Channels
announcements
ask-the-community
auth
conference-talks
contribute
databricks-integration
datahub-flyte
deployment
ecosystem-unionml
engineeringlabs
events
feature-discussions
flyte-bazel
flyte-build
flyte-console
flyte-deployment
flyte-documentation
flyte-github
flyte-on-gcp
flyte-ui-ux
flytekit
flytekit-java
flytelab
great-content
hacktoberfest-2022
helsing-flyte
in-flyte-conversations
integrations
introductions
jobs
konan-integration
linkedin-flyte
random
ray-integration
ray-on-flyte
release
scipy-2022-sprint
show-and-tell
sig-large-models
torch-elastic
workflow-building-ui-proj
writing-w-sfloris
Title
r
Robin Eklund
11/16/2022, 4:14 PMHey!
Do anyone know if it is possible/where to set session duration on the role which is assumed when running a workflow?
I have a task which is running for some time (~5min) and then i get this error:
flytekit.exceptions.scopes.FlyteScopedUserException: An error occurred (ExpiredToken) when calling the AssumeRole operation: The security token included in the request is expiredCalled process exited with error code: 1. Stderr dump:\n\nb'upload failed: ../../tmp/flyte-kvw3xxto/sandbox/local_flytekit/engine_dir/error.pb to s3://<s3_bucket>/metadata/propeller/<project_name>-development-<execution_id>/n1/data/0/error.pb An error occurred (AccessDenied) when calling the PutObject operation: Access Deniedsecurity_context = SecurityContext(
run_as=Identity(
iam_role=None,
k8s_service_account=f"my-aws-role",
),
)
LaunchPlan.get_or_create(
name="my_lp",
workflow=my_wf,
security_context=security_context,
)s
Samhita Alla
11/17/2022, 5:26 AM@Prafulla Mahindrakar, do you know how to set the session duration?
p
Prafulla Mahindrakar
11/17/2022, 6:05 AM@Robin Eklund
Also can you verify aswell the assumed IAM role has the PutObject permissions. You can verify this by checking the service account annotated role.
kubectl get sa -n /<project_name>-development my-aws-role -o yamlr
Robin Eklund
11/17/2022, 6:54 AM@Samhita Alla and @Prafulla Mahindrakar thanks for your response!
in the article it says default session duration is one hour - but i get this error after ~5min 🤔
I ran the command to check permissions, this is what i get:
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: arn:aws:iam::<aws_account_id>:role/eks/MyAwsRole
creationTimestamp: "2022-10-28T11:24:50Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:automountServiceAccountToken: {}
f:metadata:
f:annotations:
.: {}
f:<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: {}
manager: HashiCorp
operation: Update
time: "2022-10-28T11:24:50Z"
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:secrets:
.: {}
k:{"name":"my-aws-role-token-pvz2l"}: {}
manager: kube-controller-manager
operation: Update
time: "2022-10-28T11:24:50Z"
name: my-aws-role
namespace: <project_name>-development
resourceVersion: "20306065"
uid: <UUID>
secrets:
- name: my-flyte-role-token-pvz2lbased on how the role is created these are the permissions:
s3:GetBucketLocation
s3:GetObject
s3:ListBucket
s3:ListBucketMultipartUploads
s3:ListMultipartUploadParts
s3:AbortMultipartUpload
s3:PutObject
s3:DeleteObject
s3:ListAllMyBucketsalso verified the role has 1 hour max session duration:
p
Prafulla Mahindrakar
11/17/2022, 7:12 AMThat looks ok.
Is there a log to indicate that an upload had succeeded before the timeout.
This can also be verified if the bucket where you are uploading has any objects.
If there are not objects then we can check more from permissions side
Another thing to check is the role infact being used by the flyte-pods. It should ideally be the same you have mentioned in launch but would be good to check.
You can get this by doing
kubectl get pod -n <project_name>-development <execuitid>-* -o yamlAlso the role that you have mentioned , are these for all buckets in your account
r
Robin Eklund
11/17/2022, 7:15 AMthere is lots of subfolders inside that bucket - so i guess the put permission is correct. When i run shorter tasks, < 5min, i don't get this error
i have verified this before with running
aws sts get-caller-identitythe command you sent didn't find the execution - but ran it without the filter and then i found it - and yes it is using the correct role
i assume i should check the
AWS_ROLE_ARNp
Prafulla Mahindrakar
11/17/2022, 7:25 AMthats strange , yes the AWS_ROLE_ARN that you have configured for accessing the bucket .
For < 5min duration , you do see those executions here
s3://<s3_bucket>/metadata/propeller/r
Robin Eklund
11/17/2022, 7:39 AMLet me double check the metadata folder
so there is lots of subfolders with different executions under /metadata/propeller, but not the one which failed due to this error
p
Prafulla Mahindrakar
11/17/2022, 7:45 AMOk then it definitely an issue with long running executions. We haven’t seen this in our community AFAIK . Are you using non-default IDP in your EKS cluster .
c c: @Haytham Abuelfutuh
r
Robin Eklund
11/17/2022, 8:52 AMWe use Flyte IDP for flytctl and all other internal services. Service Accounts are connected to IAM with OIDC.
btw. @Prafulla Mahindrakar if a call would make debugging easier i would be up for that. And thanks again for taking your time!
@Prafulla Mahindrakar @Haytham Abuelfutuh we had some logging issues (not related to flyte) - which were the confusing part. Actually the job was running for 1 hour before we got this error - so we will just increase the session duration on the role within AWS.
Thanks for taking your time 🙏
a
Andrew Korzhuev
11/17/2022, 11:48 AMOn EKS service account it's possible to set session duration via annotation:
https://github.com/aws/amazon-eks-pod-identity-webhook if your role is configured with correct max session duration as well
p
Prafulla Mahindrakar
11/17/2022, 12:21 PMThanks for sharing this @Andrew Korzhuev, this can then probably be synced through the cluster resource controller if enabled along with the role annotations on the service account.