:face_with_head_bandage: Issue: Authentification inside AWS Codebuild Hi, we have implemented Flyt...

curved-easter-24577

12/14/2023, 1:49 PM

🤕 Issue: Authentification inside AWS Codebuild Hi, we have implemented Flyte on EKS with the chart flyte-core. We have been able to implement authentification with Okta and works perfect locally. The problem is that we have an AWS Codebuild, that deploys a workflow (CD), which we are not able to deploy the workflow to the remote cluster. The error:

Copy code

Unauthenticated desc = Request unauthenticated with IDToken, Auth Error: failed to initialized token source provider. Err: open /etc/secrets/client_secret: no such file or directory","ts":"2023-12-14T10:35:47Z"}

When we define our client_secret in the specified path:

Copy code

{
  "json": {},
  "level": "warning",
  "msg": "failed to cache token: %!w(*fmt.wrapError=&{unable to save token. Error: Failed to execute program org.freedesktop.secrets: Operation not permitted {org.freedesktop.DBus.Error.Spawn.ExecFailed [Failed to execute program org.freedesktop.secrets: Operation not permitted]}})",
  "ts": "2023-12-14T11:59:51Z"
}

And the script that deploys the workflow gets stuck 🥲 Our current flyte config:

Copy code

admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///<our flyte dns>
  authType: Pkce
  insecure: false
logger:
  show-source: true
  level: 0

freezing-airport-6809

12/14/2023, 2:44 PM

You will have to use client app id and secret - check okta docs

curved-easter-24577

12/14/2023, 2:55 PM

okay so i have my okta client id and client secret. Where I define them in my codebuild? In the same

secrets/client_secret

folder?

freezing-airport-6809

12/14/2023, 3:58 PM

No you can set them in the config

curved-easter-24577

12/14/2023, 3:59 PM

can you give me an example pls?

curved-easter-24577

12/14/2023, 4:10 PM

also, we have not implemented Custom Authorization Server is this required for CICD?

freezing-airport-6809

12/14/2023, 4:12 PM

We recommend, but otherwise you can use the configured app ids and secrets just like you did for propeller

curved-easter-24577

12/14/2023, 4:23 PM

Can we do a port fordward with the

flyte-core

chart as we do with the

flyte-binary

Copy code

kubectl -n flyte port-forward service/flyte-binary 8088:8088 8089:8089

freezing-airport-6809

12/14/2023, 4:26 PM

https://github.com/flyteorg/flytekit/blob/6cd0a60b801729cffcc9387cc477f2ea9a6d5142/flytekit/clients/auth/authenticator.py#L193

curved-easter-24577

12/15/2023, 1:04 PM

Hi, I have solve it with the following config:

Copy code

admin:
                      endpoint: dns:///${FlyteDNS}
                      authType: ClientSecret
                      clientId: flytepropeller
                      clientSecretLocation: /etc/secrets/client_secret
                      scopes: all
                      insecure: false
                    logger:
                      show-source: true
                      level: 0

Thank youuu for your time 🫶

🙌🏽 1

15 Views

Open in Slack

Previous Next

Flyte

Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.