hey, we have flyte setup on gcp with service accou...
# ask-the-communityh
HIMANSHU JOSHI
11/28/2023, 3:59 PMhey, we have flyte setup on gcp with service account configured and bindings with default k8s serviceaccount in [dev / prpd / stag] is also done. but when we run a python task it gives an error of anonoymous doesn't have access to storage.objects.read . but we have bindings with gcp SA with default k8s SA, than why is it using anonymous ?
HIMANSHU JOSHI
11/28/2023, 4:08 PMfor using simple tensorflow function tf.io.Gfile. will we need tfjob integeration?
h
Haytham Abuelfutuh
11/28/2023, 4:54 PM
Does propeller's SA also have a KSA that has GSA bindings with the right permissions?
Propeller also reads/writes to google storage (how it reads outputs and assembles inputs for the following tasks)
Haytham Abuelfutuh
11/28/2023, 4:56 PM
We do have Distributed TensorFlow job integration: https://docs.flyte.org/projects/cookbook/en/latest/auto_examples/kftensorflow_plugin/index.html#install-the-plugin
d
David Espejo (he/him)
11/28/2023, 6:09 PM@HIMANSHU JOSHI what permissions are part of the role you're binding the GSA to?
h
HIMANSHU JOSHI
11/29/2023, 5:24 AM@David Espejo (he/him) storage admin permission
HIMANSHU JOSHI
11/29/2023, 5:25 AM@Haytham Abuelfutuh yes propeller SA also has the permission
HIMANSHU JOSHI
11/29/2023, 5:25 AMbasically we created single GSA with all the permissions and binded it with needful k8s SA
d
David Espejo (he/him)
11/29/2023, 3:06 PMis the
defaultDavid Espejo (he/him)
11/29/2023, 4:39 PMalso @HIMANSHU JOSHI you can find here a reference on how to handle IAM permissions on GCP for Flyte
h
HIMANSHU JOSHI
12/02/2023, 8:45 AMis theyesSA on each namespace annotated with the corresponding GSA?default
HIMANSHU JOSHI
12/02/2023, 8:45 AMthe problem only occurrs if we use tensorflow python code [like tf.io.GFile to read from gcs]
h
Haytham Abuelfutuh
12/08/2023, 6:57 PM
Hey @HIMANSHU JOSHI did you manage to get this working? if not, happy to jump on a call
4 Views