# flyte-on-gcp

Jake Dodd

12/07/2023, 3:51 PM
Hi again, has anyone been able to connect to Artifact Registry? I have tried giving the `flyte-binary` and `flyte-worker` service accounts permission, and creating an `imagePullSecret` for both `default` and `flyte-binary` serviceaccount on the cluster, but still getting a `403 Forbidden` Error when the task is trying to pull the image

David Espejo (he/him)

12/07/2023, 4:30 PM
hey Jake. This was overhauled completely in the merged version. In summary, the modules create a `${local.prefix}-artifactwriter` GSA that you can use to obtain a token from and then authenticate to the repo. You can use other GSA but it has to have the `roles/artifactregistry.writer` permission (see https://cloud.google.com/artifact-registry/docs/docker/authentication#token). The next piece is that now the modules add the `roles/artifactregistry.reader` permission to the GSA that the Flyte worker pods will use, enabling them to pull images (see https://github.com/unionai-oss/deploy-flyte/blob/db3132ac910ddb8c68a643990ddf10eafb6163d3/environments/gcp/flyte-core/iam.tf#L131-L135). With that, you can create an ImagePull secret and add it to the `default` KSA. Please note that the merged version uses `flyte-core` (with flyte-binary coming soon), but the IAM module was almost completely refactored