# ask-the-community

Ethan Brown

02/09/2024, 7:58 PM
Quick q - there's a good high-level picture of workflow registration at https://docs.flyte.org/en/latest/flyte_fundamentals/registering_workflows.html#getting-started-package-register. Is there a good graph of the sequence of API calls between `pyflyte run --remote` / `flyteadmin` and blob storage endpoints? I'm mostly trying to have a good picture around when `CreateUploadLocation` gets called / used, etc (i.e. https://github.com/search?q=repo%3Aflyteorg%2Fflytekit%20CreateUploadLocation&type=code)

Kevin Su

02/09/2024, 8:42 PM
unf, we don’t have that. basically, dataproxy in the flyteadmin generates an upload link for users, so they can upload a file/directory to s3 without s3 credentials.
mind creating an issue here? we’ll update the doc [flyte-core]

Ethan Brown

02/09/2024, 9:08 PM
Ok cool - thanks for confirming. I thought that the sequence of events was essentially - compile / serialize, ask flyteadmin for signed storage URL(s), download / upload metadata for register... And then a similar process for actual user data reads and writes... Just wanted to confirm that there were no other mechanisms for storage access
I think the other question I had was around cluster resource manager and how it's configured to set the arns for IRSA

David Espejo (he/him)

02/09/2024, 9:23 PM
> cluster resource manager and how it's configured to set the arns for IRSA

you mean like this block where you indicate the default Role's ARN for each domain? And then this block automates the annotations in the `default` KSA

Ethan Brown

02/09/2024, 9:25 PM
Yes that's correct @David Espejo (he/him)
Sorry, I should have written that better. I'm aware of those configuration settings, but am trying to understand their usage. They're to grant running tasks the necessary IAM role to access the data storage for inputs and outputs?

David Espejo (he/him)

02/09/2024, 10:41 PM
Yes
Running tasks (Pods) will use the `default` SA available on each `project-domain` namespace (unless you indicate something different at registration time using `--service-account`)
That SA is then annotated with the ARN of the `defaultIAMRole`
The role should enable access to the S3 bucket(s)
Is something like that what you're looking for?

Ethan Brown

02/09/2024, 10:49 PM
Yup, that's exactly the part I wanted to make sure I understood - thanks!