Hey team,
I am running tasks on AWS batch. I am wo...
# flyte-deploymentg
gray-lifeguard-89900
09/29/2022, 11:52 AMHey team,
I am running tasks on AWS batch. I am wondering do I always have to explicitly specify the IAM role? Is there a way to omit it? The default role to run the workflow is the same when it runs on batch.
f
freezing-airport-6809
09/29/2022, 1:40 PM
By default Flyte is using the serviceaccount. It is not possible to convert from service accounts to role arn (afaik) - but you should be able to set a project level default to always use for every execution . Cc @thankful-minister-83577
n
nutritious-london-39005
09/29/2022, 4:08 PMWhat form of config or flytectl command does this "project level default" take? We were looking at something similar for a IAM role passed to SageMaker and were considering either workflow params set in a launchplan or a ConfigMap created in the cluster-resources with the role ARN populated via cluster-resource-attributes.
Are we missing another option?
nutritious-london-39005
09/29/2022, 4:09 PMWe're looking at how to serialize the workflow once and register it with flyte instances in multiple AWS accounts, so want parameterize things that will vary account to account.
t
thankful-minister-83577
09/29/2022, 4:10 PM
sorry but this feature is not out yet. merging soon I hope. currently you can only set them on a project and domain basis - not for the whole project.
thankful-minister-83577
09/29/2022, 4:10 PM
it’ll be a couple extra steps but it will do the same thing
thankful-minister-83577
09/29/2022, 4:10 PM
project level to be out shortly
n
nutritious-london-39005
09/29/2022, 4:11 PMwhat does the current project+domain feature look like? Is this
cluster-resource-attributest
thankful-minister-83577
09/29/2022, 4:11 PM
Copy code
flytectl --config ~/.flyte/config.yaml update workflow-execution-config --attrFile wec.yaml Copy code
domain: staging
project: flytesnacks
security_context:
run_as:
k8s_service_account: default
ytong@argus:/opt/localthankful-minister-83577
09/29/2022, 4:12 PM
@gray-lifeguard-89900 you can associate an eks service account with an iam role. take a look at the instructions here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
n
nutritious-london-39005
09/29/2022, 4:13 PMhmm, maybe I misunderstood and co-opted this thread in the wrong direction. 🙂 I thought we were talking about setting an IAM role ARN that could be passed to AWS services by a workflow, not setting the ServiceAccount.
t
thankful-minister-83577
09/29/2022, 4:13 PM
after you do that, you will see this
Copy code
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: arn:aws:iam::xyz:role/development-service-flyte-userflyterole
creationTimestamp: "2021-07-20T23:35:31Z"
name: default
namespace: flytesnacks-development
resourceVersion: "45171"
uid: 4ef4157b-4092-4247-a21a-147c2f9e5da5
secrets:
- name: default-token-8vxf2thankful-minister-83577
09/29/2022, 4:14 PM
there are cases where you can set both, but we internally set the service account and let EKS handle the auth.
thankful-minister-83577
09/29/2022, 4:15 PM
i don’t entirely remember what happens if you try to set the iam role directly in that same flytectl command. @freezing-airport-6809?
thankful-minister-83577
09/29/2022, 4:15 PM
we recommend going through eks/aws for the auth.
f
freezing-airport-6809
09/29/2022, 8:26 PM
hmm the IAM role is to pass to a downstream service like AWS Batch
freezing-airport-6809
09/29/2022, 8:26 PM
I think we should support it in project/domain level defaults, if not already
freezing-airport-6809
09/29/2022, 8:26 PM
cc @nutritious-london-39005 / @gray-lifeguard-89900
👍 2
n
nutritious-london-39005
09/29/2022, 8:32 PMAre "project/domain level defaults" set by a flytectl command like
workflow-execution-configcluster-resource-attributesf
freezing-airport-6809
09/29/2022, 11:18 PM
yes
freezing-airport-6809
09/29/2022, 11:18 PM
sorry for the delayed response
165 Views