<@ULVA73B9P>, i am running prefect on kubernetes i...
# ask-marvin
s
@Marvin, I am running Prefect on Kubernetes in AWS with a self-hosted API server. Where can I configure the AWS IAM role for running jobs in a work pool?
m
You can use Kubernetes service accounts and IAM to assign roles to your jobs on AWS EKS. There isn't much specific guidance for this in the Prefect documentation, but you can follow general Kubernetes and AWS practices.

### Key Steps:

1. Create and annotate a Kubernetes service account to associate with an IAM role.
2. Update your Kubernetes job manifest to use this service account.

For creating and annotating a service account with a specific IAM role, refer to this AWS document: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html

Use this service account in your Prefect job definitions.

### Example Annotation:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
```

### Example Job Specification:

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: prefect-job
spec:
  template:
    spec:
      serviceAccountName: my-service-account
      containers:
      - name: job
        image: prefecthq/prefect
      restartPolicy: Never
```

### Documentation Links:

* Kubernetes on Prefect: https://docs.prefect.io/latest/guides/deployment/kubernetes/

### Relevant GitHub Discussions:

* Running Prefect on AWS EKS: https://github.com/PrefectHQ/prefect/issues/3882

If you need more configuration help or run into specific issues, please provide additional details.

To configure an AWS IAM role for running jobs in a work pool on Kubernetes with a self-hosted Prefect API server, follow these steps:

### Create and Annotate a Kubernetes Service Account

1. Create a Service Account in Kubernetes and annotate it with the IAM role ARN that you want to use. Example:

   ```yaml
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: work-pool-service-account
     annotations:
       eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
   ```

2. Associate this service account with the pods or jobs that Prefect orchestrates.

### Update Prefect Work Pool Configuration

1. Set Up Work Pool with Kubernetes Worker: Ensure that the Kubernetes worker uses the custom job template with the specified service account. Example:

   ```yaml
   apiVersion: batch/v1
   kind: Job
   metadata:
     name: prefect-job
   spec:
     template:
       spec:
         serviceAccountName: work-pool-service-account
         containers:
           - name: job
             image: prefecthq/prefect
         restartPolicy: Never
   ```

2. Work Pool and Worker Configuration: Detailed documentation can be found here and here.

### Practical Example

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: work-pool-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/your-iam-role

---
apiVersion: batch/v1
kind: Job
metadata:
  name: prefect-job
spec:
  template:
    spec:
      serviceAccountName: work-pool-service-account
      containers:
      - name: job
        image: prefecthq/prefect
      restartPolicy: Never
```

### Links for Documentation and Configuration:

- Guide for Kubernetes deployment: https://docs.prefect.io/latest/guides/deployment/kubernetes/
- Work Pools in detail: https://docs.prefect.io/latest/concepts/work-pools/
- Managing Kubernetes Service Accounts on AWS: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html

This setup ensures that the jobs run under the specified IAM role, leveraging Kubernetes service accounts and AWS IAM roles for improved security and compliance. If you have more detailed requirements or specific issues, feel free to ask!