-
Notifications
You must be signed in to change notification settings - Fork 680
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Azure Workload Identity not working with fsspec
in flytekit
#3962
Comments
@wild-endeavor Setting
And I'm getting the following error:
I could try creating and mounting a config file as well, but it's a bit more time consuming and I need to move forward with my deployment. |
It could be that I was missing this on my cluster: https://github.com/Azure/azure-workload-identity/tree/main/charts/workload-identity-webhook I'll try again once it's installed |
Nevermind! Turns out this helm chart is not necessary on managed clusters. I also was able to access blob storage from a task by instantiating the filesystem with the right parameters I've described above. So this bug is still valid |
left a comment on the other issue as well. okay so the ask is to make the flytekit invocation of fsspec implementations be able to have default options for setting up the instance, and potentially different set of args for the put/get calls? |
Yes, similarly to the S3 and GCS code paths in |
@wild-endeavor I can make a PR to add that to |
yes please, no rush, whenever you get a chance. |
Just stumbled across this and would love to see it! |
I think I found another place which needs to be updated - encoding pandas dataframes as parquet or other file formats. e.g. https://github.com/flyteorg/flytekit/blob/5c23325ac7317bb6a3e81aa22e654ace8eec1e1b/flytekit/types/structured/basic_dfs.py#L87-L109. In this code path it uses It seems to work fine apart from we need to set At least in this case setting |
Nice Catch! One thing i did not get is where fsspec retrieves the value for Other than that, i think it would be best to add a azure_setup_args in this function and get the |
I haven't re-run the code to confirm but I think
That is what I ended up doing with https://github.com/Tom-Newton/flytekit/commits/tomnewton/add_azure_data_config. With this I actually had to go back to using paths relative to the storage account
I tried modifying In summary I think something like https://github.com/Tom-Newton/flytekit/commits/tomnewton/add_azure_data_config is the best solution for a few reasons:
For reference there was some slack discussion: https://flyte-org.slack.com/archives/C01P3B761A6/p1694537671789039?thread_ts=1693319124.713779&cid=C01P3B761A6 |
@Tom-Newton @fiedlerNr9 - yeah let's just go ahead with modifying the current constructs now to support azure better. Unless you can think of a more seamless way to manage the configuration necessary across the cloud platforms. Could one/both of you open up a pr? One thing I'm pretty sure we still shouldn't do is muck around with the fsspec configs directly - that is flytekit should not get in the way of raw fsspec (as this can change behavior inexplicably for the user). thank you all |
I opened a draft PR flyteorg/flytekit#1842. This is based on the changes that @devictr and I are currently using. I've left it as a draft because I think we should add some some unit tests and I was going to consider renaming a couple of things and adding support for yaml config. I'm not sure how much time I will have to work on this right now so if anyone wants to take it and push it through PR review then go for it. |
one last comment: Also want to raise awareness of this PR for stow: flyteorg/stow#9 |
Maybe yes, but I don't really understand that usecase. As I understand it we need the golang code using stow to be able to read and write to the same place as the python code using fsspec. The way I see it the special flyte specifc env variables should be used so the python code can connect to the same storage account configured for stow. If you want your python task to authenticate to other Azure services or storage accounts you can do that completely as normal because we used non-standard environment variables to avoid conflicts.
Cool. It would certainly be nicer to use Azure AD based auth rather than account key. |
The Use case would be to have one storage account for flyte metadata and multiple storage accounts for different flyte projects and domains where user data can be uploaded/downloaded via Flytefiles or Flytedirectories. But like you said, i think it is not possible at the moment because of the relative output format. If you want your python flytekit code to write to the same storage account where stow is writing metadata, why dont just set the env variable |
FWIW, we also have this use case, but it's slightly different. We have several pre-existing storage accounts we need to connect to within tasks and would like to use |
also cc @gvashishtha and folks from blackshark who have been deploying to Azure. |
I would suggest using
I want flytekit to always write to that same storage account but my python task should be free to do anything using any Azure authentication and any blob storage account. The problem with using workload identities is that it unavoidably uses standard environment variables, so it's always going to interfere with whatever other Auth the task might use. |
I get your point but it would be a pity if we cannot have FlyteFile or Flytedirectory on Azure - its such an amazing feature. I also get your second point and i am interested what other libraries you use. I have
|
I agree it would be nice if everything supported absolute paths. I wouldn't want to get rid of all environment variables though, because its still very valuable to be able to configure auth for flytekit without interrupting other Azure auth. For now I think my proposed changes are the best option. Using the new env vars are optional so it should be a backwards compatible change. For writing to multiple different storage accounts with
For me |
Thanks for getting back and nice PR so far 🚀 I agree with this being the best option at the moment. Tomorrow i will test your Branch on a live cluster and try a couple of things. And yes, lets close this issue after your PR is merged ;) |
Between flyteorg/flytekit#1813 and flyteorg/flytekit#1842 I think its fair to close this as complete. |
Describe the bug
For workload identity to work within
AzureBlobFileSystem
, the filesystem needs to be instantiated with an account name andanon
set toFalse
. Currently, due to howget_filesystem()
is set up, we cannot pass the rightkwargs
for Workload Identity to work.The workaround is to set
AZURE_STORAGE_ACCOUNT_NAME
andAZURE_STORAGE_ACCOUNT_KEY
, which will allowflytekit
to talk to blob storage, but it would be nice to support Workload Identity directly.This relates to the discussion in #3945
Expected behavior
Enabling Azure Workload Identity should work out of the box when
flytekit
tries to read/write to blob storage.Additional context to reproduce
No response
Screenshots
No response
Are you sure this issue hasn't been raised already?
Have you read the Code of Conduct?
The text was updated successfully, but these errors were encountered: