[BUG] Flytectl authentication not working with GCP IAP #6089

gverkes opened this issue Dec 6, 2024 · 2 comments

gverkes commented Dec 6, 2024

Describe the bug

After having set up IAP with Flyte according to https://pypi.org/project/flytekitplugins-identity-aware-proxy/, the flytectl command during flyte authentication seems to fail due to IAP. During the Flyte authentication the initial IAP works fine, but during the callback I get the error: Couldn't get access token due to error: oauth2: cannot fetch token: 401 Unauthorized Response: Invalid IAP credentials: empty token. Connecting through Flytekit or the console works fine.

versions

$ flytectl version
{
  "App": "flytectl",
  "Build": "89efcc62a",
  "Version": "0.9.2",
  "BuildTime": "2024-12-06 10:06:41.50991 +0000 WET m=+0.017617709"
}

flyte-core: 1.13.3

Expected behavior

The proxyCommand provides a token for IAP that should be properly propagated, such that the Flyte authentication succeeds, just like Flytekit.

Additional context to reproduce

  1. Set up Flyte + IAP according to the tutorial on https://pypi.org/project/flytekitplugins-identity-aware-proxy/
  2. Set config.yaml to something like (also used for flytekit, which does work):

     admin:
       endpoint: dns:///example.com
       insecure: false
       insecureSkipVerify: false
       authType: Pkce
       proxyCommand: ["flyte-iap", "generate-user-id-token", "--desktop_client_id", "xxxxx.apps.googleusercontent.com", "--desktop_client_secret_gcp_secret_name", "flyte-desktop-oauth-client-secret", "--webapp_client_id", "xxxxx.apps.googleusercontent.com", "--project", "project-1"]

  3. Try to run something like flytectl get project


Are you sure this issue hasn't been raised already?

  • Yes

Have you read the Code of Conduct?

  • Yes
gverkes added the bug and untriaged labels Dec 6, 2024

welcome bot commented Dec 6, 2024

Thank you for opening your first issue here! 🛠

eapolinario (Contributor) commented

@gverkes, can you confirm that running the flyte-iap command separately works?

Also, can you increase the log level in the invocation of flytectl? You can set the --logger.level flag to 5.

eapolinario added the waiting for reporter label and removed the untriaged label Dec 27, 2024
eapolinario self-assigned this Dec 27, 2024
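
A local check that helps answer the question above about whether the flyte-iap command works on its own, added here as an example and not part of the original thread or the Flyte project's code: it inspects the command's output for the conditions that lead to an empty or rejected IAP token. It assumes the command prints only the ID token on stdout and that IAP expects the --webapp_client_id value as the audience; `check_iap_token` and `make_sample_token` are hypothetical names, and the signature is not verified.

```python
import base64
import json
import time


def _b64url(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_iap_token(raw, expected_aud, now=None):
    """Return a list of problems in the proxyCommand output (empty list = looks usable).

    Diagnostic only: the signature is NOT verified; IAP does that server-side.
    """
    now = time.time() if now is None else now
    token = raw.strip()
    if not token:
        return ["empty output: nothing to send as a bearer token"]
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    try:
        claims = json.loads(_b64url(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    # Assumption: the audience IAP checks is the web application OAuth client ID.
    if claims.get("aud") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims):
    # Constructed, unsigned sample for offline use; not a real Google ID token.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    aud = "xxxxx.apps.googleusercontent.com"  # placeholder value from the issue's config
    print(check_iap_token(make_sample_token({"aud": aud, "exp": time.time() + 3600}), aud))
    print(check_iap_token("", aud))
```

To use it against a real setup, pass the captured stdout of the proxyCommand as `raw`; an empty list means the token is non-empty, well-formed, unexpired and carries the expected audience, which points the investigation at how the client forwards it rather than at the command.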