Skip to content

DOM 54018 update flyte iam policy azure #412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
ddl-ebrown wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

DOM 54018 update flyte iam policy azure #412

ddl-ebrown wants to merge 2 commits into from

Conversation

@ddl-ebrown
Copy link
Contributor

@ddl-ebrown ddl-ebrown commented Oct 24, 2025

  • DOM-54018 Allow GCP access to flyte-dataplane IAM
  • DOM-54018 not sure how this will work

@ddl-ebrown
DOM-54018 Allow GCP access to flyte-dataplane IAM
40fc9a4 
 - Allow GCP tokens with a custom audience matching the string
   {deploy_id}-flyte-gcp-{random_id} to access Flyte blobs

   Inspired by policy definition at
   https://jason-umiker.medium.com/cross-cloud-identities-between-gcp-and-aws-from-gke-and-or-eks-182652bddadb

   NOTE: jwt validation usually takes into account several factors

   - issuer
   - audience
   - signature
   - subject
   - scope
   - custom claims

   This policy verifies only the "aud" claim in the token, which in
   theory is spoofable by anyone using GCP to produce tokens. Therefore,
   include a random piece of data in the "aud" value that only the
   control plane will know. When generating executions on remote data
   planes (by dispatcher / workload operator), this value will be passed
   so that tokens produced from GCP will have this shared value.

   To do so requires exporting the value from the terraform code into
   the catalog and through to Nucleus
@ddl-ebrown
DOM-54018 not sure how this will work
23d8a7f
@ddl-ebrown ddl-ebrown mentioned this pull request Oct 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ddl-ebrown