Hi, I have a flyte cluster on AWS with the manual ...
# flyte-deploymentb
big-glass-22633
05/18/2022, 8:27 PMHi, I have a flyte cluster on AWS with the manual setup. I'm having trouble registering workflows, for example trying to register the examples with
flytectl register examples -d development -p flytesnacks Copy code
Error: example 0xc0006ae770 failed to register rpc error: code = Internal desc = failed to write marshaled workflow [resource_type:WORKFLOW project:"flytesnacks" domain:"development" name:"blast.blastx_example.blast_wf" version:"v0.3.81" ] to storage <s3://flyte-cluster-bucket/metadata/admin/flytesnacks/development/blast.blastx_example.blast_wf/v0.3.81> with err Failed to write data [3170b] to path [metadata/admin/flytesnacks/development/blast.blastx_example.blast_wf/v0.3.81].: PutObject, putting object: WebIdentityErr: failed to retrieve credentials
caused by: ValidationError: Request ARN is invalida
acceptable-policeman-57188
05/18/2022, 8:34 PM
hey it looks like flyteadmin is failing to offload the remote workflow closure. can you share what's in the storage block of your flyteadmin config? does the flyteadmin service account have s3 put permissions?
b
big-glass-22633
05/18/2022, 9:27 PMconfig is
Copy code
storage:
type: s3
connection:
auth-type: iam
region: us-east-2
container: flyte-cluster-bucketbig-glass-22633
05/18/2022, 9:29 PMThe service account on the helm chart is
Copy code
serviceAccount:
# -- If the service account is created by you, make this false, else a new service account will be created and the iam-role-flyte will be added
# you can change the name of this role
create: true
annotations:
<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: arn:aws:iam::{{ .Values.userSettings.accountNumber }}:role/iam-role-flytea
acceptable-policeman-57188
05/18/2022, 9:55 PM
stupid question, but just to double check does it have s3 access for the
Copy code
<s3://flyte-cluster-bucket>b
big-glass-22633
05/18/2022, 10:02 PMthere's no policy on the bucket
a
acceptable-policeman-57188
05/19/2022, 6:51 PM
cc @great-school-54368 @high-park-82026
b
big-glass-22633
05/23/2022, 2:35 PMis there a way to know what ARN is causing the error? maybe I can debug it with that
big-glass-22633
05/23/2022, 2:41 PMI tried adding this very permissive policy on the bucket, but got the same result:
Copy code
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::flyte-cluster-bucket"
}
]
}a
acceptable-policeman-57188
05/23/2022, 4:07 PM
does
iam-role-flyteacceptable-policeman-57188
05/23/2022, 4:10 PM
the arn thing is confusing, not the erorr i would expect to see re: permissions 😕
b
big-glass-22633
05/23/2022, 6:25 PMthe problem was unrelated to AWS config, the problem was I had the Account ID without quotes in the Helm yaml
big-glass-22633
05/23/2022, 6:25 PMthanks for your help
a
acceptable-policeman-57188
05/23/2022, 6:26 PM
oh, annoying! thanks for the update and glad you figured it out
b
big-glass-22633
05/23/2022, 6:26 PMI would change the "AWS (EKS) Manual Setup" document so that the Sample Value for the account ID to be
"173113148371"173113148371a
acceptable-policeman-57188
05/23/2022, 7:00 PM
hey @big-glass-22633 would you want to open a PR for that 😄 or file an issue to track?
b
big-glass-22633
05/23/2022, 7:49 PMa
acceptable-policeman-57188
05/23/2022, 8:26 PM
awesome, thank you!
402 Views