Channels
#flyte-deployment
Title
# flyte-deployment
l
Laura Lin
10/18/2022, 11:30 PMHalf solved the issue ^ and now I'm getting a s3 putObject auth error
Copy code
lytekit.exceptions.user.FlyteAssertion: Failed to put data from /tmp/flyte-gnaguqof/sandbox/local_flytekit/engine_dir to <s3://flyte-bucket/metadata/propeller/flytetester-development-a9xg68jktjbhd7nz7sc7/n0/data/0> (recursive=True).
Original exception: Called process exited with error code: 1. Stderr dump:
b'upload failed: ../../tmp/flyte-gnaguqof/sandbox/local_flytekit/engine_dir/error.pb to <s3://flyte-bucket/metadata/propeller/flytetester-development-a9xg68jktjbhd7nz7sc7/n0/data/0/error.pb> An error occurred (AccessDenied) when calling the PutObject operation: Access Denied\n'AWS_ROLE_ARN<s3://flyfte-bucket/metadata/propeller/flytetester-development-a9xg68jktjbhd7nz7sc7/n0/data/inputs.pb>awscli==1.25.94actually, now that I'm looking at it:
aws says the
flyte-user-rolemessage has been deleted
Can it be this? This says default instead of flyte-user-role?
k
Ketan (kumare3)
10/19/2022, 12:11 AM
you have to use the service account
did you IAM for serviceaccounts?
and then associate that to the execution
you can ofcourse have a default for a project/domain
l
Laura Lin
10/19/2022, 12:12 AMI'm launching these from the UI. How can I set the default for the project?
k
Ketan (kumare3)
10/19/2022, 12:12 AM
you have to open the fold “Advanced Options”
l
Laura Lin
10/19/2022, 12:13 AMisnt that for specific execution?
k
Ketan (kumare3)
10/19/2022, 12:13 AM
and to set the default - either when you register set the service account - or when you run with pyflyte run
Copy code
pyflyte run --service-accountl
Laura Lin
10/19/2022, 12:14 AMwhich arg is it in
flytectl registerk
Ketan (kumare3)
10/19/2022, 12:15 AM
so this will help you set the default per project/domain ^
and in register
pyflyte register --service-account=“…”
l
Laura Lin
10/19/2022, 12:16 AMI still get the error with
k
Ketan (kumare3)
10/19/2022, 12:16 AM
ohh not iam role
service account
sorry about the confusion here
iam role only works if you use kIAM (which I think you dont)
l
Laura Lin
10/19/2022, 12:21 AMis this simiar to https://docs.flyte.org/projects/cookbook/en/latest/auto/deployment/deploying_workflows.html#pulling-images-from-a-private-container-image-registry?
attach the iamrole to the kube service ccount
k
Ketan (kumare3)
10/19/2022, 12:21 AM
similarish
the EKS IAM role for ServiceAccounts is a thing that AWS has
you have to follow specific steps that they have
check the doc link on AWS that I shared
l
Laura Lin
10/19/2022, 12:23 AMis this something that you always have to do for EKS deployments?
Wondering if I missed it in the https://docs.flyte.org/en/latest/deployment/aws/manual.html
https://docs.flyte.org/en/latest/deployment/aws/manual.html#oidc-provider-for-the-eks-cluster there's some stuff here that has to do with the iamroles. I did do this.
so for following the doc you shared, the IAM role I use is flyte-user-role and if I've been using the default kube service account, then default for that too?
oh i got it working
k
Ketan (kumare3)
10/19/2022, 1:44 AM
Sorry busy with kids now - but yeahhhh
h
Hiromu Hota
01/06/2023, 6:17 PMIt worked for us too!
For posterity and more concrete example, I annotated the default service account for each namespace like this:
Copy code
$ kubectl annotate serviceaccount -n flytesnacks-development default <http://eks.amazonaws.com/role-arn=arn:aws:iam::xxxx:role/flyte-user-role|eks.amazonaws.com/role-arn=arn:aws:iam::xxxx:role/flyte-user-role> Copy code
$ kubectl describe pod f81f7df8fd03f4f84b45-n0-0 -n flytesnacks-development | grep AWS
AWS_STS_REGIONAL_ENDPOINTS: regional
AWS_DEFAULT_REGION: xxxxxx
AWS_REGION: xxxxxx
AWS_ROLE_ARN: arn:aws:iam::xxxxx:role/flyte-user-role
AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/tokenk
Ketan (kumare3)
01/06/2023, 7:00 PM
cc @David Espejo (he/him) to ensure we can capture some of the learnings here
91 Views