Hey Flyte on Azure warriors wave I am now at the point where

Question

Hey Flyte on Azure warriors wave I am now at the point where i have a healthy Flyte deployment on Azure with ingress and tls in place With the custom stow storage configuration for azure i am also able to run simple workflows To make it work i needed to set env variables `AZURE STORAGE ACCOUNT NAME` `AZURE STORAGE ACCOUNT KEY` in the pods that run my Flyte Tasks In the future i would like to use w<https github com flyteorg flyte issues 3962|orkload identities instead of storage account keys> but thats another topic My Question Is it even possible to connect to 2 different azure storage accounts with flytekit fsspec and the way flyte works What i have in mind is having a cluster storage account for Flyte metadata and a some user storage account where i upload and download user data via Flytefile Flytedirectories Hope this made sense slightly smiling face

Thomas Newton · Answer

Did you make any progress on this I ve been working on the same problem I found that setting `AZURE STORAGE ACCOUNT NAME` and `AZURE STORAGE ACCOUNT KEY` cause varying levels of disruption to other libraries that try to authenticate to Azure I concluded that I can t accept a solution that sets any pod level Azure auth e g standard environment variables I can think of 2 ways to do this 1 Use a single credential and fix so that Azure default credentials works in flyte a Use your fix from b Fix how paths and fsspec filesystems are managed so that it extracts the storage account name from the path c Use one role based authentication method e g service principal or workload identity for everything in the pod d This almost worked apart from the `outputPrefix` is not a valid Azure fsspec path It looks like its ` configmap remoteData schema storage custom container configmap cor propeller metadata prefix some unique ID ` but a valid path would look something like `abfs lt container gt lt storage account gt lt path within container gt ` I think this is generated somewhere in flytepropellor 2 Add explicit Azure storage configs that don t overlap with Azure defaults a Add an Azure config similar to `GCSConfig` and `S3Config` that has authentication attributes b Set the new flyte specific Azure config options using the pod template c Tasks are now free to use whatever azure authentication they like for everything else d For flyte s authentication we can use any method that does not require pod level configuration e g pod identity or workload identity e I actually have a working version of this Use `FLYTE AZURE ACCOUNT NAME` and `FLYTE AZURE ACCOUNT KEY` environment variables

Thomas Newton · Answer

cc < Victor Delépine> and maybe < Yee> is interested too

Jan Fiedler · Answer

Definitely sounds like the right approach Haven t found time yet to tackle this and won t until mid of next week

Jan Fiedler · Answer

Hey Tom i am back from vacation Im interested what do you think about my <https github com flyteorg flyte issues 3962 issuecomment 1725840937|comment>