seunggs

09/23/2022, 12:24 AM
Been struggling with s3 PutObject access denied issue for days now (@Yee I’m posting a new one here because the existing Slack thread won’t load for me for some reason). Any idea why having a service account with the flyte-user-role (which has full s3 access) attached as an annotation still gives me PutObject access denied error?

Ketan (kumare3)

09/23/2022, 12:35 AM
@seunggs what do you mean by attached as an annotation?
are you using IAM for ServiceAccounts in AWS
or using kIAM?

seunggs

09/23/2022, 12:37 AM
I’m using IAM for ServiceAccounts in AWS. And so my SA looks like this
apiVersion: v1
imagePullSecrets:
- name: gcr-json-key
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::xxx:role/flyte-user-role
  name: flyte-executor
  namespace: shelly-robotics-bipedal-robot-development

Ketan (kumare3)

09/23/2022, 12:38 AM
did you pass the service-account when you execute,
from launch-form, set the value

seunggs

09/23/2022, 12:38 AM
Yes
As per @Yee’s suggestion, I created a temporary pod in the same namespace and exec’d into the pod and ran aws cli command to add something to a bucket and it worked fine, but it won’t work from the dashboard

Ketan (kumare3)

09/23/2022, 12:38 AM
hmm
that is odd
how can i help in that?

seunggs

09/23/2022, 12:39 AM
It is really strange - seems like this should work

Ketan (kumare3)

09/23/2022, 12:39 AM
just ensure that your pod did in fact get the account
ohh one last thing can be, version of aws cli
or try using fsspec plugin

seunggs

09/23/2022, 12:39 AM
aws cli?

Ketan (kumare3)

09/23/2022, 12:40 AM
that is installed in your dockerfile

seunggs

09/23/2022, 12:40 AM
You mean a version mismatch?

Ketan (kumare3)

09/23/2022, 12:40 AM
ya for aws oidc you need a newer version maybe

seunggs

09/23/2022, 12:40 AM
hmm
OK I’ll check that out - thanks