# flyte-support
Hi, I'm encountering a permission issue while running the official llm-fine-tuning example (https://github.com/unionai-oss/llm-fine-tuning/tree/main/flyte_llama). Error:
```
FlyteAssertion: Failed to put data from /tmp/flyte-gq7dpdhx/sandbox/local_flytekit/engine_dir to <gs://flyte-metadata-bucket-skypilot-375902/metadata/propeller/flytesnacks-development-f9db1a147b0c9404e811/n1/data/0> (recursive=True).

Original exception: Forbidden: <https://storage.googleapis.com/upload/storage/v1/b/flyte-metadata-bucket-skypilot-375902/o>
Access denied.
```
Environment:
- GKE cluster using default compute service account (88945870421-compute@developer.gserviceaccount.com)
- Not using Workload Identity
- GCS bucket: flyte-metadata-bucket-skypilot-375902

It seems the service account doesn't have write permissions to the GCS bucket. What should I do?
Hey @salmon-greece-67273, the Flyte execution Pod needs access to write/read to the GCS bucket, and typically stock compute service accounts won't have that permission OOB. We maintain a reference implementation for GCP that uses Workload Identity. Maybe the blog gives you a better idea of what it looks like, but in essence, you need to "connect" some elements so the service account in your GKE cluster can impersonate a Google Service Account with the proper permissions.