Hey, can I assign a service account to the k8s jobs so that they can use GCP Workload Identity? If so, how can I do it? (I'm using the Helm chart)

we do offer the ability to specify the service account name for the K8sRunLauncher but looks like it’s currently not configurable (in Helm, it’s set to be the service account generated from our chart)

yeah that would be awesome, how can I allow then access to, for example, Google Cloud Storage from the jobs? so that they can use it for intermediate storage

As you said, you need an annotation in the service account

i havent work with annotations before, any useful resource you can point me to?

The systems engineer already created the workload identity, and he told me I must point to the GCP SA from my K8s job (the one launched by dagster). The thing is that he told me I need to point to it from the job definition yaml, which I cannot configure since it is generated by the K8sJobLauncher, hence my question. So, I believe everything you've just said has been done by him, and the last point is how to tell the K8sJobLauncher to launch the jobs pointing to that service account. I see in the link you sent that when defining the job with a yaml, you specifiy

serviceAccountName

as part of the job spec, but I am unable to define the Dagster jobs myself, so I have to tell the job launcher to do it, and that is the original question, where do I tell him to do so. 😞

Right, the issue is you need to patch in the annotation I mentioned

another thing you can do is associate to the cluster's default service account

@Matyas Tamas No, as I linked there is a specific SA created by dagster

that last thing would mean setting undesired permissions by default

Cool, very well explained guys, thanks a lot! You are really helping me a lot with the k8s thing these days!

Also your system engineer will need to know the name (and namespace) of your K8s service account to set up the policy binding I mentioned/linked

@Rubén Lopez Lozoya its true that that will be more permissive than you might want. @Noah K there is a service account created by dagster. There is also

<project_id>.svc.id.goog[default/default]

which will work as well.

@Matyas Tamas WorkloadID only works with the K8s SA the pod is actually running with

hmm - I have it running...

You might be used to the default case when you do not specify a

serviceAccountName

correct - which I believe is the default, no?

wait, so how are you setting the serviceAccountName?

Not sure I understand the question. It's a config option in the dagster_k8s plugin

yup

When is then passed down into the Kubernetes jobs it creates

like as a tag you mean? i.e.:

@solid(tags={
    "dagster-k8s/config": {
        "job_config": {
            "service_account_name": "<service account>"
        }
    }
})

with the k8s celery executor, you can just specify it in the run config

ah - right

cool! thanks all!

I'm not aware of any support for it in tags but maybe it's at some meta level I don't know about 🙂