How can I give an IAM role to Dagster Cloud when, for example, I want to access something from an S3 bucket?

To provide your Dagster Cloud instance with an IAM role for accessing resources such as an S3 bucket, you can follow the process of granting AWS permissions to your Dagster pods. This involves using AWS IAM roles for service accounts (IRSA) which allows you to associate an IAM role with a Kubernetes service account. Here are the general steps you would take, as outlined in the documentation: 1. Create an IAM OIDC provider for your EKS cluster: This is necessary to allow the Kubernetes service accounts in your EKS cluster to assume IAM roles. You can follow the AWS documentation to set this up. 2. Create an IAM role and attach IAM policies: You will need to create an IAM role with the necessary permissions to access the S3 bucket and any other AWS resources you need. Then, you can attach the appropriate IAM policies to this role. 3. Update the Helm chart to associate the IAM role with a service account: Modify your Helm chart to create a service account and annotate it with the IAM role ARN. Here is an example snippet from the documentation that shows how to do this in your Helm chart configuration:

yaml serviceAccount:   create: true   annotations:     <http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: "arn:aws:iam::1234567890:role/my_service_account_role"

By following these steps, you will allow your Dagster agent and the pods it creates to assume the specified

my_service_account_role

IAM role, which should have the necessary permissions to access the S3 bucket. Please note that these steps are a general guide, and you may need to adjust them based on your specific AWS and Kubernetes setup. If you encounter any issues or need further clarification, you can refer to the AWS and Kubernetes documentation or seek additional support.

I am using serverless deployment, not hybrid