Hi! i am currently changing from

pyflyte package

+

flytectl register

to only use

pyflyte register

when deploying flyte workflows - but now i get an authentication error. With

flytectl

i could authenticate by writing a secret to

~/.flyte/client_secret

but seems this is not working for

pyflyte

Maybe someone else had similar issues?

What version are you using

we use flytekit 1.3.2

What's the config present in your config.yaml file?

i get this error from our CICD pipeline which deploys the flyte workflows. And in this process we: 1. create a file:

~/.flyte/client_secret

2. fetch the secret from secret manager and writes it in the newly created file 3. add an empty line in the end (because of this: https://github.com/flyteorg/flytekit/blob/70a08256adefc98ee42da86171177ab5b5136b6d/tests/flytekit/unit/configuration/test_internal.py#L42)

Shouldn't there be

clientId

as well? Also, what's the error you're seeing?

{
  "asctime": "2023-03-02 08:56:07,735",
  "name": "flytekit.cli",
  "levelname": "ERROR",
  "message": "Non-200 (401) received from IDP: {\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).\"}"
}

This is the error i receive

cc @Eduardo Apolinario (eapolinario) @Yee

mm yeah agreed, there should be a client id somewhere right?

Is this something which was changed? because it was working like this before 🤔

It’s weird to use the clientID from remote

so before when we did

flytectl register

the auth setup worked for us - and we didn't specify clientId inside

config.yml

ClientID https://github.com/flyteorg/flytekit/blob/71d436ac456285a75b3ec462f34fc4524933c309/flytekit/clients/auth/authenticator.py#L168 And https://github.com/flyteorg/flytekit/blob/71d436ac456285a75b3ec462f34fc4524933c309/flytekit/clients/auth_helper.py#L69 We can add an or here

btw. we also get this error i can see:

grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
	status = StatusCode.UNAUTHENTICATED
	details = "token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken"
	debug_error_string = "UNKNOWN:Error received from peer ipv4:<ipaddress> {grpc_message:"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken", grpc_status:16, created_time:"2023-03-02T08:56:07.716682455+00:00"}"
>

if it helps?

robin was there still an issue here?

@Yee yes we still having the issue 😕 How do you suggest to do with the clientId? - not sure what id i should set and where to take it from. Is it the clientId from the configmap? we right now have these specified:

configmap:
  adminServer:
    auth:

      appAuth:
        thirdPartyConfig:
          flyteClient:
            clientId: <the_client_id>
            redirectUri: <http://the_domain/callback>
            scopes:
              - offline
              - all
      ...

(We have more things there as well) But how to create the one for

pyflyte register

? because before it was working for us without specifying the clientId in config.yml when we used

flytectl register

Have you deployed Flyte on AWS? If so,

clientID

is the Access Key ID.

Yes it is deployed in AWS EKS- I’ll give that a try, thanks!

sorry what’s the issue?

hey @Robin Eklund, how are things going with your deployment?

Hey @David Espejo (he/him) the issue still remains but solved it by having two ways of deploying - one way from my local computer with

pyflyte register

and one way from the ci cd pipeline with

pyflyte package

+`flytectl register`