Shahwar Saleem 08/02/2022, 4:59 PM
flytectl get project
Error: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"
Prafulla Mahindrakar 08/03/2022, 5:51 AM
flag https://github.com/flyteorg/flyteidl/blob/7b1fd01ff429d28755765204f00dea57598d8851/clients/go/admin/config.go#L41 But it's not recommended for prod use cases and should be used only for testing.
more flags are available through help https://docs.flyte.org/projects/flytectl/en/latest/gen/flytectl.html
Shahwar Saleem 08/03/2022, 2:44 PM
Prafulla Mahindrakar 08/03/2022, 4:24 PM
Shahwar Saleem 08/04/2022, 5:21 PM
root@0d4683ee86d5:/# flytectl get project
Error: rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken
is used within Flyte to talk to FlyteCTL? I talked to a person who handles Auth within my company, they have never seen PKCE on a Command Line. Could you please advise on this?
Prafulla Mahindrakar 08/05/2022, 5:57 AM
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///flyte.org
  # Change insecure flag to ensure that you use the right setting for your environment
  insecure: false
  clientId: *********
  authType: ClientSecret
  clientSecretLocation: /home/runner/secret_location
logger:
  # Logger settings to control logger output. Useful to debug logger:
  show-source: true
  level: 1
Shahwar Saleem 08/31/2022, 5:52 PM
. This is a suffix to baseURL internally.
◦ Needed to add new clientId which was provided by Auth Server App.
◦ Needed to change the flyteadmin image to a new one corresponding to DeviceFlow changes:
. This change needs to happen in flyteadmin deployment across all occurrences of the flyteadmin image.
◦ Needed to change FlyteCTL config to something like this:
admin:
  endpoint: <URL>
  authType: DeviceFlow
  insecure: false
  caCertFilePath: <certfilepath>
  deviceFlowConfig:
    deviceFlowTimeout: 200s
logger:
  show-source: true
  level: 20
After authenticating, I am getting an error which does signify there is an issue with JWT response. Apparently, for our use case an
needs to be specified while requesting auth from Auth0 server. Currently,
is not using audience field and due to missing Audience, Auth Server is not able to complete the Device Authentication flow, because the token after authorization is a default one, which Auth server is not accepting. A few things:
• We would need full Auth support including Audience field to fully utilize Authentication with Flytectl.
• The team is now outside POC and implementing a full Flyte Deployment which will need full Authentication capability for Flyteconsole as well as FlyteCTL.
CC: @Andrew Achkar @Geoff Salmon @Haytham Abuelfutuh
Prafulla Mahindrakar 09/01/2022, 7:04 AM
https://github.com/golang/oauth2/blob/master/clientcredentials/clientcredentials.go#L44 which gets used here https://github.com/golang/oauth2/blob/master/clientcredentials/clientcredentials.go#L97 Sample test with aud https://github.com/golang/oauth2/blob/master/clientcredentials/clientcredentials_test.go#L25 But none of this config is passed from flyteadmin, which is why I am uncertain that adding the aud field is going to solve the device flow issue. Wanted to test this with a custom build and verify before making a configurable change. Let me know what you all think.
// EndpointParams specifies additional parameters for requests to the token endpoint.
EndpointParams url.Values
Shahwar Saleem 09/02/2022, 3:03 PM
Prafulla Mahindrakar 09/02/2022, 6:38 PM
go mod edit -replace github.com/flyteorg/flyteidl=github.com/flyteorg/flyteidl@4b475700a8df0e7736fed995ee84a4cc22e453fd
go mod tidy
And then run using the audience by passing the right aud field for your app
flytectl get projects --logger.level=6 --admin.authType DeviceFlow --admin.deviceFlowConfig.audience <aud>
Ref used on how to pass aud https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens