 wildcard DNS record, such as *.<seqera_platform_domain>
Procedure
- Download the Studios environment configuration file.
- Create an initial OIDC registration token, which can be any secure random string. For example, using openssl:
    oidc_registration_token=$(openssl rand -base64 32 | tr -d /=+ | cut -c -32)
- Generate an RSA public/private key pair. A key size of at least 2048 bits is recommended. For example, use openssl to generate the key pair:
    openssl genrsa -out private.pem 2048
    openssl rsa -pubout -in private.pem -out public.pem
- Download the data-studios-rsa.pem file and replace its contents with the content of your private and public key files, in the same order (private key on top, public key directly beneath it). Save the file as data-studios-rsa.pem, in the same directory as your docker-compose.yml file.
- Open the docker-compose.yml file and uncomment the volume mount for the PEM key file for the backend and cron services in the volumes list. Your PEM file must be named data-studios-rsa.pem.
    volumes:
      - $PWD/tower.yml:/tower.yml
      # An RSA key is required for Studios functionality. Uncomment the line below to mount the key.
      #- $PWD/data-studios-rsa.pem:/data-studios-rsa.pem
- Open data-studios.env in an editor, and make the following changes:
  - Uncomment the connect-proxy and connect-server services.
  - Set the following environment variables:
    - PLATFORM_URL: The same value assigned to TOWER_SERVER_URL. For example, https://example.com.
    - CONNECT_PROXY_URL: A URL for the connect proxy subdomain. We recommend you set a first-level subdomain of your PLATFORM_URL for your connect proxy. For example, https://connect.example.com.
    - CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN: The same value set in the oidc_registration_token environment variable.
- Open tower.env in an editor and set the following variables:
  - TOWER_DATA_EXPLORER_ENABLED: Set to true to enable Data Explorer. You must enable Data Explorer to mount data inside a Studio.
  - TOWER_DATA_STUDIO_CONNECT_URL: The URL of the Studios connect proxy, such as https://connect.example.com/.
  - TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN: The same value set in the oidc_registration_token environment variable.
  - TOWER_OIDC_PEM_PATH: The file path to a PEM certificate used for signing the OIDC tokens for the OpenID connect provider, mounted as a volume inside the container.
- Edit the tower.yml file and include the following snippet to enable Studios in all organization workspaces:
    tower:
      data-studio:
        allowed-workspaces: null
- Start your Platform instance:
    docker compose up -d
- Confirm that the Platform containers are running:
    docker ps
- To confirm that Studios is available, log in to your Platform instance and navigate to an organizational workspace that has Studios enabled. The Studios tab is included with the available tabs.
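A pre-flight check for the values set in data-studios.env and tower.env in this procedure, as an added example that is not part of the Seqera documentation: it reports mismatched registration tokens and inconsistent URLs before the containers start. The helper names and the sample file contents are constructed.

```python
from urllib.parse import urlsplit


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env


def check_studios_env(studios_env, tower_env):
    """Return a list of problems; an empty list means the two files agree."""
    s, t = parse_env(studios_env), parse_env(tower_env)
    problems = []
    token = s.get("CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN", "")
    if not token or token != t.get("TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN"):
        problems.append("registration token missing or not identical in both files")
    platform = urlsplit(s.get("PLATFORM_URL", "")).hostname
    proxy = urlsplit(s.get("CONNECT_PROXY_URL", "")).hostname
    # The page recommends a first-level subdomain of PLATFORM_URL for the proxy.
    if not platform or not proxy or proxy.partition(".")[2] != platform:
        problems.append("CONNECT_PROXY_URL is not a first-level subdomain of PLATFORM_URL")
    if urlsplit(t.get("TOWER_DATA_STUDIO_CONNECT_URL", "")).hostname != proxy:
        problems.append("TOWER_DATA_STUDIO_CONNECT_URL does not point at the connect proxy")
    if t.get("TOWER_DATA_EXPLORER_ENABLED", "").lower() != "true":
        problems.append("TOWER_DATA_EXPLORER_ENABLED is not true")
    if not t.get("TOWER_OIDC_PEM_PATH"):
        problems.append("TOWER_OIDC_PEM_PATH is not set")
    return problems


# Constructed sample file contents; the token is a placeholder, not a real secret.
STUDIOS_ENV = """\
PLATFORM_URL=https://example.com
CONNECT_PROXY_URL=https://connect.example.com
CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN=PLACEHOLDERtoken0123456789abcdef
"""
TOWER_ENV = """\
TOWER_DATA_EXPLORER_ENABLED=true
TOWER_DATA_STUDIO_CONNECT_URL=https://connect.example.com/
TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN=PLACEHOLDERtoken0123456789abcdef
TOWER_OIDC_PEM_PATH=/data-studios-rsa.pem
"""
STALE_TOWER_ENV = TOWER_ENV.replace("PLACEHOLDERtoken", "OLDERtoken")

if __name__ == "__main__":
    print(check_studios_env(STUDIOS_ENV, TOWER_ENV))        # no problems
    print(check_studios_env(STUDIOS_ENV, STALE_TOWER_ENV))  # token mismatch
```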
Kubernetes
This procedure describes how to configure Studios for Kubernetes deployments of Seqera Platform.
Procedure
- Download the Kubernetes manifests for the Studios service.
- Change your Kubernetes context to the namespace where your Platform instance runs:
    kubectl config set-context --current --namespace=<namespace>
- Edit the server.yml file and set the CONNECT_REDIS_ADDRESS environment variable to the hostname or IP address of the Redis server configured for Platform.
- Create an initial OIDC registration token, which can be any secure random string. For example, using openssl:
    oidc_registration_token=$(openssl rand -base64 32 | tr -d /=+ | cut -c -32)
- Edit the proxy.yml file and set the following variables:
  - CONNECT_REDIS_ADDRESS: The hostname or IP address of the Redis server configured for Platform.
  - CONNECT_PROXY_URL: A URL for the connect proxy subdomain. We recommend you set a first-level subdomain of your Platform installation domain (PLATFORM_URL below) for your connect proxy, to be able to use the same wildcard TLS certificate for all session URLs and avoid additional domain nesting. For example, https://connect.example.com.
  - PLATFORM_URL: The base URL for your Platform installation, such as https://example.com/.
  - CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN: The same value as the oidc_registration_token value created previously.
- Edit your Platform installation's ingress.eks.yml file:
  - Uncomment the host section at the bottom of the file.
  - Replace <YOUR-TOWER-HOST-NAME> with the base domain of your Platform installation. For example, example.com.
  Note: This assumes that you have an existing Platform installation Ingress already configured with the following fields:
  - alb.ingress.kubernetes.io/certificate-arn: The ARN of a wildcard TLS certificate that secures your Platform URL and connect proxy URL. For example, if CONNECT_PROXY_URL=https://example.com, the certificate must secure both example.com and *.example.com.
  - alb.ingress.kubernetes.io/load-balancer-attributes: The attributes of the ALB Load Balancer used in your Platform installation.
- Generate an RSA public/private key pair. A key size of at least 2048 bits is recommended. In the following example, the openssl command is used to generate the key pair:
    openssl genrsa -out private.pem 2048
    openssl rsa -pubout -in private.pem -out public.pem
- Download the data-studios-rsa.pem file and replace its contents with the content of your private and public key files created in the previous step, in the same order (private key on top, public key directly beneath it).
- Apply a base64 encoding to the PEM file that you created in the previous step, as a single line without wrapping:
    base64_pem=$(base64 < data-studios-rsa.pem | tr -d '\n')
- Create a secret file named secret.yml and set the oidc.pem key by pasting the contents of the base64-encoded public/private key pair:
    apiVersion: v1
    kind: Secret
    metadata:
      name: platform-oidc-certs
      namespace: platform-stage
    data:
      oidc.pem: <BASE64_ENCODED_PEM_FILE>
- Create the secret:
    kubectl apply -f secret.yml
- Edit the tower-svc.yml file and uncomment the volumes.cert-volume, volumeMounts.cert-volume, and env.TOWER_OIDC_PEM_PATH fields so that the public/private key pair is available to Platform.
- Edit the ConfigMap named platform-backend-cfg in the configmap.yml for Platform by editing the following environment variables:
  - TOWER_DATA_STUDIO_CONNECT_URL: The URL of the Studios connect proxy, such as https://connect.example.com/.
  - TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN: The same value as the oidc_registration_token value created previously.
- Edit the ConfigMap named tower-yml in the configmap.yml and include the following snippet:
    data:
      tower.yml: |-
        tower:
          data-studio:
            allowed-workspaces: null
- Apply the updated configuration:
    kubectl apply -f configmap.yml
- Apply the configuration change to Platform:
    kubectl apply -f tower-svc.yml
- Restart the cron service of your Platform deployment to load the updated configuration. For example:
    kubectl delete -f tower-cron.yml
    kubectl apply -f tower-cron.yml
- Restart the backend service of your Platform deployment to load the updated configuration. For example:
    kubectl scale --replicas=0 deployment/backend
    kubectl scale --replicas=1 deployment/backend
- Apply the Studios manifests:
    kubectl apply -f ingress.eks.yml -f proxy.yml -f server.yml
  It can take several minutes for Kubernetes to apply your changes, during which new pods are rolled out.
- To confirm that Studios is available, log in to your Platform instance and navigate to an organizational workspace that has Studios enabled. The Studios tab is included with the available tabs.
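An added example, not Seqera tooling, that checks the block order of the data-studios-rsa.pem file described in both procedures and produces the unwrapped base64 value for the oidc.pem key of the Secret. The helper names are hypothetical, the sample blocks are constructed and contain no real key material, and only the PEM structure is checked, not the keys themselves.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")
# openssl genrsa writes "PRIVATE KEY" (OpenSSL 3.x) or "RSA PRIVATE KEY" (1.x).
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}


def pem_labels(pem_text):
    """Return the labels of the PEM blocks in file order, validating each body."""
    labels = []
    for label, body in PEM_BLOCK.findall(pem_text):
        base64.b64decode("".join(body.split()), validate=True)  # raises if corrupt
        labels.append(label)
    return labels


def secret_value(pem_text):
    """Check the private-then-public order and return the oidc.pem value.

    The value is a single unwrapped base64 line, because line-wrapped base64
    does not survive as one YAML value in secret.yml.
    """
    labels = pem_labels(pem_text)
    if len(labels) != 2 or labels[0] not in PRIVATE_LABELS or labels[1] != "PUBLIC KEY":
        raise ValueError(f"expected private key then public key, found {labels}")
    return base64.b64encode(pem_text.encode()).decode()


def fake_block(label, payload):
    """Build a constructed PEM-shaped block; the body is NOT real key material."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


PRIVATE = fake_block("PRIVATE KEY", b"constructed private key bytes")
PUBLIC = fake_block("PUBLIC KEY", b"constructed public key bytes")

if __name__ == "__main__":
    print(pem_labels(PRIVATE + PUBLIC))
    print(secret_value(PRIVATE + PUBLIC))
```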