Hi, a few questions regarding permissions and configuration: • What is the preferred way to provide identities for task Pods? Would you specify IAM Role in Launch Plan, or provide an Service Account in the

flyte.config

? • Is it best practice to assign a SA/IAM role for each task, or reuse the same identity on a workflow basis? • What should be configured in

flyte.config

vs

~/.flyte/config.yaml

?

Hello @helpful-crowd-74546! 1. Both are identical. Providing an IAM role in

flyte.config

is kinda general, whereas IAM role for a specific launch plan is helpful if you want to override the value in

flyte.config

or the default value. 2. I think it’d be nice to have an IAM role per project-domain. You can also have it per workflow; it depends on the use case. Task should be ok, too. I might have to ask @icy-agent-73298 or @great-school-54368 to chime in here. 3.

flyte.config

holds the configuration for FlyteRemote or the execution-related parameters (e.g., https://github.com/flyteorg/flytelab/blob/main/templates/basic/%7B%7Bcookiecutter.project_name%7D%7D/dashboard/remote.config) and

~/flyte/config.yaml

is for Flytectl. We’re revamping this flow where

flyte.config

is no more required; the release with these changes should be out very soon!

For 2. Per project-domain level IAM role / Service account is coming in new release .