yehoshuadimarsky commented on issue #20408: URL: https://github.com/apache/airflow/issues/20408#issuecomment-999252229
Got it. Sorry to keep harping on this but I still can't get it to work. I verified that Workload Identity works correctly with the connected K8s service account, but when I try to get Airflow to use that specific K8s service account by specifying the pod template as you suggested, it seems to ignore it and not use that K8s service account.

Google docs state that the K8s pod must use the service account that is connected to Workload Identity - see [here](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#gcloud) step 4.

This part of `values.yaml` states

https://github.com/apache/airflow/blob/6dfc939833fd3dc477b3971d965ba142d3b8bd77/chart/values.yaml#L1301-L1305

So I copied the contents of that file ([here](https://github.com/apache/airflow/blob/helm-chart/1.3.0/chart/files/pod-template-file.kubernetes-helm-yaml)) as the value of `podTemplate` and just changed the service account from this

https://github.com/apache/airflow/blob/6dfc939833fd3dc477b3971d965ba142d3b8bd77/chart/files/pod-template-file.kubernetes-helm-yaml#L96

to the actual K8s service account that is used in Workload Identity.

And... **doesn't work**. No logs written.

The `Rendered K8s Pod Spec` in the Airflow UI for that task looks like this - note, `serviceAccountName` is MISSING:

```yaml
metadata:
  annotations:
    dag_id: logging_test
    execution_date: '2021-12-22T02:39:29.525436+00:00'
    task_id: list_gcp_bucket_objects_in_dev
    try_number: '1'
  labels:
    airflow-worker: worker-config
    airflow_version: 2.2.1
    dag_id: logging_test
    execution_date: 2021-12-22T02_39_29.525436_plus_00_00
    kubernetes_executor: 'True'
    task_id: list_gcp_bucket_objects_in_dev
    try_number: '1'
  name: loggingtestlistgcpbucketobjectsindev.c939facaa5a947e2b10ead18da287a1c
  namespace: airflow
spec:
  containers:
  - args:
    - airflow
    - tasks
    - run
    - logging_test
    - list_gcp_bucket_objects_in_dev
    - manual__2021-12-22T02:39:29.525436+00:00
    - --subdir
    - DAGS_FOLDER/log_test_dag.py
    env:
    - name: AIRFLOW_IS_K8S_EXECUTOR_POD
      value: 'True'
    image: [REDACTED]
    name: base
```

I thought that maybe Airflow didn't sync, so I deleted and fully recreated the Helm chart app. Didn't work.

**Why won't Airflow use the specified service account in the pod template file?**
