Louis DiNatale
04/18/2022, 2:35 PM
Mike Zhong
04/18/2022, 2:36 PM
Prafulla Mahindrakar
04/18/2022, 2:49 PM
Louis DiNatale
04/18/2022, 2:50 PM
Ketan (kumare3)
Mike Zhong
04/18/2022, 5:44 PM
flyte-user-role
shown below. In AWS console, we have checked this role and can confirm it has full S3 permissions. Do we need to set up any trust permission to allow the node role to assume this role?
Annotations
, it is showing a different role though
Annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: false
iam.amazonaws.com/role: arn:aws:iam::763216446258:role/Dev-iam-role-flyte
kubernetes.io/psp: eks.privileged
However, both roles in IAM have full S3 permissions, not sure which one is actually being used.
Prafulla Mahindrakar
04/19/2022, 5:22 AM
iam.amazonaws.com/role
instead of
eks.amazonaws.com/role-arn
The value seems to be an ARN and not just the role name.
You can modify this behavior by updating the admin config map and adding the roleNameKey
flyteadmin:
  roleNameKey: "eks.amazonaws.com/role-arn"
  profilerPort: 10254
  eventVersion: 2
  metricsScope: "flyte:"
  metadataStoragePrefix:
    - "metadata"
    - "admin"
Louis DiNatale
04/19/2022, 1:54 PM
Mike Zhong
04/19/2022, 2:22 PM
AWS_ROLE_ARN
from the screenshot had a trust policy with an OIDC provider for a previous cluster (test deployment). We created a new cluster and created new roles but our IaC must not have updated entirely as the new roles were still trusting the old OIDC. I have made the update and we will be testing shortly, thanks for your help.
Prafulla Mahindrakar
04/19/2022, 3:51 PM
Mike Zhong
04/22/2022, 1:13 PM
Ketan (kumare3)
Mike Zhong
04/22/2022, 1:19 PM
Ketan (kumare3)
Prafulla Mahindrakar
04/22/2022, 1:50 PM