Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.

Flyte

Hi, a few questions regarding permissions and configuration:
• What is the preferred way to provide identities for task Pods? Would you specify IAM Role in Launch Plan, or provide an Service Account in the `flyte.config`? 
• Is it best practice to assign a SA/IAM role for each task, or reuse the same identity on a workflow basis? 
• What should be configured in `flyte.config` vs `~/.flyte/config.yaml`? 

Hello <@U038FT3LCRE>!

1. Both are identical. Providing an IAM role in `flyte.config` is kinda general, whereas IAM role for a specific launch plan is helpful if you want to override the value in `flyte.config` or the default value.
2. I think it’d be nice to have an IAM role per project-domain. You can also have it per workflow; it depends on the use case. Task should be ok, too. I might have to ask <@UPTRGR537> or <@U016RNZDZRS> to chime in here.
3. `flyte.config` holds the configuration for FlyteRemote or the execution-related parameters (e.g., <https://github.com/flyteorg/flytelab/blob/main/templates/basic/%7B%7Bcookiecutter.project_name%7D%7D/dashboard/remote.config>) and `~/flyte/config.yaml` is for Flytectl. We’re revamping this flow where `flyte.config` is no more required; the release with these changes should be out very soon!

For 2. Per project-domain level IAM role / Service account is coming in new release .