On to the next question. I am setting up Flyte to ...
# announcements
h
On to the next question. I am setting up Flyte to be used by many different teams. My idea was use the same service account for each of the projects i.e., use the https://docs.flyte.org/en/latest/deployment/aws/manual.html#flyte-user-role the pods are assuming and pass IAM roles in the launch plan that the service account assumes during execution, I remembered that there were some problems with this a while back. Is this working or is there a better way to achieve project specific permissions?
s
@Prafulla Mahindrakar, is setting project-level perms possible?
p
Passing IAM permissions i believe and is no longer supported and you can instead define service accounts for each project and annotate them with different env-user-role
s
Do we have docs for this?
p
I think our docs only mention with one account but for gcp we have with different service accounts https://docs.flyte.org/en/latest/deployment/gcp/manual.html#deployment-gcp-manual
Copy code
cluster_resource_manager:
  enabled: true
  config:
    cluster_resources:
       customData:
         - development:
             - projectQuotaCpu:
               value: "5"
             - projectQuotaMemory:
               value: "4000Mi"
             - defaultIamRole:
               value: "gsa-development@{{ .Values.userSettings.googleProjectId }}.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>"
         - staging:
             - projectQuotaCpu:
               value: "2"
             - projectQuotaMemory:
               value: "3000Mi"
             - defaultIamRole:
               value: "gsa-staging@{{ .Values.userSettings.googleProjectId }}.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>"
         - production:
             - projectQuotaCpu:
               value: "2"
             - projectQuotaMemory:
               value: "3000Mi"
             - defaultIamRole:
               value: "gsa-production@{{ .Values.userSettings.googleProjectId }}.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>"
this would be at the project-domain level
explicitly only at project level is not possible
During the execution time or in the launchplan you can specify the serviceaccount which exists and rightfully annotated with the IAM role . eg : instead of passing IAM-role-1 in launch plan . create a ksa ksa1 annotatetd with IAM-role-1 and pass that in the launchplan. this you can even override during execution time . so you can pass ksa2 annotated with another iam-role-2 and this will override the ksa1 which is there in the launchplan .
h
Right, that sounds good. In my use case the resource I want to access is Redshift, which is deployed in one account. The EKS cluster with Flyte is deployed in another one. Redshift can only be accessed within the same account, and I would then like to enable a trust relationship between the two accounts so that the role assumed by my service account can assume the role in the account where Redshift is deployed. This is not possible AFAIK using service accounts due to OIDC provider needs to be in same account as the EKS cluster
p
k
@Samhita Alla let's make sure we make docs for all of this or tickets for this
👍 1
@Hampus Rosvall you can use the same service account
Power of Flyte is to use different service accouoif you want
h
Yes, but I don’t think it works across accounts i.e., EKS is deployed in account A. Account B has some resources that we need, but are not available cross account. Then I don’t think there is a way to create a service account in account A with a role in account B due to OIDC provider in AWS
179 Views