Has anyone ever attached a service account to thei...
# ask-communityl
Leon Kozlowski
12/01/2021, 2:49 PMHas anyone ever attached a service account to their agent with helm? I’m getting 403s after attaching a service account - including error message in thread
Leon Kozlowski
12/01/2021, 2:49 PM Copy code
"Failure","message":"jobs.batch is forbidden: User \"system:serviceaccount:default:prefect-agent\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"default\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403}k
Kevin Kho
12/01/2021, 3:06 PM
Did you set the env variable to define the service account?
Copy code
- name: SERVICE_ACCOUNT_NAME
value: ''l
Leon Kozlowski
12/01/2021, 3:09 PMis that for the flow or the agent?
a
Anna Geller
12/01/2021, 3:09 PM
for the agent. You can get the full template this way:
Copy code
prefect agent kubernetes install >> k8s.yamll
Leon Kozlowski
12/01/2021, 3:10 PMI’m thinking this is more on the k8s side because of this:
Copy code
kubectl auth can-i --as=system:serviceaccount:default:prefect-agent create jobs -n defaultnoLeon Kozlowski
12/01/2021, 4:48 PMdoes that env var just override this:
Copy code
subjects:
- kind: ServiceAccount
name: defaultk
Kevin Kho
12/01/2021, 5:38 PM
Will ask someone who knows more than me
l
Leon Kozlowski
12/01/2021, 5:39 PMI got it to work (I believe)
🚀 2
t
Tyler Wanner
12/01/2021, 5:40 PMwhat was the trick?
l
Leon Kozlowski
12/01/2021, 5:56 PMIn my
rolebinding.yaml Copy code
subjects:
- kind: ServiceAccount
name: {{ include "<CHART_NAME>.fullname" . }}Leon Kozlowski
12/01/2021, 5:56 PMMy flow is noop-ing but I’m not exactly sure if its related to this
Leon Kozlowski
12/01/2021, 5:57 PMAlso - the service account is defined in a
serviceaccount.yaml