Is there any recommendation for how to support pro...
# flyte-deploymentn
numerous-hamburger-7178
10/24/2023, 6:10 PMIs there any recommendation for how to support project specific IAM roles? e.g. right now, all flyte pods use
flyte-user-rolenumerous-hamburger-7178
10/24/2023, 6:16 PMI see that there's support for domains. https://github.com/flyteorg/flyte/blob/4fc4988400b9f448f61fe796d5252c1aa075fe6f/charts/flyte-core/values-eks.yaml#L343-L365 looks like you can specify roles for diff domains
f
freezing-airport-6809
10/24/2023, 6:58 PM
@numerous-hamburger-7178 every execution can use special iam roles, we recommend using service accounts for iam roles on eks
freezing-airport-6809
10/24/2023, 6:59 PM
just set the default service accounts
n
numerous-hamburger-7178
10/24/2023, 8:01 PMHow would I set it up so that a certain namespace uses a certain iam role?
numerous-hamburger-7178
10/24/2023, 8:03 PMOh, I can use podtemplate's serviceAccountName?
e
elegant-australia-91422
10/24/2023, 11:55 PMThe idea is that each (project, domain) pair defines a unique namespace, but you can have a common service account across thee namespaces so you don't need to set a different value in the pod template per project/domain pair.
elegant-australia-91422
10/24/2023, 11:56 PMWe also have an additional requirement that we're building towards where writes to our data warehouse will require scoped credentials, but in that case we're planning on using an init container (where the init container has broader permissions but generates scoped credentials to a specific s3 prefix), and then mounts that in the main workflow container. That way, the user-controlled application code can only write to a specific location in our bucket but we can use a common serviceaccount for the pod across the board (in this case, however, we likely won't use IRSA)
n
numerous-hamburger-7178
10/25/2023, 1:00 AMIn this case, I would like to set different service accounts across projects.
numerous-hamburger-7178
10/25/2023, 1:00 AMWould the right approach be defining the service accounts in PodTemplates?
f
freezing-airport-6809
10/25/2023, 1:04 AM
Laura you can simply set it as a project config
freezing-airport-6809
10/25/2023, 1:04 AM
Check flytectl
freezing-airport-6809
10/25/2023, 1:04 AM
We are working on improving the UX
n
numerous-hamburger-7178
10/25/2023, 3:14 PM Copy code
--files.k8sServiceAccountnumerous-hamburger-7178
10/25/2023, 3:14 PMIf I do choose to use PodTemplates or something to set it, would flytectl override it with the default serviceaccount. Or more generally, is there a way to disallow other overrides of the serviceaccount after I set it once in some infra level
5 Views