we are using google’s k8s (gke) with workload iden...
# ask-community
we are using google’s k8s (gke) with workload identity, which ties IAM with the k8s serviceaccount. is it possible to set a specific job service account on a job container, depending on which user code deployment was used to spin up the job container?
i believe there’s a way to set it at the
level via execute_k8s_job not ideal or convenient…since we group jobs based on repo, and each repo’s jobs should use the same service account
also, i believe
are instantiated on the user deployment, and for some of that code to be executed with the right privileges, i’d want to specify the corresponding service account per container and not globally (in the helm chart)
@daniel knower of all things
hi solaris - in general if you want to vary things in your code by what code location they're in, you could set an env var in that code location and check it in your code. So you could do something like
Copy code
location_dependant_service_account_name = # function that checks env vars to determine what to use

@job(tags="dagster-k8s/config": {"pod_spec_config": {"service_account_name": location_dependant_service_account_name}}
using the tags described here: https://docs.dagster.io/deployment/guides/kubernetes/customizing-your-deployment#per-job-or-per-op-kubernetes-configuration
🆗 1
for posterity…you can configure service accounts globally in your helm chart, or in the runlauncher section, or, if you want to get granular and specify service accounts per job (which is what i wanted) then your k8s config should look something like below:
dagster-k8s/config:{"pod_spec_config": { "serviceAccountName": "your_k8s_service_account"   }, }
in dagit, add it as a tag in your run configuration/runlauncher more documentation here and here (search for podspec)