Hey! I have a question regarding how the role permission setup is supposed to work on the multi cluster setup. What i would like to run is basically one control-plane with multiple data-planes in different AWS Accounts. Every data-plane should have a dedicated

flyte-user-roles

for accessing stuff in their account. What is currently happening when following the official documentation is that after exchanging secret, token and adjusting the cluster config on the control plane, the data-plane retrieves all the namespaces, quotas and Service Accounts from the control plane (which are created by the

cluster_resource_manager

i guess). This leaves me with default Service Accounts in the data-plane for all the projects/domains where the

flyte-user-role

of the control plane is annotated. Obviously i want the

flyte-user-roles

of the data-planes in there, which are completely unused so far in my setup. One way would be to just replace the default Service Account annotation with the correct flyte-user-role in the project/domains i need them. Is there a better or correct way of doing this?

@Yee @Ketan (kumare3), can one of you please help Jan?

I went with overwriting the default service account in the data-plane for now:

kubectl annotate serviceaccount -n $FLYTE_PROJECT_NAME-$domain default <http://eks.amazonaws.com/role-arn=arn:aws:iam::$ACCOUNT_ID:role/$FLYTE_USER_ROLE|eks.amazonaws.com/role-arn=arn:aws:iam::$ACCOUNT_ID:role/$FLYTE_USER_ROLE> --overwrite

Still happy to hear, if there is correct way of doing this 🙂