# flyte-deployment
p
Hi Flyte Crew! I'm trying to configure the flyte-binary chart that's deployed in my team's on-prem cluster to use Amazon RDS and S3. How do I use IAM rather than access/secret keys?
a
Hey Tyler, the challenge here is that things like a Trust Relationship couldn't use a scope that is known to IAM to map to a Kubernetes ServiceAccount. Moving identity between disparate environments is challenging and, AFAIK, not supported by OSS Flyte. The closest I've seen is kube2iam to make your on-prem Pods assume an IAM role.
p
Would you say it's easier to implement something like kube2iam or just go multi-cluster?
a
It depends on where you plan to set up your control and data plane clusters. Let's say:

1. On-prem control plane + data plane in AWS: as your database would be on the cloud while your flyteadmin instance is on-prem (and it requires access to the DB to persist events, record resource inventory, etc.), you'd still need secure access from on-prem to cloud.
2. On-prem data plane + control plane in AWS: now flytepropeller, running on-prem, needs access to S3 to retrieve inputs, compiled workflow definitions, etc.

So in both cases you'd need a way for your workloads to assume IAM roles.
p
We're definitely looking at situation 2. This is good insight, thanks!