# flyte-on-gcp
a
Hey everyone! I have a question regarding RBAC in Flyte (I know it’s not supported). How do you manage permissions for different domains (development, staging, production)?
f
Workload identities and dedicated gcp + k8s service accounts for the different domains.
This guide is quite helpful
a
I saw that’s v.1.0.0, is it up to date?
Thanks for the answer!
f
I can’t say for sure about the entire guide but the workload identity setup is what we use in production.
Works well.
a
So you configure this binding somewhere in the chart values?
```yaml
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        - development:
          - projectQuotaCpu:
              value: "5"
          - projectQuotaMemory:
              value: 4000Mi
          - defaultIamRole:
              value: XXX@PROJECT_ID.iam.gserviceaccount.com
```
f
```yaml
flytepropeller:
  serviceAccount:
    create: true
    annotations:
      # Needed for gcp workload identity to function
      # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
      iam.gke.io/gcp-service-account: gsa-flytepropeller@{{ .Values.userSettings.googleProjectId }}.iam.gserviceaccount.com
```
We have something like this in our helm values for each service
+ creation of gcp service accounts and workload identity binding via terraform.
a
Because as far as I understand, this is the access of the services (flyteadmin, flytepropeller etc.), not for users logging into Flyte
I totally agreed, this is exactly what I did (even with Terraform)
But I’m trying to give the developer team “admin” access (register and run a workflow) on non-prod domain, but “view-only” for prod domain…
Or you don’t work that way?
f
Mh no we don’t 😕