Intelligent Compute

Preview

Seqera Intelligent Compute is in preview and must be enabled for your organization by Seqera before you can use it. Contact your account manager to request access.

caution

Intelligent Compute may assign different CPU and memory values to tasks than those specified in your pipeline's process directives. The scheduler selects the most cost-effective instance that meets each task's resource request rather than provisioning exactly what the directive specifies.

Intelligent Compute is supported on AWS Cloud compute environments only.

What is Intelligent Compute

Intelligent Compute is a scheduling service that runs Nextflow pipelines on a Seqera-managed Amazon ECS cluster. It allocates compute resources based on what each task actually needs rather than what the pipeline requests, reducing cost and improving utilization across a run.

Unlike the standard AWS Cloud compute environment, which runs a pipeline on a single EC2 instance with a local executor, Intelligent Compute provisions and manages multi-node clusters. This allows pipelines to scale beyond a single instance while preserving fast startup times.

When Intelligent Compute is enabled on an AWS Cloud compute environment, Seqera provisions and manages the following resources in your AWS account on first use:

• An Amazon ECS cluster per compute environment configuration
• ECS capacity providers (Managed Instances or Auto Scaling Groups)
• ECS task definitions per container image and resource shape
• IAM roles for ECS task execution, EC2 instance profiles, and infrastructure management
• CloudWatch log groups under /seqera/sched

All managed resources use the seqera-sched- prefix. Seqera creates them on first use and removes them automatically when no longer needed.

IAM permissions

In addition to the standard AWS Cloud IAM permissions, Intelligent Compute requires an additional policy attached to the same IAM user or role that Seqera uses to access your AWS account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECSScopedOperations",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeleteCluster",
        "ecs:DescribeClusters",
        "ecs:PutClusterCapacityProviders",
        "ecs:CreateCapacityProvider",
        "ecs:DeleteCapacityProvider",
        "ecs:DescribeCapacityProviders",
        "ecs:RunTask",
        "ecs:StopTask",
        "ecs:DescribeTasks",
        "ecs:DescribeContainerInstances",
        "ecs:TagResource"
      ],
      "Resource": "arn:aws:ecs:*:*:*/seqera-sched-*"
    },
    {
      "Sid": "ECSUnscopedOperations",
      "Effect": "Allow",
      "Action": [
        "ecs:RegisterTaskDefinition",
        "ecs:DeregisterTaskDefinition",
        "ecs:DescribeTaskDefinition",
        "ecs:ListTaskDefinitions",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:ListTasks"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMRoleManagement",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:DeleteRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:ListRolePolicies",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:CreateInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::*:role/seqera-sched-*",
        "arn:aws:iam::*:instance-profile/seqera-sched-*"
      ]
    },
    {
      "Sid": "PassRoleToECS",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/seqera-sched-*",
        "arn:aws:iam::*:role/TowerForge-*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ecs-tasks.amazonaws.com",
            "ecs.amazonaws.com",
            "ec2.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "ServiceLinkedRoles",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "ecs.amazonaws.com",
            "ecs-compute.amazonaws.com",
            "autoscaling.amazonaws.com",
            "spot.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:TagResource"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/seqera/sched*"
    },
    {
      "Sid": "EC2NetworkDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeInstances",
        "ec2:CreateSecurityGroup",
        "ec2:CreateVpcEndpoint",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3Access",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ASGEC2Operations",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceTypes",
        "ec2:CreateLaunchTemplate",
        "ec2:DeleteLaunchTemplate",
        "ec2:RunInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ASGManagement",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*"
    },
    {
      "Sid": "ASGDescribe",
      "Effect": "Allow",
      "Action": "autoscaling:DescribeAutoScalingGroups",
      "Resource": "*"
    },
    {
      "Sid": "SSMECSOptimizedAmi",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*"
    },
    {
      "Sid": "CostExplorer",
      "Effect": "Allow",
      "Action": "ce:GetCostAndUsage",
      "Resource": "*"
    }
  ]
}

Download aws-cloud-intelligent-compute-policy.json

What each permission group does

Group	Purpose
ECSScopedOperations	Create, delete, describe, and tag ECS clusters, capacity providers, and tasks. Scoped to seqera-sched-* resources.
ECSUnscopedOperations	Register, deregister, list, and describe ECS task definitions. ECS task definition APIs do not support resource-level permissions.
IAMRoleManagement	Create, update, and delete IAM roles and instance profiles scoped to seqera-sched-*. Seqera creates four role types on first use: execution role, infrastructure role, per-cluster instance role, and per-cluster task role.
PassRoleToECS	Pass seqera-sched-* and TowerForge-* roles to ECS, ECS tasks, and EC2. Required to attach roles to ECS infrastructure and task definitions.
ServiceLinkedRoles	Create service-linked roles for ECS, autoscaling, and Spot. Required only if these roles do not already exist in your account.
CloudWatchLogs	Create and manage log groups under /seqera/sched, and read log events. Task stdout and stderr are written to CloudWatch.
EC2NetworkDiscovery	Describe VPCs, subnets, security groups, and route tables. Create security groups and VPC endpoints. Used for VPC auto-discovery and network setup.
ECRAccess	Authorize ECR and pull container images. ECS tasks pull images from ECR.
S3Access	Read objects and list buckets. Used to read Fusion trace files and pipeline work directory content.
ASGEC2Operations	Describe instance types and create or delete EC2 launch templates. Required only for Auto Scaling Group-backed clusters.
ASGManagement	Create, update, and delete Auto Scaling Groups scoped to seqera-sched-*. Required only for Auto Scaling Group-backed clusters.
ASGDescribe	Describe Auto Scaling Groups. Required only for Auto Scaling Group-backed clusters.
SSMECSOptimizedAmi	Read the ECS-optimized AMI ID from SSM Parameter Store. Used to look up the latest Amazon Linux 2023 ECS-optimized AMI.
CostExplorer	Query ce:GetCostAndUsage. Used to display cost predictions at pipeline launch. If this permission is absent, cost predictions do not appear. No error is surfaced to users.

