seqeralabs · gavinelder · Apr 27, 2026 · May 14, 2026
diff --git a/platform-cloud/cloud-sidebar.json b/platform-cloud/cloud-sidebar.json
@@ -31,7 +31,103 @@
       },
       {
         "type": "category",
-        "label": "Credentials",
+        "label": "Integrations",
+        "link": {"type": "doc", "id": "integrations/overview"},
+        "collapsed": true,
+        "items": [
+          {
+            "type": "category",
+            "label": "Cloud providers",
+            "link": {"type": "doc", "id": "integrations/cloud-providers/overview"},
+            "collapsed": true,
+            "items": [
+              {
+                "type": "category",
+                "label": "AWS",
+                "link": {"type": "doc", "id": "integrations/cloud-providers/aws/overview"},
+                "collapsed": true,
+                "items": [
+                  "integrations/cloud-providers/aws/iam-policies",
+                  "integrations/cloud-providers/aws/credentials",
+                  "integrations/cloud-providers/aws/data-access",
+                  "integrations/cloud-providers/aws/eks-additions",
+                  "integrations/cloud-providers/aws/manual-setup"
+                ]
+              },
+              {
+                "type": "category",
+                "label": "Azure",
+                "link": {"type": "doc", "id": "integrations/cloud-providers/azure/overview"},
+                "collapsed": true,
+                "items": [
+                  "integrations/cloud-providers/azure/roles-and-service-principals",
+                  "integrations/cloud-providers/azure/credentials",
+                  "integrations/cloud-providers/azure/storage-access",
+                  "integrations/cloud-providers/azure/manual-setup"
+                ]
+              },
+              {
+                "type": "category",
+                "label": "Google Cloud",
+                "link": {"type": "doc", "id": "integrations/cloud-providers/google/overview"},
+                "collapsed": true,
+                "items": [
+                  "integrations/cloud-providers/google/iam",
+                  "integrations/cloud-providers/google/credentials",
+                  "integrations/cloud-providers/google/storage-access"
+                ]
+              }
+            ]
+          },
+          {
+            "type": "category",
+            "label": "Git providers",
+            "link": {"type": "doc", "id": "integrations/git-providers/overview"},
+            "collapsed": true,
+            "items": [
+              "integrations/git-providers/github",
+              "integrations/git-providers/gitlab",
+              "integrations/git-providers/bitbucket",
+              "integrations/git-providers/gitea",
+              "integrations/git-providers/azure-devops",
+              "integrations/git-providers/codecommit",
+              "integrations/git-providers/multiple-credentials",
+              "integrations/git-providers/seqera-ai"
+            ]
+          },
+          {
+            "type": "category",
+            "label": "Container registries",
+            "link": {"type": "doc", "id": "integrations/container-registries/overview"},
+            "collapsed": true,
+            "items": [
+              "integrations/container-registries/aws",
+              "integrations/container-registries/azure",
+              "integrations/container-registries/docker-hub",
+              "integrations/container-registries/gitea",
+              "integrations/container-registries/github",
+              "integrations/container-registries/gitlab",
+              "integrations/container-registries/google",
+              "integrations/container-registries/quay"
+            ]
+          },
+          "integrations/data-sources/overview",
+          {
+            "type": "category",
+            "label": "Identity & access",
+            "collapsed": true,
+            "items": [
+              "integrations/identity/managed-identities",
+              "integrations/identity/ssh-credentials"
+            ]
+          },
+          "integrations/agent/credentials"
+        ]
+      },
+      {
+        "type": "category",
+        "label": "Credentials (legacy)",
+        "collapsed": true,
         "items": [
           "credentials/overview",
           "git/overview",

diff --git a/platform-cloud/docs/integrations/agent/credentials.md b/platform-cloud/docs/integrations/agent/credentials.md
@@ -0,0 +1,28 @@
+---
+title: "Tower Agent credentials"
+description: "Create Tower Agent credentials in Seqera Platform."
+date created: "2023-04-21"
+last updated: "2025-10-21"
+tags: [agent, credentials]
+---
+
+[Tower Agent](/platform-cloud/supported_software/agent/overview) enables Seqera Platform to launch pipelines on HPC clusters that do not allow direct access through an SSH client. Tower Agent authenticates a secure connection with Seqera using a Tower Agent credential.
+
+## Tower Agent sharing
+
+You can share a single Tower Agent instance with all members of a workspace. Create a Tower Agent credential, with **Shared agent** enabled, in the relevant workspace. All workspace members can then use this credential (Connection ID + Seqera access token) to use the same Tower Agent instance.
+
+## Create a Tower Agent credential
+
+1.  Add your credentials to your organization or personal workspace:
+    - From an organization workspace: Go to **Credentials > Add Credentials**.
+    - From your personal workspace: From the user menu, go to **Your credentials > Add credentials**.
+
+2.  Complete the following fields:
+    - **Name**: Specify a unique name for the credentials using alphanumeric characters, dashes, or underscores. For example, `my-agent-creds`.
+    - **Provider**: Select **Tower Agent**.
