Noam Banay

08/07/2023, 10:06 AM
Hey all! I’m trying to run a flow that reads and writes to an S3 bucket, but I’m struggling with the assignment of the IAM permissions. I’m running my Prefect agent on a K8S pod and, as I understand it, I need to configure the pod to use a Kubernetes service account. Is there a way I can add the service account as I’m running my agent?


08/07/2023, 3:53 PM
There are (at least) two ways you can do it:

1. Use a Secret block to store an account and access key. This is more straightforward to get started with, but the downside is that this is a static credential, so you may want to rotate it periodically.

2. Use IAM Roles for Service Accounts, which sounds like what you’re getting at. It’s an EKS-specific mechanism that lets you bind a Kubernetes service account to a particular AWS role. This requires some setup at the cluster level, but simplifies things as it’s a dynamic credential that rotates automatically. You can use infra_overrides to influence the job spec that Prefect creates, and bind it to a service account that has the IRSA annotation for the credential you want to use.

The agent has its own Kubernetes service account, but I would recommend creating a separate service account for your flow, so that you can reduce the permissions granted to it. The Prefect agent KSA requires the ability to create and deploy pods, whereas your flow KSA may not need any permissions inside Kubernetes (no RoleBinding or ClusterRoleBindings) and would only exist so that you can link it to your IAM role on the AWS side.