https://flyte.org logo
#ask-the-community
Title
# ask-the-community
g

Guy Harel

03/07/2024, 3:07 PM
Hi all, We want to be able to trigger a Flyte launchplan/workflow from a backend server that we control, with no user interaction. Ie - new data comes in to our system, we want to run a bunch of models on it automatically. How would authentication work in this case? We are using the flyte-binary helm chart, which uses the internal authorization server as far as I know. We also configured an external IdP for flyteadmin for actual human users. Any ideas?
b

Blake Jackson

03/07/2024, 3:22 PM
So we do this w/ java backend services. Both our backend services and flyte are using external IdP, so we were able to take a token from one and use it to call the other. Is that an option for you?
g

Guy Harel

03/07/2024, 3:23 PM
Thanks Blake, so you mean that you have an end-user which creates a token in the IdP while working with your Java service, so you "proxy" this token to flyte?
b

Blake Jackson

03/07/2024, 3:27 PM
For our specific use case, our app uses client credentials grant to mint an AT. The AT has all the required flyte scopes built in in order to call flyte. We then call flyte admin gRPC api w/ that token and can invoke flyte executions that way.
So this is application to application flow
g

Guy Harel

03/07/2024, 3:29 PM
OK, so the Java app authenticates with the IdP using a long-lived api key, and gets a short-lived token for flyte?
Oh OK, client credentials grant - got it 🙂 Thank you, I'll see if our IdP supports this
b

Blake Jackson

03/07/2024, 3:31 PM
yep
The key will be to mint an AT that has the required scopes Flyte needs if you are planning to call their gRPC API
the flyte docs should cover all of that in pretty good detail, but reach out if you get stuck
g

Guy Harel

03/07/2024, 3:34 PM
Thanks Blake, I appreciate it 🙏