# deployment-kubernetes

Michel Rouly

08/20/2021, 10:13 PM
Has anyone seen problems with `dagster-daemon` having an inability to assume IAM roles on k8s? More details in 🧵
I have independently deployed `dagster-daemon` and `dagster-user-code-deployment` pods. Both use the service account `dagster`.
Both deployments have `serviceAccount.annotations` set to the same IAM role:
```
eks.amazonaws.com/role-arn: arn:aws:iam::account_id:role/terraform/dagster
```
Both deployments are running with the same user code package installed -- actually wait no, the daemon is not. The daemon must be using gRPC to trigger sensor runs on the user code deployment.
The pipelines deployed by the user code deployment are able to access S3 resources via the specified IAM role. But the dagster-daemon is continually logging an STS role assumption error.
oh wait the user for the code deployment was different from `dagster`. so.....even though the `dagster-daemon` was using the correct user.....it was invoking the sensor in the user code deployment remotely. and since the user code deployment had the wrong user. it couldn't assume the role appropriately.
OK. Makes sense. Ignore me 🙂

johann

08/23/2021, 1:18 PM
Glad you figured it out! Is there a spot in the docs where you would have expected to see info for this?

Michel Rouly

08/23/2021, 2:36 PM
Let me see if I can find a spot...
I think it would have to be here, if anywhere. Maybe as a final `note` subsection at the end of that section.

johann

08/23/2021, 2:39 PM
Yeah tricky, it’s a bit of overall system content mixed with k8s content mixed with aws content. Thanks for the suggestion!