I see that there's support for domains. https://github.com/flyteorg/flyte/blob/4fc4988400b9f448f61fe796d5252c1aa075fe6f/charts/flyte-core/values-eks.yaml#L343-L365 looks like you can specify roles for diff domains

just set the default service accounts

Oh, I can use podtemplate's serviceAccountName?

We also have an additional requirement that we're building towards where writes to our data warehouse will require scoped credentials, but in that case we're planning on using an init container (where the init container has broader permissions but generates scoped credentials to a specific s3 prefix), and then mounts that in the main workflow container. That way, the user-controlled application code can only write to a specific location in our bucket but we can use a common serviceaccount for the pod across the board (in this case, however, we likely won't use IRSA)

Would the right approach be defining the service accounts in PodTemplates?

Check flytectl

We are working on improving the UX

If I do choose to use PodTemplates or something to set it, would flytectl override it with the default serviceaccount. Or more generally, is there a way to disallow other overrides of the serviceaccount after I set it once in some infra level