I host flyte-binary on a local k3s cluster. I have amazon-eks-pod-identity-webhook working really well using the self hosted setup guide. Each project/environment combination can run under a different aws role.
How do I give the notifications config block access to AWS? I don't see a credential option in the config block example (just region and SNS ARN). I was expecting something like the providerConfig for the storage module, but I can't find it.
When I run flyte-binary with notifications enabled, I get this error, which I believe is just a lack of credentials:
{
"json": {
"src": "factory.go:114"
},
"level": "warning",
"msg": "Failed to initialize new gizmo aws subscriber with config [{Config:{AccessKey: MFASerialNumber: Region:us-west-1 RoleARN: SecretKey: SessionToken: EndpointURL:<nil>} QueueName:<arn.....:flyte-notifications> QueueOwnerAccountID:<accountid> QueueURL: MaxMessages:<nil> TimeoutSeconds:<nil> SleepInterval:<nil> DeleteBufferSize:<nil> ConsumeBase64:0x62d2535}] and err: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors",
"ts": "2024-02-05T23:40:34Z"
}
thankful-minister-83577
02/06/2024, 5:16 PM
the binary just runs with one role
thankful-minister-83577
02/06/2024, 5:17 PM
(user tasks can run with any number of roles, but flyte itself runs with one role)
thankful-minister-83577
02/06/2024, 5:17 PM
you’ll somehow have to auth your local k3s cluster to aws.
thankful-minister-83577
02/06/2024, 5:18 PM
in eks, it works through iam roles for service accounts
fierce-match-73373
02/06/2024, 5:48 PM
I think I can annotate flyte-binary service account with an AWS role and IRSA will pick it up, I'll try that, thank you.