hey, we have flyte setup on gcp with service accou...
# flyte-supporte
echoing-river-3611
11/28/2023, 3:59 PMhey, we have flyte setup on gcp with service account configured and bindings with default k8s serviceaccount in [dev / prpd / stag] is also done. but when we run a python task it gives an error of anonoymous doesn't have access to storage.objects.read . but we have bindings with gcp SA with default k8s SA, than why is it using anonymous ?
echoing-river-3611
11/28/2023, 4:08 PMfor using simple tensorflow function tf.io.Gfile. will we need tfjob integeration?
h
high-park-82026
11/28/2023, 4:54 PM
Does propeller's SA also have a KSA that has GSA bindings with the right permissions?
Propeller also reads/writes to google storage (how it reads outputs and assembles inputs for the following tasks)
high-park-82026
11/28/2023, 4:56 PM
We do have Distributed TensorFlow job integration: https://docs.flyte.org/projects/cookbook/en/latest/auto_examples/kftensorflow_plugin/index.html#install-the-plugin
a
average-finland-92144
11/28/2023, 6:09 PM@echoing-river-3611 what permissions are part of the role you're binding the GSA to?
e
echoing-river-3611
11/29/2023, 5:24 AM@average-finland-92144 storage admin permission
echoing-river-3611
11/29/2023, 5:25 AM@high-park-82026 yes propeller SA also has the permission
echoing-river-3611
11/29/2023, 5:25 AMbasically we created single GSA with all the permissions and binded it with needful k8s SA
a
average-finland-92144
11/29/2023, 3:06 PMis the
defaultaverage-finland-92144
11/29/2023, 4:39 PMalso @echoing-river-3611 you can find here a reference on how to handle IAM permissions on GCP for Flyte
e
echoing-river-3611
12/02/2023, 8:45 AMis theyesSA on each namespace annotated with the corresponding GSA?default
echoing-river-3611
12/02/2023, 8:45 AMthe problem only occurrs if we use tensorflow python code [like tf.io.GFile to read from gcs]
h
high-park-82026
12/08/2023, 6:57 PM
Hey @echoing-river-3611 did you manage to get this working? if not, happy to jump on a call
4 Views