Hello, Is there a config to specify per project/domain secrets to be read by the tasks/workflows in that project/domain using

flytekit.Secret

?

as in, limit the secrets a project/domain is allowed to read?

yes. currently the only way to inject secrets is via default-env-vars-from-env-map-string-string afaiu, which will be available to all tasks irrespective which project/domain they belong.

that’s usually done on the secret manager side. What secret manager are you using? K8s secrets, AWS Secret Manager, Vault? Briefly, • K8s Secrets, you can create the secrets a project/domain is allowed to read within the namespace created for the project/domain. If an exec ran in a different project/domain, it’ll fail to mount the secret and you will get a runtime error. • AWS Secret Manager: You can configure IAM access

@Haytham Abuelfutuh thank you for the clarification. where do i specify the secrets to be mounted for a task using k8s secret manager?

@Fredrick the secrets are requested in the task itself https://docs.flyte.org/projects/cookbook/en/stable/auto/core/containerization/use_secrets.html

I already have this ^ in the code. I think there was some discussion around whether all pods end up getting access to whatever secrets they want irrespective of project or domain and if we can configure based on namespace, how to set that up in k8s secrets

can flyte tasks read any secret in the namespace they run on (assuming the serviceaccount it runs with has a role to get secret) ? or can we specify which secrets that a workflow's task can access during launch plan ?

Interesting- no, currently it's all tied to the service account only

reviving this back. how do we make secrets available to be read by tasks when using

k8s secret manager

. the doc says the below. where do i specify the secrets to be mounted/injected ?

. K8s secrets can be mounted as either files or injected as environment variables into the task pod, so if you need to make larger files available to the task, then this might be the better option.

Hey @Fredrick, apologies for the delayed responses. I'm out of office and @Ketan (kumare3) or @Yee will follow up with you... This is correct.. To double check, SECRET_GROUP represents the name of a secret object that exist in the same namespace as the execution? To troubleshoot: • Check the task pod to see if volumes were mounted for the secret, if yes, then it's likely a mismatch between the name of the secret and the name used to request the secret within the flyte task • check the task pod annotations. There should be annotations added (I forgot the name but something that has flyte and secret in the name), if they are not there, please check propeller logs around the time of task launch • if annotations are there, please check the pod webhook is running and check its logs

@Fredrick can you paste the pod spec for the task? (feel free to redact as necessary)