# runllm-flyte-trial
New RunLLM response generated:

*# Question*

Hey there, I'm trying to set up `FlyteRemote()` with client credentials, but I'm struggling with getting things right for the control plane auth. My code for creating the connection is essentially the following (where the setting module has the correct values for the endpoint and bytes values for CLIENT_* values):
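```python
from flytekit.configuration import AuthType, Config, PlatformConfig
from flytekit.remote import FlyteRemote

# `settings` is the poster's own settings module (endpoint and CLIENT_* values).
remote = FlyteRemote(Config(platform=PlatformConfig(
    endpoint=settings.FLYTE_ENDPOINT,
    client_id=settings.FLYTE_CLIENT_ID,
    client_credentials_secret=settings.FLYTE_CLIENT_SECRET.get_secret_value(),
    auth_mode=AuthType.CLIENT_CREDENTIALS,
)))
```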
The client id is currently set to `flytepropeller` and the secret matches the value our k8s setup injects as a secret, but I have a feeling that the static clients aren't set up correctly for what I want to do. This is the config we have for auth + the secret being included:
```yaml
auth:
  appAuth:
    selfAuthServer:
      staticClients:
        flytepropeller:
          grant_types:
            - refresh_token
            - client_credentials
          id: flytepropeller
          response_types:
            - token
          scopes:
            - all
            - offline
            - access_token
        flyte-cli:
          grant_types:
            - refresh_token
            - authorization_code
          id: flyte-cli
          public: true
          redirect_uris:
            - http://localhost:53593/callback
            - http://localhost:12345/callback
          response_types:
            - code
            - token
          scopes:
            - all
            - offline
            - access_token
        flytectl:
          grant_types:
            - refresh_token
            - authorization_code
          id: flytectl
          public: true
          redirect_uris:
            - http://localhost:53593/callback
            - http://localhost:12345/callback
          response_types:
            - code
            - token
          scopes:
            - all
            - offline
            - access_token
    thirdPartyConfig:
      flyteClient:
        audience: ""
        clientId: flytectl
        redirectUri: http://localhost:53593/callback
        scopes:
          - all
  userAuth:
    openId:
      baseUrl: "https://accounts.google.com"
      scopes:
        - profile
        - openid
server:
  security:
    useAuth: true
```
Secret that gets merged in

```yaml
auth:
  appAuth:
    selfAuthServer:
      staticClients:
        flytepropeller:
          client_secret: "{{ .AUTH_CLIENT_SECRET }}"
```
When running this and trying a call I get

```
FlyteSystemException: SYSTEMUnknown error=None, cause=Status Code (401) received from IDP: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."}
```

I also tried reading up on fosite to see if the docs for their `DefaultClient` provide more instructions than the Flyte auth documentation. Presumably I would want to add a new static client similar to the `flyte-cli` one, just with a client secret so we can have our API talk to flyte with `FlyteRemote`? Or are there some other things I would need to configure to get this working nicely? And no, PKCE isn't an option here, since this is for machine-to-machine access.

*# Answer*

The error you're encountering suggests that the client authentication is not being recognized by the Identity Provider (IDP). According to the Flyte documentation, the `flytepropeller` client is configured with `client_credentials` and `refresh_token` grant types, which should be suitable for machine-to-machine communication. Ensure that the `client_secret` is correctly set in your Kubernetes secret and matches the one used in your FlyteRemote configuration.

You might need to verify that the `client_id` and `client_secret` are correctly configured in both your Flyte setup and the FlyteRemote connection. Additionally, ensure that the `auth_mode` is set to `AuthType.CLIENT_CREDENTIALS` as you have done. If the issue persists, consider adding a new static client configuration similar to `flyte-cli` but with a `client_secret` for secure communication.

Would you like more detailed guidance on setting up a new static client?

Sources:
- FlyteAdmin Config OAuth2Options

Slack Link https://.slack.com/archives/CP2HDHKE1/p1731483932.789359

💡 Hint: Mention @runllm in the thread for followups.
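
A config check for the setup discussed in this thread, as an added example (not code from the thread, Flyte, or fosite): it merges a secret overlay into the `staticClients` map and lists what would stop a client from using the `client_credentials` grant. The function names and sample dicts are constructed for illustration; the checks are the general requirements of that grant (a confidential client with a secret, the grant type and requested scopes allowed), and the overlay merge is assumed to be a recursive map merge.

```python
def deep_merge(base, overlay):
    """Recursively merge overlay into a copy of base (dicts merge, other values replace)."""
    merged = dict(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged

def check_m2m_client(static_clients, client_id, scopes=("all",)):
    """List the reasons client_id could not use the client_credentials grant."""
    client = static_clients.get(client_id)
    if client is None:
        return [f"{client_id!r} is not defined under staticClients"]
    problems = []
    if client.get("id") != client_id:
        problems.append(f"id {client.get('id')!r} differs from map key {client_id!r}")
    if client.get("public"):
        problems.append("public: true (a public client has no secret to present)")
    secret = client.get("client_secret") or ""
    if not secret:
        problems.append("no client_secret (was the secret overlay merged?)")
    elif "{{" in secret:
        problems.append("client_secret is an unrendered template placeholder")
    if "client_credentials" not in client.get("grant_types", []):
        problems.append("grant_types lacks client_credentials")
    denied = [s for s in scopes if s not in client.get("scopes", [])]
    if denied:
        problems.append(f"scopes not allowed for this client: {denied}")
    return problems

# Constructed sample input, abridged from the YAML quoted in the question.
BASE = {"flytepropeller": {"id": "flytepropeller",
                           "grant_types": ["refresh_token", "client_credentials"],
                           "scopes": ["all", "offline", "access_token"]},
        "flyte-cli": {"id": "flyte-cli", "public": True,
                      "grant_types": ["refresh_token", "authorization_code"],
                      "scopes": ["all", "offline", "access_token"]}}
UNRENDERED = {"flytepropeller": {"client_secret": "{{ .AUTH_CLIENT_SECRET }}"}}
RENDERED = {"flytepropeller": {"client_secret": "constructed-placeholder-value"}}

if __name__ == "__main__":
    for name, overlay in (("no overlay", {}), ("unrendered", UNRENDERED), ("rendered", RENDERED)):
        print(name, check_m2m_client(deep_merge(BASE, overlay), "flytepropeller"))
    print("flyte-cli", check_m2m_client(BASE, "flyte-cli"))
```

Run against the rendered configuration the admin service actually loads, a non-empty result for a `flyte-cli`-style entry shows which fields a new machine-to-machine client would need changed.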