Hi all I have an issue when running a workflow remotely to a Flyte #flyte-support

Hi all, I have an issue when running a workflow re...

cold-hydrogen-56106

02/05/2025, 12:02 PM

Hi all, I have an issue when running a workflow remotely to a different project name I can run successfully a workflow inside the "flytesnacks" project name pyflyte run --remote -p flytesnacks -d development wine_classification_example.py training_workflow but the same project failed when I run the same workflow inside the "flyteexamples" project name pyflyte run --remote -p flyteexamples -d development wine_classification_example.py training_workflow error: Not authorized to perform sts:AssumeRoleWithWebIdentity Note: I did the flyte cluster deployment in AWS following the Terraform process. When I deployed flyte I only added "flytesnacks" to flyte_projects. But I can see in the flyte console two more projects that I didn't add "*flyteexamples" and "flytetester".* locals { project = "flyte" environment = "aquassist" name_prefix = "${local.project}-${local.environment}" account_id = data.aws_caller_identity.current.account_id domain_name = "flyte.${data.aws_route53_zone.zone.name}" # Change this only if you need to add more projects in the default installation flyte_projects = ["flytesnacks"] flyte_domains = ["development", "staging", "production"] } Thanks in advance for your help!

flyte-error.rtf

average-finland-92144

02/05/2025, 2:32 PM

Oh good catch. Yes, those additional projects come with the

flyte-core

Helm chart but by default, the Terraform module configure workload identity only for the namespaces you specify in

locals

average-finland-92144

02/05/2025, 2:33 PM

If you add those projects there and run a Terraform plan/apply then it should work. Otherwise please file an Issue to fix it

cold-hydrogen-56106

02/05/2025, 3:26 PM

Thanks @average-finland-92144 I tried to add a project using

flytectl

Copy code

flytectl create project --name aquassist --id aquassist --description "pta titration model to speed up the titration" --labels app=pta

I can see the project in the console, but I am getting the same error "error: Not authorized to perform sts:AssumeRoleWithWebIdentity" when running the workflow below

Copy code

pyflyte run --remote -p aquassist -d development wine_classification_example.py training_workflow

So your recommendation is to add new projects by running Terraform plan/apply. Maybe I not executing properly the

flytectl create project

command. Thanks

cold-hydrogen-56106

02/05/2025, 4:00 PM

After running Terraform plan/apply the added project "aquassist" is now running workflows without issues.

Copy code

flyte_projects         = ["flytesnacks", "aquassist"]
flyte_domains          = ["development", "staging", "production"]

average-finland-92144

02/05/2025, 4:01 PM

awesome just for reference, this is a 2 step process:

flytectl create project

is enough to create a project and enable flyte to run executions there (without mentioning that Flyte creates the namespaces automatically). In this case, as the Terraform modules are designed to resemble a production deployment, they use IAM roles for Service Account which, among other things, create a mapping between SAs on the specific namespaces where workflows will run. So while Flyte doesn't need IRSA, in this case it's a requirement. It protect you from accidental/unintended project creation and centralizes authorization config on IAM

cold-hydrogen-56106

02/05/2025, 4:04 PM

perfect. Thanks

3 Views

Open in Slack

Previous Next