Channels
announcements
ask-the-community
auth
conference-talks
contribute
databricks-integration
datahub-flyte
deployment
ecosystem-unionml
engineeringlabs
events
feature-discussions
flyte-bazel
flyte-build
flyte-console
flyte-deployment
flyte-documentation
flyte-github
flyte-on-gcp
flyte-ui-ux
flytekit
flytekit-java
flytelab
great-content
hacktoberfest-2022
helsing-flyte
in-flyte-conversations
integrations
introductions
jobs
konan-integration
linkedin-flyte
random
ray-integration
ray-on-flyte
release
scipy-2022-sprint
show-and-tell
sig-large-models
torch-elastic
workflow-building-ui-proj
writing-w-sfloris
Title
j
Jacob Wang
09/29/2022, 11:52 AMHey team,
I am running tasks on AWS batch. I am wondering do I always have to explicitly specify the IAM role? Is there a way to omit it? The default role to run the workflow is the same when it runs on batch.
k
Ketan (kumare3)
09/29/2022, 1:40 PMBy default Flyte is using the serviceaccount. It is not possible to convert from service accounts to role arn (afaik) - but you should be able to set a project level default to always use for every execution . Cc @Yee
g
Geoff Salmon
09/29/2022, 4:08 PMWhat form of config or flytectl command does this "project level default" take? We were looking at something similar for a IAM role passed to SageMaker and were considering either workflow params set in a launchplan or a ConfigMap created in the cluster-resources with the role ARN populated via cluster-resource-attributes.
Are we missing another option?
We're looking at how to serialize the workflow once and register it with flyte instances in multiple AWS accounts, so want parameterize things that will vary account to account.
y
Yee
09/29/2022, 4:10 PMsorry but this feature is not out yet. merging soon I hope. currently you can only set them on a project and domain basis - not for the whole project.
it’ll be a couple extra steps but it will do the same thing
project level to be out shortly
g
Geoff Salmon
09/29/2022, 4:11 PMwhat does the current project+domain feature look like? Is this
cluster-resource-attributesy
Yee
09/29/2022, 4:11 PMflytectl --config ~/.flyte/config.yaml update workflow-execution-config --attrFile wec.yamldomain: staging
project: flytesnacks
security_context:
run_as:
k8s_service_account: default
ytong@argus:/opt/local@Jacob Wang you can associate an eks service account with an iam role. take a look at the instructions here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
g
Geoff Salmon
09/29/2022, 4:13 PMhmm, maybe I misunderstood and co-opted this thread in the wrong direction. 🙂 I thought we were talking about setting an IAM role ARN that could be passed to AWS services by a workflow, not setting the ServiceAccount.
y
Yee
09/29/2022, 4:13 PMafter you do that, you will see this
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: arn:aws:iam::xyz:role/development-service-flyte-userflyterole
creationTimestamp: "2021-07-20T23:35:31Z"
name: default
namespace: flytesnacks-development
resourceVersion: "45171"
uid: 4ef4157b-4092-4247-a21a-147c2f9e5da5
secrets:
- name: default-token-8vxf2there are cases where you can set both, but we internally set the service account and let EKS handle the auth.
i don’t entirely remember what happens if you try to set the iam role directly in that same flytectl command. @Ketan (kumare3)?
we recommend going through eks/aws for the auth.
k
Ketan (kumare3)
09/29/2022, 8:26 PMhmm the IAM role is to pass to a downstream service like AWS Batch
I think we should support it in project/domain level defaults, if not already
cc @Geoff Salmon / @Jacob Wang
g
Geoff Salmon
09/29/2022, 8:32 PMAre "project/domain level defaults" set by a flytectl command like
workflow-execution-configcluster-resource-attributesk
Ketan (kumare3)
09/29/2022, 11:18 PMyes
sorry for the delayed response