I would like to securely communicate with Flyte Admin (using Flytekit Remote or the gRPC service directly). I tried to wrap my head around the options, but the auth guide seems to be written with mostly end users (rather than services) in mind. Ideally, I would like to avoid any external IdPs and just have a static set of API keys (or even just a single API key, for now) set in flyte config / read from env variable. I stumbled on https://github.com/flyteorg/flyte/issues/3805 which makes me think this might be possible -- is it?
08/29/2023, 6:22 PM
Hey Petr, happy to help...
Have you configured SSO in Flyte? For user auth/interaction, I mean?
By default, flyte ships with an internal OAuth Authorization Server Implementation, you can configure credentials for client id and secrets in the config map. You can then use these in flytekit remote or flytectl or directly coding against the gRPC endpoint (not recommended)...
08/29/2023, 6:48 PM
Hi Haytham! I have not set up my GKE cluster yet, so I am still on the sandbox and exploring what's feasible.
I was hoping to avoid SSO for now and rely on rotating API keys, but if it's a hard requirement, I will set it up.
Based on what you say, I will be able to set up e.g. client is
with a secret that I can then share with my other api service, allowing it to use flytekit/etc. without going through OAuth flow?
08/31/2023, 5:43 PM
It's going through the OAuth flow, it's just a ClientCredentials OAuth flow which doesn't require a user to use the browser to click a button... but you are right yes!