+    - **Agent connection ID**: The connection ID used to run your Tower Agent instance. Must match the connection ID used when running the Agent (see **Usage** below).
+    - **Shared agent**: Enables Tower Agent sharing for all workspace members.
+    - **Usage**: Populates a code snippet for Tower Agent download with your connection ID. Replace `<TOKEN_NAME>` with your [Seqera access token](https://docs.seqera.io/platform-api/create-token).
+
+3. After you've completed all the form fields, select **Add**. The new credential is now listed under the **Credentials** tab.
diff --git a/platform-cloud/docs/integrations/cloud-providers/aws/credentials.md b/platform-cloud/docs/integrations/cloud-providers/aws/credentials.md
@@ -0,0 +1,152 @@
+---
+title: "AWS credentials"
+description: "Create the IAM policy, IAM user, and IAM role for Seqera Platform on AWS, and add credentials in Seqera."
+tags: [aws, iam, credentials, integration]
+---
+
+This page covers how to create the IAM policy, IAM user, and IAM role in AWS, then add the resulting credentials to Seqera Platform. The same procedure applies to AWS Batch, AWS Cloud, and Amazon EKS compute environments — only the underlying [IAM policy](./iam-policies) differs.
+
+## Create the IAM policy
+
+The policy must be created in the AWS account where the Seqera-managed AWS resources will live.
+
+1. Open the [AWS IAM console](https://console.aws.amazon.com/iam) in the target AWS account.
+1. From the left navigation menu, select **Policies** under **Access management**.
+1. Select **Create policy**.
+1. On the **Policy editor** section, select the **JSON** tab.
+1. Replace the default text with a policy adapted to your use case (see [IAM policies](./iam-policies)), then select **Next**.
+1. Enter a name and description on the **Review and create** page, then select **Create policy**.
+
+## IAM user creation
+
+Seqera requires an IAM user to manage AWS resources in your account. We recommend creating a separate IAM policy rather than an IAM user inline policy — inline policies allow only 2,048 characters, which may not be sufficient for the required permissions.
+
+When multiple users need to access the same AWS account, create an [IAM role](#iam-role-creation-optional) with the required permissions instead and let the IAM user assume that role.
+
+### Create an IAM user
+
+1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select **Create User** at the top right.
+1. Enter a name (e.g., `seqera`) and select **Next**.
+1. Under **Permission options**, select **Attach policies directly**, then search for and select the policy you created above. Select **Next**.
+   - To make the IAM user assume a role to manage AWS resources (see [IAM role creation (optional)](#iam-role-creation-optional)), instead create a policy with the following content (edit the AWS principal with the role's ARN) and attach it to the IAM user:
+
+   ```json
+   {
+     "Sid": "AssumeRoleToManageBatchResources",
+     "Effect": "Allow",
+     "Action": "sts:AssumeRole",
+     "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>",
+     "Condition": {
+       "StringEquals": {
+         "sts:ExternalId": "<EXTERNAL_ID>"
+       }
+     }
+   }
+   ```
+1. On the last page, review the user details and select **Create user**.
+
+For more details, see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html).
+
+### Obtain IAM user credentials
+
+1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Users** in the left navigation menu, then select the newly created user.
+1. Select the **Security credentials** tab, then select **Create access key** under the **Access keys** section.
+1. In the **Use case** dialog, select **Command line interface (CLI)**, tick the confirmation checkbox, and select **Next**.
+1. Optionally provide a description, then select **Create access key**.
+1. Save the **Access key** and **Secret access key** in a secure location — you will provide them when creating credentials in Seqera.
+
+## IAM role creation (optional)
+
+Rather than attaching permissions directly to the IAM user, create an IAM role with the required permissions and let the IAM user assume that role. This is useful when multiple IAM users access the same AWS account: actual permissions to operate on resources are granted only to a single centralized role.
+
+1. From the [AWS IAM console](https://console.aws.amazon.com/iam), select **Roles** in the left navigation menu, then select **Create role**.
+1. Select **Custom trust policy** as the type of trusted entity. Provide the following policy and edit the AWS principal with the IAM user ARN:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": [
+              "arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
+            ]
+         },
+         "Action": "sts:AssumeRole",
+         "Condition": {
+           "StringEquals": {
+             "sts:ExternalId": "<EXTERNAL_ID>"
+           }
+         }
+       },
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": [
+              "arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
+            ]
+         },
+         "Action": "sts:TagSession"
+       }
+     ]
+   }
+   ```
+
+1. On the **Permissions** page, search for and select the policy created in [IAM user creation](#iam-user-creation). Select **Next**.
+1. Give the role a name and optionally a description and tags, then select **Create role**.
+
+Multiple users can be specified in the trust policy by adding more ARNs to the `Principal` section.
+
+:::note
+Seqera Platform generates the `External ID` value during AWS credential creation. For role-based credentials, use this exact value in your IAM trust policy (`sts:ExternalId`).
