On to the next question. I am setting up Flyte to ...
# announcements
h
On to the next question. I am setting up Flyte to be used by many different teams. My idea was to use the same service account for each of the projects, i.e., use the https://docs.flyte.org/en/latest/deployment/aws/manual.html#flyte-user-role the pods are assuming and pass IAM roles in the launch plan that the service account assumes during execution. I remembered that there were some problems with this a while back. Is this working or is there a better way to achieve project specific permissions?
s
@Prafulla Mahindrakar, is setting project-level perms possible?
p
Passing IAM permissions, I believe, is no longer supported, and you can instead define service accounts for each project and annotate them with different env-user-role
s
Do we have docs for this?
p
I think our docs only mention with one account but for gcp we have with different service accounts https://docs.flyte.org/en/latest/deployment/gcp/manual.html#deployment-gcp-manual
cluster_resource_manager:
  enabled: true
  config:
    cluster_resources:
      # Per-domain values: CPU/memory quotas and the default IAM role (a GCP service account here)
      customData:
        - development:
            - projectQuotaCpu:
                value: "5"
            - projectQuotaMemory:
                value: "4000Mi"
            - defaultIamRole:
                value: "gsa-development@{{ .Values.userSettings.googleProjectId }}.iam.gserviceaccount.com"
        - staging:
            - projectQuotaCpu:
                value: "2"
            - projectQuotaMemory:
                value: "3000Mi"
            - defaultIamRole:
                value: "gsa-staging@{{ .Values.userSettings.googleProjectId }}.iam.gserviceaccount.com"
        - production:
            - projectQuotaCpu:
                value: "2"
            - projectQuotaMemory:
                value: "3000Mi"
            - defaultIamRole:
                value: "gsa-production@{{ .Values.userSettings.googleProjectId }}.iam.gserviceaccount.com"
this would be at the project-domain level
explicitly only at project level is not possible
During the execution time or in the launchplan you can specify the serviceaccount which exists and is rightfully annotated with the IAM role. E.g.: instead of passing IAM-role-1 in the launch plan, create a ksa ksa1 annotated with IAM-role-1 and pass that in the launchplan. This you can even override during execution time, so you can pass ksa2 annotated with another iam-role-2 and this will override the ksa1 which is there in the launchplan.
h
Right, that sounds good. In my use case the resource I want to access is Redshift, which is deployed in one account. The EKS cluster with Flyte is deployed in another one. Redshift can only be accessed within the same account, and I would then like to enable a trust relationship between the two accounts so that the role assumed by my service account can assume the role in the account where Redshift is deployed. This is not possible AFAIK using service accounts because the OIDC provider needs to be in the same account as the EKS cluster
p
k
@Samhita Alla let's make sure we make docs for all of this or tickets for this
@Hampus Rosvall you can use the same service account
Power of Flyte is to use different service accounts if you want
h
Yes, but I don’t think it works across accounts i.e., EKS is deployed in account A. Account B has some resources that we need, but are not available cross account. Then I don’t think there is a way to create a service account in account A with a role in account B due to OIDC provider in AWS