we are using google’s k8s (gke) with workload iden...
# ask-community
s
we are using google’s k8s (gke) with workload identity, which ties IAM with the k8s serviceaccount. is it possible to set a specific job service account on a job container, depending on which user code deployment was used to spin up the job container?
i believe there’s a way to set it at the job level via execute_k8s_job, not ideal or convenient…since we group jobs based on repo, and each repo’s jobs should use the same service account
also, i believe resources are instantiated on the user deployment, and for some of that code to be executed with the right privileges, i’d want to specify the corresponding service account per container and not globally (in the helm chart)
@daniel knower of all things
d
hi solaris - in general if you want to vary things in your code by what code location they're in, you could set an env var in that code location and check it in your code. So you could do something like
```python
from dagster import job
location_dependant_service_account_name = ...  # function that checks env vars to determine what to use

@job(tags={"dagster-k8s/config": {"pod_spec_config": {"service_account_name": location_dependant_service_account_name}}})
def my_job():
    ...
```
using the tags described here: https://docs.dagster.io/deployment/guides/kubernetes/customizing-your-deployment#per-job-or-per-op-kubernetes-configuration
s
for posterity…you can configure service accounts globally in your helm chart, or in the runlauncher section, or, if you want to get granular and specify service accounts per job (which is what i wanted) then your k8s config should look something like below:
```
dagster-k8s/config: {"pod_spec_config": {"serviceAccountName": "your_k8s_service_account"}}
```
in dagit, add it as a tag in your run configuration/runlauncher. more documentation here and here (search for podspec)
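
The env-var approach and the per-job tag discussed in this thread can be combined into one helper. This is an added example, not code from the thread or from Dagster. The env var name `DAGSTER_JOB_SERVICE_ACCOUNT`, the function name and the `allowed` allowlist are assumptions. The helper fails closed, so a code location with a missing or malformed value does not silently run under the globally configured service account.

```python
import os
import re

# Kubernetes ServiceAccount names must be valid DNS-1123 subdomains (max 253 chars).
_DNS1123_SUBDOMAIN = re.compile(
    r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"
)

# Hypothetical env var, set separately on each user code deployment.
SERVICE_ACCOUNT_ENV_VAR = "DAGSTER_JOB_SERVICE_ACCOUNT"


def job_service_account_tags(env=None, allowed=None):
    """Build the dagster-k8s/config tag for every job in this code location.

    Raises instead of returning a tag when the name is missing, malformed or
    not in the optional allowlist, so the job definition fails to load rather
    than running with a service account nobody chose for it.
    """
    env = os.environ if env is None else env
    name = env.get(SERVICE_ACCOUNT_ENV_VAR, "").strip()
    if not name:
        raise RuntimeError(f"{SERVICE_ACCOUNT_ENV_VAR} is not set for this code location")
    if len(name) > 253 or not _DNS1123_SUBDOMAIN.fullmatch(name):
        raise ValueError(f"{name!r} is not a valid Kubernetes service account name")
    if allowed is not None and name not in allowed:
        raise PermissionError(f"{name!r} is not an allowed service account for this repo")
    return {"dagster-k8s/config": {"pod_spec_config": {"service_account_name": name}}}


# Usage inside a code location (needs dagster installed, so shown as a comment):
#   @job(tags=job_service_account_tags(allowed={"repo-a-jobs"}))
#   def my_job(): ...
```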