+:::
+
+### Role-based trust policy example (Seqera Cloud)
+
+For role-based AWS credentials in Seqera Cloud, allow the Seqera Cloud access role `arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole` in your trust policy and enforce the External ID generated during credential creation:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "<ExternalId>"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::161471496260:role/SeqeraPlatformCloudAccessRole"
+      },
+      "Action": "sts:TagSession"
+    }
+  ]
+}
+```
+
+## AWS credential options
+
+AWS credentials can be configured in two ways:
+
+- **Key-based credentials**: Access key and secret key with direct IAM permissions. If you provide a role ARN in **Assume role**, the **Generate External ID** switch is displayed and External ID generation is optional.
+- **Role-based credentials (recommended)**: Use role assumption only (no static keys). Paste the IAM role ARN in **Assume role**. External ID is generated automatically when you save.
+
+The **Assume role** field is available for both modes. It is optional for key-based credentials and required for role-based credentials.
+
+Existing credentials created before March 2026 continue to work without changes.
+
+## Next steps
+
+- [Set up S3, EFS, or FSx work directories](./data-access).
+- For Amazon EKS, complete [Kubernetes RBAC and Service Account setup](./eks-additions).
+- For AWS Batch with manually-managed resources, see [AWS Batch manual setup](./manual-setup).
+- Add the credentials to Seqera Platform: see [the AWS Batch compute environment guide](/platform-cloud/compute-envs/aws-batch) (or [AWS Cloud](/platform-cloud/compute-envs/aws-cloud) / [EKS](/platform-cloud/compute-envs/eks)) for the in-product steps.
diff --git a/platform-cloud/docs/integrations/cloud-providers/aws/data-access.md b/platform-cloud/docs/integrations/cloud-providers/aws/data-access.md
@@ -0,0 +1,61 @@
+---
+title: "AWS data access"
+description: "S3 bucket, EFS, and FSx prerequisites for Seqera Platform on AWS."
+tags: [aws, s3, efs, fsx, integration]
+---
+
+Set up an S3 bucket, EFS, or FSx file system to use as the Nextflow work directory and to store input and output data. The IAM permissions to access these resources are documented in [AWS IAM policies](./iam-policies#s3-access-optional).
+
+## S3 bucket creation
+
+AWS S3 (Simple Storage Service) is a type of **object storage**. Use one or more **S3 buckets** to access input and output files with [Studios](/platform-cloud/studios/overview) and [Data Explorer](/platform-cloud/data/data-explorer). An S3 bucket can also store intermediate Nextflow files, as an alternative to EFS or FSx.
+
+:::note
+EFS and FSx work directories are incompatible with Studios.
+:::
+
+1. Navigate to the [AWS S3 console](https://console.aws.amazon.com/s3/home).
+1. In the top right, select the same region where you plan to create your AWS Batch compute environment.
+1. Select **Create bucket**.
+1. Enter a unique name for your bucket.
+1. Leave the rest of the options as default and select **Create bucket**.
+
+:::note
+Nextflow uses S3 to store intermediate files. In production pipelines, this can amount to a lot of data. Consider a retention policy to automatically delete intermediate files after 30 days. See the [AWS documentation](https://aws.amazon.com/premiumsupport/knowledge-center/s3-empty-bucket-lifecycle-rule/) for more information.
+:::
+
+## EFS or FSx file system creation
+
+[AWS Elastic File System (EFS)](https://aws.amazon.com/efs/) and [AWS FSx for Lustre](https://aws.amazon.com/fsx/lustre/) are types of **file storage** that can be used as a Nextflow work directory, as an alternative to S3 buckets.
+
+:::note
+EFS and FSx work directories are incompatible with Studios.
+:::
+
+To use EFS or FSx as your Nextflow work directory, create the file system in the same region as your AWS Batch compute environment.
+
+You can let Seqera create EFS or FSx automatically when creating the AWS Batch compute environment, or create them manually. If Seqera creates the file system, it is also deleted when the compute environment is removed from Platform, unless **Dispose Resources** is disabled in the advanced options.
+
+### Creating an EFS file system
+
+To create an EFS file system manually, visit the [EFS console](https://console.aws.amazon.com/efs/home).
+
+1. Select **Create file system**.
+1. Optionally give it a name, then select the VPC where your AWS Batch compute environment will be created.
+1. Leave the rest of the options as default and select **Create file system**.
+
+### Creating an FSx file system
+
+To create an FSx for Lustre file system manually, visit the [FSx console](https://console.aws.amazon.com/fsx/home).
+
+1. Select **Create file system**.
+1. Select **FSx for Lustre**.
+1. Follow the prompts to configure the file system, then select **Next**.
+1. Review the configuration and select **Create file system**.
+
+Make sure the [Lustre client](https://docs.aws.amazon.com/fsx/latest/LustreGuide/install-lustre-client.html) is available in the AMIs used by your AWS Batch compute environment to mount FSx file systems.
+
+## Next steps
+
+- [Configure required IAM permissions for S3, EFS, and FSx](./iam-policies#s3-access-optional).
+- Create your [AWS Batch compute environment](/platform-cloud/compute-envs/aws-batch) and reference the bucket or file system as the work directory.