# ask-the-community

Victor Gustavo da Silva Oliveira

05/18/2023, 1:15 PM
Hello all! Which variable should I set on my `values.yaml` to change the default service account? I have tried `k8sServiceAccount` but it is not working...
@Dan Rammer (hamersaw) it's only this that's keeping me from testing the things that we talked about. When I'm running the workflow, instead of using the service account that I've set in `values.yaml`, it keeps using the default service account...

Dan Rammer (hamersaw)

05/18/2023, 2:45 PM
that is the correct key, but probably set at the wrong location. can you show how you're setting it in the `values.yaml` file?

Victor Gustavo da Silva Oliveira

05/18/2023, 2:47 PM
Sure! Can I send you the .yaml files in DM?
Or we can schedule a call, if you prefer
cc @Yee correct?

Victor Gustavo da Silva Oliveira

05/18/2023, 2:55 PM
Yes, I'm setting it here, using `k8sServiceAccount: service_account_name`. Is that correct?
```yaml
flyteadmin:
  roleNameKey: "iam.amazonaws.com/role"
  profilerPort: 10254
  metricsScope: "flyte:"
  metadataStoragePrefix:
    - "metadata"
    - "admin"
  eventVersion: 2
  testing:
    host: flyteadmin
  k8sServiceAccount: service_account_name
```

Dan Rammer (hamersaw)

05/18/2023, 2:58 PM
That should be the correct place. Let me do some testing here quick.

Yee

05/18/2023, 4:23 PM
what do you mean by default service account?
the one that the users use or the one that flyte uses?

Victor Gustavo da Silva Oliveira

05/18/2023, 4:24 PM
The one that flyte uses

Yee

05/18/2023, 4:24 PM
and you’re on the flyte/flyte-core helm chart?

Victor Gustavo da Silva Oliveira

05/18/2023, 4:25 PM
When I launch a workflow, instead of `default`, I wanted to use `service_account_name` (just a name)
Yup, using flyte-core helm chart

Yee

05/18/2023, 4:25 PM
so you want to change the one that users use

Victor Gustavo da Silva Oliveira

05/18/2023, 4:27 PM
Ow, right! Sorry, yes
those values get sent to the template here

Victor Gustavo da Silva Oliveira

05/18/2023, 4:31 PM
Yeah, I've tried it, but with no success. I've tried this too:
```yaml
- key: aab_default_service_account
  value: |
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: flytepropeller
      namespace: {{ namespace }}
      annotations:
        # Needed for gcp workload identity to function
        # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
        iam.gke.io/gcp-service-account: {{ gsa }}
```

Yee

05/18/2023, 4:31 PM
what happens?

Victor Gustavo da Silva Oliveira

05/18/2023, 4:32 PM
It is still using the default service account

Yee

05/18/2023, 4:32 PM
why is the name “flytepropeller”?
user pods should use the default one

Victor Gustavo da Silva Oliveira

05/18/2023, 4:33 PM
It was the name set previously for the service account by a previous engineer, and I cannot change it...
I cannot change it because things can get messy if I do
Is this the service account that I need to change?
In the previous version, it was automatically set by `k8sServiceAccount`

Yee

05/18/2023, 4:54 PM
you can always check to see if the cluster resource controller is doing the right thing by creating a new project in flyte admin
when the cluster resource controller runs next it’ll create new namespaces, along with the service account
yeah that’s the user service account.

Victor Gustavo da Silva Oliveira

05/18/2023, 5:03 PM
I've just created a new project, uploaded the workflow, and got the same results

Yee

05/18/2023, 5:05 PM
can you check the definition of the service account? just to make sure the cluster creation side is working.
https://github.com/flyteorg/flyteadmin/pull/566 thank you @Dan Rammer (hamersaw) who found the issue
we’ll be cutting a patch release on monday
can you set the service account using matchable resources for now?
on the project level?

Victor Gustavo da Silva Oliveira

05/18/2023, 7:53 PM
Wow, so it has an issue? Cool
What do you mean by use matchable resources?

Yee

05/18/2023, 8:05 PM
Docs here, basically make a file that looks like
```yaml
project: flytesnacks
# domain: development
security_context:
  run_as:
    k8s_service_account: myserviceaccount
```
(can uncomment the domain too if you want) and then run
```shell
flytectl -c ~/.flyte/yourconfig.yaml update workflow-execution-config --attrFile yourfile.yaml
```
then you can see it here
```
http://localhost:30080/api/v1/project_attributes/flytesnacks?resource_type=6
```
replacing your domain ofc. The `6` corresponds to the matchable type. If you uncomment the domain you’ll need to hit `api/v1/project_domain_attributes` and post-pend with the domain in the url. these endpoints should already be called by the frontend as well so they should show up on the project page to confirm they’ve been set correctly

Victor Gustavo da Silva Oliveira

05/18/2023, 8:06 PM
Alright, I was setting the service account manually. Will do this instead. Thanks a lot you guys!
Guys, just an update: after the newest core versions, the service account is being set the right way. Thank you guys for this fast solution!

Ariel Kaspit

06/01/2023, 4:21 PM
Hey! I just encountered the same issue. Can I please ask which chart version you are using? @Victor Gustavo da Silva Oliveira
@Yee I’m also trying to configure the default service account for users (I deployed flyte chart on GKE). Except for the `cluster_resource_manager` (which I attached), should I configure something more? In the `config.yaml` for pyflyte or in the `values.yaml` of the chart? It’s not documented straight forward…
```yaml
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        # each entry is keyed by the Flyte domain name it applies to
        - development:
          - projectQuotaCpu:
              value: "5"
          - projectQuotaMemory:
              value: 4000Mi
          - gsa:
              value: flyte@project_name.iam.gserviceaccount.com
        - staging:
          - projectQuotaCpu:
              value: "5"
          - projectQuotaMemory:
              value: 4000Mi
          - gsa:
              value: flyte@project_name@retrain-utils.iam.gserviceaccount.com
```
Thank you!

Victor Gustavo da Silva Oliveira

06/01/2023, 4:35 PM
For me, what worked was updating the components version and setting the `k8sServiceAccount` value
There is an updated values file in the flyte repo

Ariel Kaspit

06/01/2023, 4:38 PM
Where did you set the `k8sServiceAccount` value?
In the values.yaml or the workflow/config?

Victor Gustavo da Silva Oliveira

06/01/2023, 4:40 PM
In the values.yaml
In the beginning of this thread, I've posted a snippet

Ariel Kaspit

06/01/2023, 5:47 PM
Hmm not sure I understand… The error I’m getting from running pyflyte is:
```
details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
```
It is clearly not using the defined serviceaccount I configured in the values.yaml (which is `flyte@project_name.iam.gserviceaccount.com`)

Victor Gustavo da Silva Oliveira

06/01/2023, 6:00 PM
In the workflow execution instance page, in the console, what service account name is shown?

Ariel Kaspit

06/04/2023, 12:09 PM
none!
Can you share with me please your configuration for helm values? Maybe I’m missing something…
I got the issue! When using `pyflyte/flytectl` it uses flyteadmin in order to get the gcs bucket. The error I got is:
```
details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
```
I use workload identity (Flyte is running on GKE) and the access to the bucket is using a signed url. But this does not work with workload identity! So I created a key.json for the IAM serviceaccount and added an env var called `GCLOUD_OAUTH_CREDS` which contains the path to the key.json file. Then, `pyflyte/flytectl` work perfectly!