# flyte-support
m
Hi flyte team, we would like to acquire google service account credential in the task, is there any practice? like how to mount the volume to the task? Thanks
e
I'm not sure if there is a better way, but you can use `ImageSpec` to copy a file or directory into the container's `/root`. Here you can copy the credential file into the container, then set `GOOGLE_APPLICATION_CREDENTIALS` in env.
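```python
from flytekit import ImageSpec, task

# Copies credential.json into the image (under /root) and points the
# Google client libraries at it via GOOGLE_APPLICATION_CREDENTIALS.
image_spec = ImageSpec(
    name="image",
    registry="localhost:30000",
    copy=["credential.json"],
    env={"GOOGLE_APPLICATION_CREDENTIALS": "/root/credential.json"},
)

@task(container_image=image_spec)
...
```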
m
our secops is asking us not to put the credential file into docker image
d
m
I'll look into this, thanks!
g
Are you running in GKE, @mammoth-quill-44336?
m
@gentle-tomato-480 yes
it seems like imagespec packs our credential file automatically
so we are trying to decouple it
g
A cloud vendor agnostic approach is to use secrets https://docs.flyte.org/en/latest/user_guide/productionizing/secrets.html
Another way would be to create a k8s service account, annotate it with the google service account like you do with the default service account and add an IAM policy binding for the workload identity federation thing. https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#kubernetes-sa-to-iam Then for the task you would pass a podtemplate where you specify it to use the newly created k8s service account and then the credentials should be automatically available in the container. Bit more steps, but then you don't need to use secrets and locally
m
thanks, will look into it!
c
thanks @gentle-tomato-480 hey @mammoth-quill-44336 is it working for you? Do you need additional help?
m
Hi David, we are solving some permission issue here, when it comes to technical, I will reach out, thank you so much for following up