Conditional statements:

• ASGEC2Operations, ASGManagement, and ASGDescribe are required only if Auto Scaling Group-backed clusters are enabled. You can omit them for Managed Instances deployments.
• ServiceLinkedRoles is required only if the listed service-linked roles do not already exist in your AWS account.
• CostExplorer is required only if you want cost predictions shown at pipeline launch.

Create the additional IAM policy

1. Open the AWS IAM console.
2. Select Policies under Access management, then select Create policy.
3. Select the JSON tab and paste the Intelligent Compute policy.
4. Select Next, enter a name (for example, SeqeraIntelligentComputePolicy), then select Create policy.
5. Attach the policy to the same IAM user or role that Seqera uses for your AWS Cloud compute environment.

Set up an AWS Cloud compute environment with Intelligent Compute

Confirm with your account manager that Intelligent Compute is enabled for your organization before proceeding.

1. In your Seqera workspace, select Compute Environments, then Add compute environment.
2. Enter a name and select AWS Cloud as the platform.
3. Select your AWS credentials. The credential must have both the standard AWS Cloud permissions and the Intelligent Compute permissions attached.
4. Select the Region where the ECS cluster will be provisioned.
5. Enter a Work directory (S3 URI, for example s3://my-bucket/work).
6. Under Intelligent Compute, enable the Seqera Intelligent Compute toggle.
7. Configure the Intelligent Compute options below as needed.
8. Select Add.

Seqera validates credentials and configuration on save. On first use, it provisions the required IAM roles and ECS cluster in your account. Provisioning is automatic and does not require additional steps.

Resource metrics

The Metrics tab for a workflow run on Intelligent Compute shows three resource values for CPU and memory: Requested, Allocated, and Used.

Metric	Source	What it represents
Requested	Pipeline process directives	The CPU and memory your pipeline asked for, as written in your process directives (for example, cpus = 4, memory = 8 GB).
Allocated	Scheduler decision	The CPU and memory the scheduler actually assigned to the task container. Intelligent Compute may assign values different from what was requested — it selects the most cost-effective instance shape that satisfies the task's requirements.
Used	Nextflow trace data	The CPU and memory the task actually consumed, measured from Nextflow's trace metrics (pcpu × realtime for CPU, peakRss for memory). Requires Fusion to be enabled. Absent for tasks that did not produce trace data.

How to read the numbers:

• If Requested is much higher than Allocated, the scheduler found a more efficient instance shape than your directives implied.
• If Allocated is much higher than Used, the task ran with significant idle headroom. You may be able to reduce your process resource directives on future runs to lower cost.
• If Used is close to Allocated, resource utilization is near-optimal for that task.

Configuration options

Option	Values	Default	Description
Seqera Intelligent Compute	Enabled / Disabled	Disabled	Enables the Intelligent Compute scheduler for this compute environment. This option only appears if Intelligent Compute is enabled for your organization.
Provisioning model	spotFirst, spot, ondemand	spotFirst	Instance procurement strategy. spotFirst uses Spot instances and falls back to On-Demand if Spot capacity is unavailable. spot uses Spot instances only. ondemand uses On-Demand instances only.
Instance types	Comma-separated EC2 instance type identifiers (for example, m5.xlarge, c5.2xlarge)	Empty	Restricts which instance types the scheduler can select. When empty, the scheduler selects the most cost-effective type for each task automatically. Specifying types here overrides automatic selection.

Task and run statuses

Task statuses

Status	Description
SUBMITTED	Task is queued or submitted to the compute backend.
RUNNING	Task is actively executing on a compute instance.
SUCCEEDED	Task completed with exit code 0.
FAILED	Task failed. This covers non-retriable execution failures (non-zero exit code, container startup errors) and spot quota exhaustion after retries are exhausted.
CANCELLED	Task was cancelled by the user.
PREEMPTED	The Spot instance running this task was reclaimed by AWS. The scheduler retries the task automatically. If the retry limit is reached, the task transitions to FAILED.
UNSCHEDULABLE	No instance type could satisfy the task's placement constraints. This occurs when the requested resources exceed what any available instance type can provide, or when specified instance types are unavailable in the region. Check your Instance types configuration and the cpus and memory directives in the failing process.
UNKNOWN	Task status could not be determined, typically due to a transient backend failure.

Run statuses

Status	Description
ACTIVE	The run is in progress.
TERMINATING	The run is shutting down — final tasks are completing or being cancelled.
TERMINATED	The run ended normally.
FAILED	The run failed.
DANGLING	The Nextflow process stopped sending heartbeats. This typically means the launcher process crashed or lost connectivity. Tasks already dispatched to ECS may still be running. Check CloudWatch logs under /seqera/sched for details.