cold-hydrogen-56106
02/05/2025, 12:02 PMaverage-finland-92144
02/05/2025, 2:32 PMflyte-core
Helm chart but by default, the Terraform module configure workload identity only for the namespaces you specify in locals
average-finland-92144
02/05/2025, 2:33 PMcold-hydrogen-56106
02/05/2025, 3:26 PMflytectl
flytectl create project --name aquassist --id aquassist --description "pta titration model to speed up the titration" --labels app=pta
I can see the project in the console, but I am getting the same error "error: Not authorized to perform sts:AssumeRoleWithWebIdentity" when running the workflow below
pyflyte run --remote -p aquassist -d development wine_classification_example.py training_workflow
So your recommendation is to add new projects by running Terraform plan/apply. Maybe I not executing properly the flytectl create project
command. Thankscold-hydrogen-56106
02/05/2025, 4:00 PMflyte_projects = ["flytesnacks", "aquassist"]
flyte_domains = ["development", "staging", "production"]
average-finland-92144
02/05/2025, 4:01 PMflytectl create project
is enough to create a project and enable flyte to run executions there (without mentioning that Flyte creates the namespaces automatically).
In this case, as the Terraform modules are designed to resemble a production deployment, they use IAM roles for Service Account which, among other things, create a mapping between SAs on the specific namespaces where workflows will run. So while Flyte doesn't need IRSA, in this case it's a requirement. It protect you from accidental/unintended project creation and centralizes authorization config on IAMcold-hydrogen-56106
02/05/2025, 4:04 PM