like if i can provide a cookis in config.yaml in ....
# flyte-supporte
early-addition-41415
03/27/2025, 8:38 PMlike if i can provide a cookis in config.yaml in .flyte and then whosoever has that cookie only abel to access
a
average-finland-92144
03/27/2025, 9:35 PMoh I don't think this is available as a cookie, but I think the closest is the ClientCredentials flow
You add to. your config.yaml
Copy code
admin:
...
authType: ClientCredentials
clientSecretLocation: /etc/secrets/client_secretaverage-finland-92144
03/27/2025, 9:36 PMit can be registered to the flyteadmin internal auth server or one coming from your IdP
average-finland-92144
03/27/2025, 9:36 PMand you also need OIDC
e
early-addition-41415
03/27/2025, 9:36 PMohh cool
early-addition-41415
03/27/2025, 9:36 PMi have setup OIDC
a
average-finland-92144
03/27/2025, 9:36 PMI'm documenting this as we speak btw
e
early-addition-41415
03/27/2025, 9:36 PMi am abel to authenticate
early-addition-41415
03/27/2025, 9:36 PMbut stuck up in authorization now
early-addition-41415
03/27/2025, 9:36 PMi was using pkce
early-addition-41415
03/27/2025, 9:37 PMwith oidc thats not correct?
a
average-finland-92144
03/27/2025, 9:38 PMThat's the default flow and it's correct too
average-finland-92144
03/27/2025, 9:38 PMcan you get logs from the flyteadmin pod?
e
early-addition-41415
03/27/2025, 9:38 PMi am susing googlr
early-addition-41415
03/27/2025, 9:38 PM Copy code
Google IdP
Google IdP does not offer an OAuth2 Authorization Server that could be used to protect external services (For example Flyte). In this case, Google offers a separate Cloud Product called Google Cloud Identity. Configuration for Cloud Identity is not included in this guide. If unavailable, setup can stop here and FlyteAdmin BuiltIn OAuth2 Authorization Server can be used instead.early-addition-41415
03/27/2025, 9:38 PMi see this
a
average-finland-92144
03/27/2025, 9:39 PMyeah I'm not sure that's up to date
average-finland-92144
03/27/2025, 9:39 PMfor PKCE you should be fine with Google as OIDC layer and flyteadmin as the authz server
e
early-addition-41415
03/27/2025, 9:39 PMso i am using flyte binary
a
average-finland-92144
03/27/2025, 9:39 PMgotcha, so logs from that pod
e
early-addition-41415
03/27/2025, 9:40 PMahh
Copy code
{
"json": {
"src": "handlers.go:91"
},
"level": "error",
"msg": "Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present",
"ts": "2025-03-27T21:38:23Z"
}early-addition-41415
03/27/2025, 9:40 PMam i missing something
a
average-finland-92144
03/27/2025, 9:40 PMany other error?
average-finland-92144
03/27/2025, 9:41 PMcould you also share your backend config? like the values you used to setup this
e
early-addition-41415
03/27/2025, 9:43 PM Copy code
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:309"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:317"},"level":"debug","msg":"Failed to parse ID Token from context. Error: [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}early-addition-41415
03/27/2025, 9:43 PMso i craeted an app in google and then i generated a random passwd and then hash it
early-addition-41415
03/27/2025, 9:44 PM Copy code
{"json":{"src":"cookie.go:80","x-request-id":"a-v8f4krwhj4nb54blms7x"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:299"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:309"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:317"},"level":"debug","msg":"Failed to parse ID Token from context. Error: [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"cookie.go:80","x-request-id":"a-5rfnq8cqd7zm7w47cf5z"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:299"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:309"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:317"},"level":"debug","msg":"Failed to parse ID Token from context. Error: [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"cookie.go:80"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:91"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:147"},"level":"debug","msg":"Setting CSRF state cookie to 4iram6bmhq and state to a0208ff5a7391cc93f80d981ac0afabeecb34c47f9acd2d41412dff80b632a36\n","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handler_utils.go:166"},"level":"debug","msg":"not validating whether relative redirect url is authorized","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:34Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:34Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:34Z"}
{"json":{"src":"cookie.go:80"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"handlers.go:91"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"handlers.go:147"},"level":"debug","msg":"Setting CSRF state cookie to 877sitiuuw and state to 598dcebd4a0075f74be828969e530f6c317909057738abad782319f5f6990b1a\n","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"handler_utils.go:169"},"level":"debug","msg":"validating whether redirect url: <https://flyte.hyperpod.labs.lumalabs.ai/console/select-project> is authorized","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"handler_utils.go:173"},"level":"debug","msg":"authorizing redirect url: <https://flyte.hyperpod.labs.lumalabs.ai/console/select-project> against authorized uri: <https://flyte.hyperpod.labs.lumalabs.ai/console/callback>","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:36Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:36Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:36Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:37Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:37Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:37Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:38Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:38Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:38Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:39Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:39Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:39Z"}
{"json":{"src":"execution_stats.go:63"},"level":"debug","msg":"Execution stats: ActiveExecutions: 0 ActiveNodes: 0, ActiveTasks: 0","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"client.go:171"},"level":"info","msg":"AgentDeployments support the following task types: [task_type_1, task_type_2]","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"cookie.go:80","x-request-id":"a-fh8tkfmjwv766mf4ctrv"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"handlers.go:299"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"handlers.go:309"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"handlers.go:317"},"level":"debug","msg":"Failed to parse ID Token from context. Error: [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:40Z"}early-addition-41415
03/27/2025, 9:44 PMthis is whats coming when i try to login
a
average-finland-92144
03/27/2025, 9:47 PMfrom the logs, the redirectUri you configure in Google should be this:
<https://flyte.hyperpod.labs.lumalabs.ai>e
early-addition-41415
03/27/2025, 9:47 PMearly-addition-41415
03/27/2025, 9:47 PMis this not correct?
