Hi! i am currently changing from `pyflyte package`...
# ask-the-community
r
Hi! i am currently changing from `pyflyte package` + `flytectl register` to only use `pyflyte register` when deploying flyte workflows - but now i get an authentication error. With `flytectl` i could authenticate by writing a secret to `~/.flyte/client_secret` but seems this is not working for `pyflyte`. Maybe someone else had similar issues?
k
What version are you using
r
we use flytekit 1.3.2
s
What's the config present in your config.yaml file?
r
i get this error from our CICD pipeline which deploys the flyte workflows. And in this process we:
1. create a file: `~/.flyte/client_secret`
2. fetch the secret from secret manager and write it in the newly created file
3. add an empty line in the end (because of this: https://github.com/flyteorg/flytekit/blob/70a08256adefc98ee42da86171177ab5b5136b6d/tests/flytekit/unit/configuration/test_internal.py#L42)

and this is the `config.yaml`:
```yaml
admin:
  endpoint: dns:///flyte.our.domain
  authType: ClientSecret
  clientSecretLocation: /root/.flyte/client_secret
  insecure: false
logger:
  show-source: true
  level: 0
```
s
Shouldn't there be `clientId` as well? Also, what's the error you're seeing?
r
```json
{
  "asctime": "2023-03-02 08:56:07,735",
  "name": "flytekit.cli",
  "levelname": "ERROR",
  "message": "Non-200 (401) received from IDP: {\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).\"}"
}
```
This is the error i receive
i just know we had it working when we used `pyflyte package` + `flytectl register`. But now when we use only `pyflyte register` we got this error
s
cc @Eduardo Apolinario (eapolinario) @Yee
y
mm yeah agreed, there should be a client id somewhere right?
there’s some corner cases between flytectl and pyflyte when it comes to auth but this is a pretty standard case, it should work.
i think you should remove the newline though if there isn’t one in the real password. that test is only there to ensure we’re reading the file correctly. the test secret file has a newline (even though it doesn’t look like it on github)
r
Is this something which was changed? because it was working like this before 🤔
and do you mean clientId should be added to config.yaml? and do i set that manually? or how does it work? Do you have some documentation? tried to read here: https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html#continuous-integration-ci on clientId it says:
```yaml
# Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint.
```
So i guess that made it work when i used flytectl register? Seems like pyflyte register does not work in the same way though.
k
It’s weird to use the clientID from remote
But I guess we can add that back
We did overhaul the auth system
r
so before when we did `flytectl register` the auth setup worked for us - and we didn't specify clientId inside `config.yml`
Ok, ideally you should be
But this is then a backwards compatibility issue
Let me fix this today
And we will backport
r
btw. we also get this error i can see:
```
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
	status = StatusCode.UNAUTHENTICATED
	details = "token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken"
	debug_error_string = "UNKNOWN:Error received from peer ipv4:<ipaddress> {grpc_message:"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken", grpc_status:16, created_time:"2023-03-02T08:56:07.716682455+00:00"}"
>
```
if it helps?
awesome great, thanks all of you for your help @Samhita Alla @Ketan (kumare3) @Yee 🙏
@Ketan (kumare3) were you able to revert / fix the code on Friday? and can i still use version 1.3.2? or is it a new one?
y
robin was there still an issue here?
did things work after you added the clientId?
the code still looks up the clientid, but i think not if you use clientsecret. it only works for the pkce flow
r
@Yee yes we are still having the issue 😕 How do you suggest to do with the clientId? - not sure what id i should set and where to take it from. Is it the clientId from the configmap? we right now have these specified:
```yaml
configmap:
  adminServer:
    auth:

      appAuth:
        thirdPartyConfig:
          flyteClient:
            clientId: <the_client_id>
            redirectUri: <http://the_domain/callback>
            scopes:
              - offline
              - all
      ...
```
(We have more things there as well) But how to create the one for `pyflyte register`? because before it was working for us without specifying the clientId in config.yml when we used `flytectl register`
@Samhita Alla do you know how to deal with the clientId?
s
Have you deployed Flyte on AWS? If so, `clientID` is the Access Key ID.
r
Yes it is deployed in AWS EKS- I’ll give that a try, thanks!
y
sorry what’s the issue?
what are you trying to auth? pyflyte?
and you’re using an external auth server or the selfauthserver?
the thirdpartyconfig doesn’t do anything directly… it gets piped through to the /api/v1/flyte_client endpoint. this information then gets cat’ed into the config file when you do flytectl config init.
so the id just needs to be whatever you pick for the application. by default that’s flytectl.
d
hey @Robin Eklund, how are things going with your deployment?
r
Hey @David Espejo (he/him) the issue still remains but solved it by having two ways of deploying - one way from my local computer with `pyflyte register` and one way from the ci cd pipeline with `pyflyte package` + `flytectl register`