Really close to getting my first deployment up. On startup I'm currently getting:

"Container [<bucket-name>] lookup failed. Error googleapi: Error 403: Caller does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden"

I gave the service account that's the default SA all the necessary permissions though. Feel that once this is resolved, I've got something going 🙂

Thanks for sharing and contributing!

Hey @David Espejo (he/him) I've got another issue relating to worker KSAs not being annotated on GCP. Getting an error that the main flyte-binary KSA does not have the permission to create/edit the worker KSAs (in e.g. flytesnacks-production/development/staging namespaces). I've already tried a few things by adding extra rules to the

values.yaml

file, but each time I add a rule some other error pops up (e.g. this is after adding

rbac:
  # create Create ClusterRole and ClusterRoleBinding resources
  create: true
  # extraRules Add additional rules to the ClusterRole
  extraRules: 
   - apiGroups:
      - ""
     resources:
      - serviceaccounts
     verbs:
      - create
      - get

to the values.yaml file

"Failed cluster resource creation loop with: serviceaccounts "default" is forbidden: User "system:serviceaccount:flyte:flyte-backend-flyte-binary" cannot patch resource "serviceaccounts" in API group "" in the namespace "flytesnacks-staging", serviceaccounts "default" is forbidden: User "system:serviceaccount:flyte:flyte-backend-flyte-binary" cannot patch resource "serviceaccounts" in API group "" in the namespace "flytesnacks-production""