On to the next question I am setting up Flyte to be used by

Question

On to the next question I am setting up Flyte to be used by many different teams My idea was use the same service account for each of the projects i e use the <https docs flyte org en latest deployment aws manual html flyte user role> the pods are assuming and pass IAM roles in the launch plan that the service account assumes during execution I remembered that there were some problems with this a while back Is this working or is there a better way to achieve project specific permissions

Samhita Alla · Answer

< Prafulla Mahindrakar> is setting project level perms possible

Prafulla Mahindrakar · Answer

Passing IAM permissions i believe and is no longer supported and you can instead define service accounts for each project and annotate them with different env user role

Samhita Alla · Answer

Do we have docs for this

Prafulla Mahindrakar · Answer

I think our docs only mention with one account but for gcp we have with different service accounts <https docs flyte org en latest deployment gcp manual html deployment gcp manual>

Prafulla Mahindrakar · Answer

```cluster resource manager enabled true config cluster resources customData development projectQuotaCpu value 5 projectQuotaMemory value 4000Mi defaultIamRole value gsa development Values userSettings googleProjectId staging projectQuotaCpu value 2 projectQuotaMemory value 3000Mi defaultIamRole value gsa staging Values userSettings googleProjectId production projectQuotaCpu value 2 projectQuotaMemory value 3000Mi defaultIamRole value gsa production Values userSettings googleProjectId ```

Prafulla Mahindrakar · Answer

this would be at the project domain level

Prafulla Mahindrakar · Answer

explicitly only at project level is not possible

Prafulla Mahindrakar · Answer

During the execution time or in the launchplan you can specify the serviceaccount which exists and rightfully annotated with the IAM role eg instead of passing IAM role 1 in launch plan create a ksa ksa1 annotatetd with IAM role 1 and pass that in the launchplan this you can even override during execution time so you can pass ksa2 annotated with another iam role 2 and this will override the ksa1 which is there in the launchplan

Hampus Rosvall · Answer

Right that sounds good In my use case the resource I want to access is Redshift which is deployed in one account The EKS cluster with Flyte is deployed in another one Redshift can only be accessed within the same account and I would then like to enable a trust relationship between the two accounts so that the role assumed by my service account can assume the role in the account where Redshift is deployed This is not possible AFAIK using service accounts due to OIDC provider needs to be in same account as the EKS cluster

Prafulla Mahindrakar · Answer

I think you can Check these docs <https aws amazon com blogs containers enabling cross account access to amazon eks cluster resources >

Ketan (kumare3) · Answer

< Samhita Alla> let s make sure we make docs for all of this or tickets for this

Ketan (kumare3) · Answer

< Hampus Rosvall> you can use the same service account

Ketan (kumare3) · Answer

Power of Flyte is to use different service accouoif you want

Hampus Rosvall · Answer

Yes but I don t think it works across accounts i e EKS is deployed in account A Account B has some resources that we need but are not available cross account Then I don t think there is a way to create a service account in account A with a role in account B due to OIDC provider in AWS