From 685d41845c735368381b5bced80c60028625591f Mon Sep 17 00:00:00 2001 From: Mark P Date: Tue, 14 Oct 2025 11:20:58 -0400 Subject: [PATCH] docs: clarification on scoping list secret for secrets --- platform-cloud/docs/secrets/overview.md | 7 +++++++ platform-enterprise_docs/secrets/overview.md | 7 +++++++ .../version-23.2/secrets/overview.md | 7 +++++++ .../version-23.3/secrets/overview.md | 7 +++++++ .../version-23.4/secrets/overview.md | 7 +++++++ .../version-24.1/secrets/overview.md | 7 +++++++ .../version-24.2/secrets/overview.md | 7 +++++++ .../version-25.1/secrets/overview.md | 7 +++++++ .../version-25.2/secrets/overview.md | 7 +++++++ 9 files changed, 63 insertions(+) diff --git a/platform-cloud/docs/secrets/overview.md b/platform-cloud/docs/secrets/overview.md index 35c05b2ec..7ba61f4ee 100644 --- a/platform-cloud/docs/secrets/overview.md +++ b/platform-cloud/docs/secrets/overview.md @@ -69,6 +69,13 @@ Augment the permissions given to Seqera with the following Sid: } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager. diff --git a/platform-enterprise_docs/secrets/overview.md b/platform-enterprise_docs/secrets/overview.md index 35c05b2ec..7ba61f4ee 100644 --- a/platform-enterprise_docs/secrets/overview.md +++ b/platform-enterprise_docs/secrets/overview.md 
@@ -69,6 +69,13 @@ Augment the permissions given to Seqera with the following Sid: } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager. diff --git a/platform-enterprise_versioned_docs/version-23.2/secrets/overview.md b/platform-enterprise_versioned_docs/version-23.2/secrets/overview.md index db68565a6..a7015ad69 100644 --- a/platform-enterprise_versioned_docs/version-23.2/secrets/overview.md +++ b/platform-enterprise_versioned_docs/version-23.2/secrets/overview.md 
@@ -59,6 +59,13 @@ Augment the existing Tower instance [permissions](https://github.com/seqeralabs/ } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager. diff --git a/platform-enterprise_versioned_docs/version-23.3/secrets/overview.md b/platform-enterprise_versioned_docs/version-23.3/secrets/overview.md index 3f7281041..d237367e2 100644 --- a/platform-enterprise_versioned_docs/version-23.3/secrets/overview.md +++ b/platform-enterprise_versioned_docs/version-23.3/secrets/overview.md 
@@ -65,6 +65,13 @@ Augment the permissions given to Seqera with the following Sid: } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager. diff --git a/platform-enterprise_versioned_docs/version-23.4/secrets/overview.md b/platform-enterprise_versioned_docs/version-23.4/secrets/overview.md index 35c05b2ec..7ba61f4ee 100644 --- a/platform-enterprise_versioned_docs/version-23.4/secrets/overview.md +++ b/platform-enterprise_versioned_docs/version-23.4/secrets/overview.md 
@@ -69,6 +69,13 @@ Augment the permissions given to Seqera with the following Sid: } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager. diff --git a/platform-enterprise_versioned_docs/version-24.1/secrets/overview.md b/platform-enterprise_versioned_docs/version-24.1/secrets/overview.md index 35c05b2ec..7ba61f4ee 100644 --- a/platform-enterprise_versioned_docs/version-24.1/secrets/overview.md +++ b/platform-enterprise_versioned_docs/version-24.1/secrets/overview.md 
@@ -69,6 +69,13 @@ Augment the permissions given to Seqera with the following Sid: } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager. diff --git a/platform-enterprise_versioned_docs/version-24.2/secrets/overview.md b/platform-enterprise_versioned_docs/version-24.2/secrets/overview.md index 35c05b2ec..7ba61f4ee 100644 --- a/platform-enterprise_versioned_docs/version-24.2/secrets/overview.md +++ b/platform-enterprise_versioned_docs/version-24.2/secrets/overview.md 
@@ -69,6 +69,13 @@ Augment the permissions given to Seqera with the following Sid: } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager. diff --git a/platform-enterprise_versioned_docs/version-25.1/secrets/overview.md b/platform-enterprise_versioned_docs/version-25.1/secrets/overview.md index 35c05b2ec..7ba61f4ee 100644 --- a/platform-enterprise_versioned_docs/version-25.1/secrets/overview.md +++ b/platform-enterprise_versioned_docs/version-25.1/secrets/overview.md 
@@ -69,6 +69,13 @@ Augment the permissions given to Seqera with the following Sid: } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager. diff --git a/platform-enterprise_versioned_docs/version-25.2/secrets/overview.md b/platform-enterprise_versioned_docs/version-25.2/secrets/overview.md index 35c05b2ec..7ba61f4ee 100644 --- a/platform-enterprise_versioned_docs/version-25.2/secrets/overview.md +++ b/platform-enterprise_versioned_docs/version-25.2/secrets/overview.md 
@@ -69,6 +69,13 @@ Augment the permissions given to Seqera with the following Sid: } ``` +:::note +If you plan to limit the scope of this IAM policy, please ensure that the ListSecrets action remains granted on all resources (`"Resource": "*"`). +Otherwise, the Seqera Platform will be unable to delete secrets, which can cause workflows to remain in a running (stuck) state. + +For more details, see the AWS documentation: [AWS Secrets Manager actions and permissions reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) +::: + ### ECS Agent permissions The ECS Agent uses the [Batch Execution role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html#create-execution-role) to communicate with AWS Secrets Manager.
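Review bot: the note added in all nine hunks tells the reader to keep ListSecrets on `"Resource": "*"` but not why, so someone tightening the policy to their secret ARNs will reasonably treat the wildcard as a preference rather than a requirement. Per the Service Authorization reference the hunk links to, ListSecrets is a list-level action with no resource type, so IAM can only evaluate it against `*`; scoping it to an ARN denies every list call, and the symptom the note describes (deletes failing, workflows stuck) is presumably the downstream effect of that denial. Suggest stating that reason, writing the action in its IAM form in backticks (`secretsmanager:ListSecrets`), and showing the intended policy shape so readers can scope everything else safely: one statement with `"Action": "secretsmanager:ListSecrets"` and `"Resource": "*"`, and a separate statement holding the resource-level actions restricted to the secret ARN prefix. Two style points while here: the surrounding docs use the imperative ("Augment the permissions given to Seqera..."), so "ensure that" reads better without "please"; and the hunk leaves a blank line after the closing `:::` but none between the preceding closing fence and `+:::note`, so add one for symmetry.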
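Review bot: in the version-23.2 hunk the inserted note refers to "the Seqera Platform" while the context line it sits under still reads "Augment the existing Tower instance [permissions]". The 23.2 docs use the Tower name, so either the note should say "Tower" in that file or the surrounding sentence should be updated alongside it; as committed, the same page names the product two different ways within a few lines.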