# ask-the-community

Garret Cook

02/06/2024, 12:05 AM
I host flyte-binary on a local k3s cluster. I have amazon-eks-pod-identity-webhook working really well using the self-hosted setup guide. Each project/environment combination can run under a different AWS role. How do I give the notifications config block access to AWS? I don't see a credential option in the config block example (just region and SNS ARN). I was expecting something like the providerConfig for the storage module, but I can't find it. When I run flyte-binary with notifications enabled, I get this error, which I believe is just a lack of credentials:
```
{
  "json": {
    "src": "factory.go:114"
  },
  "level": "warning",
  "msg": "Failed to initialize new gizmo aws subscriber with config [{Config:{AccessKey: MFASerialNumber: Region:us-west-1 RoleARN: SecretKey: SessionToken: EndpointURL:<nil>} QueueName:<arn.....:flyte-notifications> QueueOwnerAccountID:<accountid> QueueURL: MaxMessages:<nil> TimeoutSeconds:<nil> SleepInterval:<nil> DeleteBufferSize:<nil> ConsumeBase64:0x62d2535}] and err: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors",
  "ts": "2024-02-05T23:40:34Z"
}
```


02/06/2024, 5:16 PM
the binary just runs with one role
(user tasks can run with any number of roles, but flyte itself runs with one role)
you’ll somehow have to auth your local k3s cluster to aws.
in eks, it works through iam roles for service accounts

Garret Cook

02/06/2024, 5:48 PM
I think I can annotate flyte-binary service account with an AWS role and IRSA will pick it up, I'll try that, thank you.