Apparently, our Kubernetes setup (self-managed on AWS) does not support IAM roles for service accounts. I guess the system-role can be used via

accesskey

for storage. What is the recommended alternative to use the user-role for workflows? Inject a secret as default environment variable in the k8s plugin?

Multiple options I guess, Do it outside of Flyte, inject secret using your own webhook Use flytes global secret system. - can be painful, as you have to add it Use default env car config, which will get injected all the time Use pod templates

Okay, thanks 🙏 Sounds like many options, probably going with the default env vars.

❤️

We're also on self managed kubernetes on AWS, haven't implemented this yet, but something we're looking into https://github.com/jtblin/kube2iam

Oh cool, that looks interesting. I will forward that to our infra team. How do you use user-roles in your setup?

@Katrina P / @Hanno Küpers do not know if you tried - but at lyft we used kiam (same as kube2iam in the past) - so the Iam role in launch form will pass it correctly - we should check the code On a side note. These do not scale well