# flyte-support
c
Hi all, I have an issue when running a workflow remotely to a different project name. I can successfully run a workflow inside the "flytesnacks" project name:

```
pyflyte run --remote -p flytesnacks -d development wine_classification_example.py training_workflow
```

but the same project failed when I run the same workflow inside the "flyteexamples" project name:

```
pyflyte run --remote -p flyteexamples -d development wine_classification_example.py training_workflow
```

error: Not authorized to perform sts:AssumeRoleWithWebIdentity

Note: I did the flyte cluster deployment in AWS following the Terraform process. When I deployed flyte I only added "flytesnacks" to flyte_projects. But I can see in the flyte console two more projects that I didn't add: "flyteexamples" and "flytetester".

```
locals {
  project     = "flyte"
  environment = "aquassist"
  name_prefix = "${local.project}-${local.environment}"
  account_id  = data.aws_caller_identity.current.account_id
  domain_name = "flyte.${data.aws_route53_zone.zone.name}"

  # Change this only if you need to add more projects in the default installation
  flyte_projects = ["flytesnacks"]
  flyte_domains  = ["development", "staging", "production"]
}
```

Thanks in advance for your help!
a
Oh, good catch. Yes, those additional projects come with the `flyte-core` Helm chart, but by default the Terraform module configures workload identity only for the namespaces you specify in `locals`. If you add those projects there and run a Terraform plan/apply then it should work. Otherwise please file an Issue to fix it.
c
Thanks @average-finland-92144 I tried to add a project using `flytectl`:

```
flytectl create project --name aquassist --id aquassist --description "pta titration model to speed up the titration" --labels app=pta
```
I can see the project in the console, but I am getting the same error "error: Not authorized to perform sts:AssumeRoleWithWebIdentity" when running the workflow below

```
pyflyte run --remote -p aquassist -d development wine_classification_example.py training_workflow
```
So your recommendation is to add new projects by running Terraform plan/apply. Maybe I am not executing the `flytectl create project` command properly. Thanks
After running Terraform plan/apply the added project "aquassist" is now running workflows without issues.

```
flyte_projects         = ["flytesnacks", "aquassist"]
flyte_domains          = ["development", "staging", "production"]
```
a
Awesome. Just for reference, this is a 2 step process: `flytectl create project` is enough to create a project and enable flyte to run executions there (without mentioning that Flyte creates the namespaces automatically). In this case, as the Terraform modules are designed to resemble a production deployment, they use IAM Roles for Service Accounts which, among other things, create a mapping between SAs on the specific namespaces where workflows will run. So while Flyte doesn't need IRSA, in this case it's a requirement. It protects you from accidental/unintended project creation and centralizes authorization config on IAM.
c
perfect. Thanks