Bring your towel and join one of the fastest growing data communities. Welcome to our second-generation open source orchestration platform, a completely rethought approach to dataflow automation.

Prefect Community

I'm running prefect server in k8s so I have pods for all prefects pieces, pods for the k8s agents and then those pods are making pods for the flows. How do I control configuration of the flow pods? I would like to annotate them to grant IAM permissions. Do they get whatever the k8s agent has? Can I pass something from the agent to the flow pods?

Hi <@U02H82N0KT9>, all of what you are describing seems to be configurable by using <https://docs.prefect.io/api/latest/run_configs.html#kubernetesrun|KubernetesRun> run configuration.  KubernetesAgent deploys flows as Kubernetes jobs and by using KubernetesRun you can configure a <https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/|service account> to use for each flow as needed.

When you say IAM, I assume you mean AWS, right? :slightly_smiling_face: if so, AWS has some docs showing how to set up <https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html|IAM roles for service accounts>.

gotcha. thanks. Is service account the only thing? We're not quite to the IAM roles for SA setup yet, we use kube2iam and annotations control access. could I use the `job_template` field to specify the yaml to use for the job?

And when it comes to passing something from the agent to the flow pods, it’s possible to pass certain things like environment variables when you start the agent - those should be available in flow pods as well:
```prefect agent &lt;AGENT TYPE&gt; start --env KEY=VALUE```

Yes, you can use the `job_template` field to set a custom Kubernetes job template. What I saw people from the community do is passing a path to a YAML template stored in S3 using `job_template_path`.