admin: endpoint: dns:///<> insecure: false insecureSkipVerify: true authType: ClientSecret #command: # Set to the clientId (will be used for both Pkce and ClientSecret flows) # Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint. clientId: flytepropeller # Set to the location where the client secret is mounted. # Only needed/used for

ClientSecret

flow. clientSecretLocation: /home/<>/.flyte/clientsecret scopes: access_token

This is how it looks like

Could you please let me know which env vars need to be exported so that I can try the same

Can you please let me know how to specify the ca certificate location while running the flytekit.remote functionality

i think you might need to pass some options - https://github.com/flyteorg/flytekit/blob/b6605bc95bd6f03434aeb5ca8f69eba161924ef8/flytekit/clients/raw.py#L126

or - https://github.com/flyteorg/flytekit/blob/b6605bc95bd6f03434aeb5ca8f69eba161924ef8/flytekit/clients/raw.py#L135

this is all grpc

the thing is do not have such a setup

happy to hop on a call and work with you?

sorry for the trouble, lets chat?

Please help

Can you please send me the format of hte config file to be used for flytekit. Is the format different for flytekit vs flytectl??

Let me take a look into golang and python and see if we can reconcile

is it?

And the below is the error that I am not getting

{"asctime": "2023-01-25 185604,531", "name": "flytekit.remote", "levelname": "WARNING", "message": "This feature is still in beta. Its interface and UX is subject to change."} {"asctime": "2023-01-25 185604,761", "name": "flytekit.cli", "levelname": "ERROR", "message": "Unauthenticated RPC error <_InactiveRpcError of RPC that terminated with:\n\tstatus = StatusCode.UNAUTHENTICATED\n\tdetails = \"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken\"\n\tdebug_error_string = \"UNKNOWN:Error received from peer ipv487.254.212.1208080 {created_time:\"2023-01-25T185604.760958564+00:00\", grpc_status:16, grpc_message:\"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken\"}\"\n>, refreshing credentials and retrying\n"} E0125 185607.795258038 29608 thread_pool.cc:254] Waiting for thread pool to idle before forking E0125 185610.795462808 29608 thread_pool.cc:254] Waiting for thread pool to idle before forking E0125 185613.795641791 29608 thread_pool.cc:254] Waiting for thread pool to idle before forking E0125 185616.795816215 29608 thread_pool.cc:254] Waiting for thread pool to idle before forking

same flytectl doesnt give any issue

I am using clientsecret

I think definitely need to jump on a call to discuss this

i am really confused

so you always get a failure before retrying to get creds

this again seems to be some python issue

are you using a virtualenv

it seems like the version of grpc

sad - https://github.com/grpc/grpc/issues/31885#issuecomment-1354028785

i have seen this too

{"asctime": "2023-01-25 210923,351", "name": "flytekit.remote", "levelname": "WARNING", "message": "This feature is still in beta. Its interface and UX is subject to change."} {"asctime": "2023-01-25 210924,059", "name": "flytekit.cli", "levelname": "ERROR", "message": "Unauthenticated RPC error <_InactiveRpcError of RPC that terminated with:\n\tstatus = StatusCode.UNAUTHENTICATED\n\tdetails = \"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken\"\n\tdebug_error_string = \"UNKNOWN:Error received from peer ipv410.183.180.0443 {grpc_message:\"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken\", grpc_status:16, created_time:\"2023-01-25T210924.058945058+02:00\"}\"\n>, refreshing credentials and retrying\n"} Traceback (most recent call last): File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/raw.py", line 150, in handler return fn(*args, **kwargs) File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/raw.py", line 448, in list_workflows_paginated return self._stub.ListWorkflows(resource_list_request, metadata=self._metadata) File "/home/samuel/.local/lib/python3.8/site-packages/grpc/_channel.py", line 946, in call return _end_unary_response_blocking(state, call, False, None) File "/home/samuel/.local/lib/python3.8/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking raise _InactiveRpcError(state) grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with: status = StatusCode.UNAUTHENTICATED details = "token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken" debug_error_string = "UNKNOWN:Error received from peer ipv410.183.180.0443 {grpc_message:"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken", grpc_status:16, created_time:"2023-01-25T210924.058945058+02:00"}"

During handling of the above exception, another exception occurred: Traceback (most recent call last): File "mul_wf.py", line 15, in <module> workflow = remote.fetch_workflow(name="w2.my_workflow.w2_workflow") File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/remote/remote.py", line 392, in fetch_workflow workflow_id = _get_entity_identifier( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/remote/remote.py", line 108, in _get_entity_identifier version if version is not None else _get_latest_version(list_entities_method, project, domain, name), File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/remote/remote.py", line 84, in _get_latest_version entity_list, _ = list_entities_method( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/friendly.py", line 276, in list_workflows_paginated wf_list = super(SynchronousFlyteClient, self).list_workflows_paginated( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/raw.py", line 159, in handler refresh_handler_fn(args[0]) File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/raw.py", line 44, in _refresh_credentials_standard client = _credentials_access.get_client( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clis/auth/credentials.py", line 20, in get_client _authorization_client = AuthorizationClient( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clis/auth/auth.py", line 178, in init self._refresh_token = _keyring.get_password(_keyring_service_name, _keyring_refresh_token_storage_key) File "/home/samuel/.local/lib/python3.8/site-packages/keyring/core.py", line 55, in get_password return get_keyring().get_password(service_name, username) File "/home/samuel/.local/lib/python3.8/site-packages/keyring/backends/fail.py", line 25, in get_password raise NoKeyringError(msg) keyring.errors.NoKeyringError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details. samuel@nmlprs-dev-vm:~/install/flytenmlp$

if i install the keyrings.alt package, it will try to open a browser on my UNIX machine and ask to enter the user and pass. But I was of the opinion that clientsecret means I dont need all that

@Eduardo Apolinario (eapolinario) can you help here

Also maybe we should move to the new auth flow I have built elsewhere

This issue is still not resolved

But I need to figure why your python client is not working

We can set up a call to show you the python client.

It would be great to have an example of the usage of this flyteidl client used with the oauth flow.

And propeller

It should be easy tbh

Is that right??

But this is the same with python

I have a python client now that is just like that golang one

And we can try it

Absolutely

Anything to get this right and get you unblocked

If I delete this workflow from the UI, the workflow on cluster is deleted but since the external system gets no indication, the job continues running

This needs a backend plugin

so the propeller will send message to this backend and then my backed will send signal to the external resource

You are right the python plugin is like the backend go plugin

Ok. Thanks a lot for your support and please keep up the good work.

this way we do not pollute the cluster, the workflows remain dormant in Flyteadmin and are activated and only remain in k8s for that period

When can we get on a call

I also am about to create a branch with the new Grpc auth system

Will post something today