Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.

Flyte

Hi again, has anyone been able to connect to Artifact Registry? I have tried giving the `flyte-binary` and `flyte-worker` service accounts permission, and creating an `imagePullSecret` for both `default` and `flyte-binary` serviceaccount on the cluster, but still getting a `403 Forbidden` Error when the task is trying to pull the image

hey Jake

This was overhauled completely in the merged version.

In summary, the modules create a `${local.prefix}-artifactwriter`GSA that you can use to obtain a token from and then authenticate to the repo. You can use other GSA but it has to have the `roles/artifactregistry.writer`permission (see <https://cloud.google.com/artifact-registry/docs/docker/authentication#token>)

The next piece is that now the modules add the `roles/artifactregistry.reader` permission to the GSA that the Flyte worker pods will use, enabling them to pull images (see <https://github.com/unionai-oss/deploy-flyte/blob/db3132ac910ddb8c68a643990ddf10eafb6163d3/environments/gcp/flyte-core/iam.tf#L131-L135>)

With that, you can create an ImagePull secret and add it to the `default` KSA.
Please note that the merged version uses `flyte-core` (with flyte-binary coming soon), but the IAM module was almost completely refactored