Quick q - there's a good high-level picture of workflow registration at https://docs.flyte.org/en/latest/flyte_fundamentals/registering_workflows.html#getting-started-package-register. Is there a good graph of the sequence of API calls between

pyflyte run --remote

/

flyteadmin

and blob storage endpoints? I'm mostly trying to have a good picture around when

CreateUploadLocation

gets called /used, etc (i.e. https://github.com/search?q=repo%3Aflyteorg%2Fflytekit%20CreateUploadLocation&type=code)

unf, we don’t have that. basically, dataproxy in the flyteadmin generate a upload link for users, so they can upload a file/directory to s3 without s3 credentials.

⭐ Create a new Flyte Core Feature issue: https://github.com/flyteorg/flyte/issues/new?assignees=&labels=enhancement%2Cuntriaged&template=feature_request.yaml&title=%5BCore+feature%5D+

Ok cool - thanks for confirming. I thought that the sequence of events was essentially - compile / serialize, ask flyteadmin for signed storage URL(s), download / upload metadata for register... And then a similar process for actual user data reads and writes... Just wanted to confirm that there was no other mechanisms for storage access

cluster resource manager and how it's configured to set the arns for IRSA

you mean like this block where you indicate the default Role's ARN for each domain? And then this block automates the annotations in the `default`KSA

Yes that's correct @David Espejo (he/him)

Yes Running tasks (Pods) will use the

default

SA available on each

project-domain

namespace (unless you indicate something different at registration time using --service-account) That SA is then annotated with the ARN of the

defaultIAMRole

The role should enable access to the S3 bucket(s)

Yup, that's exactly the part I wanted to make sure I understood - thanks!