On to the next question. I am setting up Flyte to ...
# announcementsh
helpful-crowd-74546
08/18/2022, 9:15 AMOn to the next question. I am setting up Flyte to be used by many different teams. My idea was use the same service account for each of the projects i.e., use the https://docs.flyte.org/en/latest/deployment/aws/manual.html#flyte-user-role the pods are assuming and pass IAM roles in the launch plan that the service account assumes during execution, I remembered that there were some problems with this a while back. Is this working or is there a better way to achieve project specific permissions?
t
tall-lock-23197
08/18/2022, 10:06 AM
@icy-agent-73298, is setting project-level perms possible?
i
icy-agent-73298
08/18/2022, 10:06 AMPassing IAM permissions i believe and is no longer supported and you can instead define service accounts for each project and annotate them with different env-user-role
t
tall-lock-23197
08/18/2022, 10:07 AM
Do we have docs for this?
i
icy-agent-73298
08/18/2022, 10:09 AMI think our docs only mention with one account but for gcp we have with different service accounts https://docs.flyte.org/en/latest/deployment/gcp/manual.html#deployment-gcp-manual
icy-agent-73298
08/18/2022, 10:10 AM Copy code
cluster_resource_manager:
enabled: true
config:
cluster_resources:
customData:
- development:
- projectQuotaCpu:
value: "5"
- projectQuotaMemory:
value: "4000Mi"
- defaultIamRole:
value: "gsa-development@{{ .Values.userSettings.googleProjectId }}.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>"
- staging:
- projectQuotaCpu:
value: "2"
- projectQuotaMemory:
value: "3000Mi"
- defaultIamRole:
value: "gsa-staging@{{ .Values.userSettings.googleProjectId }}.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>"
- production:
- projectQuotaCpu:
value: "2"
- projectQuotaMemory:
value: "3000Mi"
- defaultIamRole:
value: "gsa-production@{{ .Values.userSettings.googleProjectId }}.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>"icy-agent-73298
08/18/2022, 10:10 AMthis would be at the project-domain level
icy-agent-73298
08/18/2022, 10:11 AMexplicitly only at project level is not possible
icy-agent-73298
08/18/2022, 10:15 AMDuring the execution time or in the launchplan you can specify the serviceaccount which exists and rightfully annotated with the IAM role .
eg : instead of passing IAM-role-1 in launch plan .
create a ksa ksa1 annotatetd with IAM-role-1 and pass that in the launchplan.
this you can even override during execution time . so you can pass ksa2 annotated with another iam-role-2 and this will override the ksa1 which is there in the launchplan .
h
helpful-crowd-74546
08/18/2022, 11:13 AMRight, that sounds good. In my use case the resource I want to access is Redshift, which is deployed in one account. The EKS cluster with Flyte is deployed in another one. Redshift can only be accessed within the same account, and I would then like to enable a trust relationship between the two accounts so that the role assumed by my service account can assume the role in the account where Redshift is deployed. This is not possible AFAIK using service accounts due to OIDC provider needs to be in same account as the EKS cluster
i
icy-agent-73298
08/18/2022, 11:51 AMI think you can . Check these docs https://aws.amazon.com/blogs/containers/enabling-cross-account-access-to-amazon-eks-cluster-resources/
👍 1
f
freezing-airport-6809
08/18/2022, 2:15 PM
@tall-lock-23197 let's make sure we make docs for all of this or tickets for this
👍 1
freezing-airport-6809
08/18/2022, 2:16 PM
@helpful-crowd-74546 you can use the same service account
freezing-airport-6809
08/18/2022, 2:16 PM
Power of Flyte is to use different service accouoif you want
h
helpful-crowd-74546
08/18/2022, 3:09 PMYes, but I don’t think it works across accounts i.e., EKS is deployed in account A. Account B has some resources that we need, but are not available cross account. Then I don’t think there is a way to create a service account in account A with a role in account B due to OIDC provider in AWS
248 Views