#ask-the-community

HIMANSHU JOSHI

11/28/2023, 3:59 PM
hey, we have flyte set up on gcp with a service account configured, and bindings with the default k8s serviceaccount in [dev / prpd / stag] are also done. but when we run a python task it gives an error that anonymous doesn't have access to storage.objects.read. but we have bindings of the gcp SA with the default k8s SA, then why is it using anonymous?
for using a simple tensorflow function, tf.io.Gfile, will we need the tfjob integration?

Haytham Abuelfutuh

11/28/2023, 4:54 PM
Does propeller's SA also have a KSA that has GSA bindings with the right permissions? Propeller also reads/writes to google storage (how it reads outputs and assembles inputs for the following tasks)

David Espejo (he/him)

11/28/2023, 6:09 PM
@HIMANSHU JOSHI what permissions are part of the role you're binding the GSA to?

HIMANSHU JOSHI

11/29/2023, 5:24 AM
@David Espejo (he/him) storage admin permission
@Haytham Abuelfutuh yes propeller SA also has the permission
basically we created a single GSA with all the permissions and bound it to the needed k8s SA

David Espejo (he/him)

11/29/2023, 3:06 PM
is the default SA on each namespace annotated with the corresponding GSA?
also @HIMANSHU JOSHI you can find here a reference on how to handle IAM permissions on GCP for Flyte

HIMANSHU JOSHI

12/02/2023, 8:45 AM
is the default SA on each namespace annotated with the corresponding GSA?
yes
the problem only occurs if we use tensorflow python code [like tf.io.GFile to read from gcs]

Haytham Abuelfutuh

12/08/2023, 6:57 PM
Hey @HIMANSHU JOSHI did you manage to get this working? if not, happy to jump on a call