dry-ability-69144 [05/18/2023, 1:15 PM]
values.yaml to change the default service account? I have tried k8sServiceAccount but it is not working...

dry-ability-69144 [05/18/2023, 1:22 PM]
values.yaml, it keeps using the default service account...

hallowed-mouse-14616 [05/18/2023, 2:45 PM]
values.yaml file?

dry-ability-69144 [05/18/2023, 2:47 PM]

dry-ability-69144 [05/18/2023, 2:47 PM]

hallowed-mouse-14616 [05/18/2023, 2:53 PM]

hallowed-mouse-14616 [05/18/2023, 2:53 PM]

dry-ability-69144 [05/18/2023, 2:55 PM]
k8sServiceAccount: service_account_name. Is that correct?

dry-ability-69144 [05/18/2023, 2:56 PM]
flyteadmin:
  roleNameKey: "iam.amazonaws.com/role"
  profilerPort: 10254
  metricsScope: "flyte:"
  metadataStoragePrefix:
    - "metadata"
    - "admin"
  eventVersion: 2
  testing:
    host: http://flyteadmin
  k8sServiceAccount: service_account_name

hallowed-mouse-14616 [05/18/2023, 2:58 PM]

thankful-minister-83577

thankful-minister-83577

dry-ability-69144 [05/18/2023, 4:24 PM]

thankful-minister-83577

dry-ability-69144 [05/18/2023, 4:25 PM]
default, I wanted to use service_account_name (just a name)

dry-ability-69144 [05/18/2023, 4:25 PM]

thankful-minister-83577

dry-ability-69144 [05/18/2023, 4:27 PM]

thankful-minister-83577

thankful-minister-83577

dry-ability-69144 [05/18/2023, 4:31 PM]
- key: aab_default_service_account
  value: |
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: flytepropeller
      namespace: {{ namespace }}
      annotations:
        # Needed for gcp workload identity to function
        # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
        iam.gke.io/gcp-service-account: {{ gsa }}

thankful-minister-83577

dry-ability-69144 [05/18/2023, 4:32 PM]

thankful-minister-83577

thankful-minister-83577

dry-ability-69144 [05/18/2023, 4:33 PM]

dry-ability-69144 [05/18/2023, 4:34 PM]

dry-ability-69144 [05/18/2023, 4:35 PM]

dry-ability-69144 [05/18/2023, 4:39 PM]
k8sServiceAccount

thankful-minister-83577

thankful-minister-83577

thankful-minister-83577

dry-ability-69144 [05/18/2023, 5:03 PM]

thankful-minister-83577

thankful-minister-83577

thankful-minister-83577

thankful-minister-83577

thankful-minister-83577

dry-ability-69144 [05/18/2023, 7:53 PM]

dry-ability-69144 [05/18/2023, 7:53 PM]

thankful-minister-83577
project: flytesnacks
# domain: development
security_context:
  run_as:
    k8s_service_account: myserviceaccount
(can uncomment the domain too if you want) and then run
flytectl -c ~/.flyte/yourconfig.yaml update workflow-execution-config --attrFile yourfile.yaml
then you can see it here
http://localhost:30080/api/v1/project_attributes/flytesnacks?resource_type=6
replacing your domain ofc. The 6 corresponds to the matchable type. If you uncomment the domain you’ll need to hit api/v1/project_domain_attributes and post-pend with the domain in the url. These endpoints should already be called by the frontend as well, so they should show up on the project page to confirm they’ve been set correctly.

dry-ability-69144 [05/18/2023, 8:06 PM]

dry-ability-69144 [05/30/2023, 4:49 PM]

elegant-toddler-67101 [06/01/2023, 4:21 PM]

elegant-toddler-67101 [06/01/2023, 4:27 PM]
cluster_resource_manager (which I attached), should I configure something more? In the config.yaml for pyflyte or in the values.yaml of the chart? It’s not documented straightforwardly…
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        # each key must match a Flyte domain name exactly (e.g. development, staging)
        - development:
            - projectQuotaCpu:
                value: "5"
            - projectQuotaMemory:
                value: 4000Mi
            - gsa:
                value: flyte@project_name.iam.gserviceaccount.com
        - staging:
            - projectQuotaCpu:
                value: "5"
            - projectQuotaMemory:
                value: 4000Mi
            - gsa:
                value: flyte@project_name@retrain-utils.iam.gserviceaccount.com
Thank you!

dry-ability-69144 [06/01/2023, 4:35 PM]
k8sServiceAccount value

dry-ability-69144 [06/01/2023, 4:35 PM]

elegant-toddler-67101 [06/01/2023, 4:38 PM]
k8sServiceAccount value?

elegant-toddler-67101 [06/01/2023, 4:39 PM]

dry-ability-69144 [06/01/2023, 4:40 PM]

dry-ability-69144 [06/01/2023, 4:41 PM]

elegant-toddler-67101 [06/01/2023, 5:47 PM]
details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
It is clearly not using the defined service account I configured in the values.yaml (which is flyte@project_name.iam.gserviceaccount.com)

dry-ability-69144 [06/01/2023, 6:00 PM]

elegant-toddler-67101 [06/04/2023, 12:09 PM]

elegant-toddler-67101 [06/04/2023, 12:09 PM]

elegant-toddler-67101 [06/08/2023, 2:35 PM]
pyflyte/flytectl it uses flyteadmin in order to get the gcs bucket. The error I got is: details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
I use workload identity (Flyte is running on GKE) and the access to the bucket is using a signed url. But this does not work with workload identity!
So I created a key.json for the IAM service account and added an env var called GCLOUD_OAUTH_CREDS which contains the path to the key.json file. Then pyflyte/flytectl work perfectly!