a
average-finland-92144
03/27/2025, 9:48 PMno
Authorized redirect URI should be
<https://flyte.hyperpod.labs.lumalabs.ai>e
early-addition-41415
03/27/2025, 9:48 PMmy issue was even with annotation alb was not redirecting
early-addition-41415
03/27/2025, 9:48 PMas per doc
Copy code
Create an OAuth2 Client Credential following the official documentation and take note of the client_id and client_secret
In the Authorized redirect URIs field, add <http://localhost:30081/callback> for sandbox deployments, or https://<your-deployment-URL>/callback for other methods of deployment.early-addition-41415
03/27/2025, 9:48 PMi can try what you said now
a
average-finland-92144
03/27/2025, 9:49 PMright, your deployment goes without
consolehoste
early-addition-41415
03/27/2025, 9:49 PMchanged that in googl enow
early-addition-41415
03/27/2025, 9:50 PMchange din helm and redeplyiong
early-addition-41415
03/27/2025, 9:52 PMwhy i am getting this
Copy code
Error 400: redirect_uri_mismatchearly-addition-41415
03/27/2025, 9:52 PMScreenshot 2025-03-27 at 2.52.21 PM.png
a
average-finland-92144
03/27/2025, 9:53 PMah sorry!!
Authorized redirect URI should be `https://flyte.hyperpod.labs.lumalabs.ai/callback`in Google
AND
<https://flyte.hyperpod.labs.lumalabs.ai>e
early-addition-41415
03/27/2025, 9:53 PMhahah thats what i was sayiong earlier 🙂
a
average-finland-92144
03/27/2025, 9:54 PMhaha sorry I'm on many threads now
e
early-addition-41415
03/27/2025, 9:55 PMstill no luck
early-addition-41415
03/27/2025, 9:55 PMdo i need to restart the app
early-addition-41415
03/27/2025, 9:55 PMi made th change in google
a
average-finland-92144
03/27/2025, 9:56 PMmaybe a deployment restart doesn't hurt, executions should progress regardless
e
early-addition-41415
03/27/2025, 9:57 PMdone
early-addition-41415
03/27/2025, 9:57 PMlets see
early-addition-41415
03/27/2025, 9:58 PMand my flyet config is
Copy code
admin:
# For GRPC endpoints you might want to use dns:///flyte.myexample.com
endpoint: <http://flyte.hyperpod.labs.lumalabs.ai:443|flyte.hyperpod.labs.lumalabs.ai:443> #Replace with your domain name
authType: Pkce
# authType: ClientCredentials
# clientSecretLocation: /etc/secrets/client_secret
insecure: false
insecureSkipVerify: false
logger:
show-source: true
level: 6early-addition-41415
03/27/2025, 9:58 PMis this correct?
early-addition-41415
03/27/2025, 9:58 PMthat worked
early-addition-41415
03/27/2025, 9:58 PMtysm
early-addition-41415
03/27/2025, 9:59 PMok last qt for now 🙂 how can i assign people rbac access to flyte
early-addition-41415
03/27/2025, 9:59 PMis it based on my EKS cluster??
a
average-finland-92144
03/27/2025, 10:24 PMIf using an external auth server you can map the flyte app to a group of users but that's the extent of what's available in Flyte.
Union comes with RBAC out of the box.
It lets you assign policies to users at the project-domain level
https://docs.union.ai/byoc/user-guide/administration/user-management
Happy to demo if needed
e
early-addition-41415
03/27/2025, 10:25 PMhow can i map??
a
average-finland-92144
03/27/2025, 10:26 PMFor example in Okta, you can assign the app to groups inside your org
average-finland-92144
03/27/2025, 10:26 PMNot sure how it's done in Google
e
early-addition-41415
03/27/2025, 10:26 PMahh ok i will check in google i think its based on identity center but will check
a
average-finland-92144
03/27/2025, 10:26 PMAnd you should be using Google as the authz server too, not flyteadmin
e
early-addition-41415
03/27/2025, 10:28 PMsure i will check how
3 Views