# uctl get role

Returns roles for your entire organization or assigned to a specific identity (user or application).

## Synopsis
Fetch the entire set of roles defined in your organization:

```shell
./bin/uctl get roles
```

Fetch an individual role:

```shell
./bin/uctl get role MyExampleRole
```

Usage:

```shell
uctl get role [flags]
```
## Options

| Option | Type | Description |
|---|---|---|
| | | help for role |
| | string | Optional, specific name of the role to fetch |
| | string | Writes API response to this file. |
## Options inherited from parent commands

| Option | Type | Description |
|---|---|---|
| | string | Audience to use when initiating OAuth2 authorization requests. |
| | string | Type of OAuth2 flow used for communicating with admin. ClientSecret, Pkce, ExternalCommand are valid values (default "ClientSecret") |
| | string | Custom metadata header to pass JWT |
| | string | This is the URL to your IdP's authorization server. It'll default to Endpoint |
| | string | Use specified certificate file to verify the admin server peer. |
| | string | Client ID (default "flytepropeller") |
| | string | Environment variable containing the client secret |
| | string | File containing the client secret (default "/etc/secrets/client_secret") |
| | strings | Command for external authentication token generation |
| | string | OPTIONAL: Default org to use to support non-org based CLIs. |
| | string | |
| | string | Amount of time the device flow would poll the token endpoint if the auth server doesn't return a polling interval. Okta and Google IdP do return an interval (default "5s") |
| | string | Grace period from the token expiry after which it would refresh the token. (default "5m0s") |
| | string | Amount of time within which the device flow should complete, or else it will be cancelled. (default "10m0s") |
| | string | For admin types, specify where the URI of the service is located. |
| | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
| | | Use insecure connection. |
| | | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. Caution: shouldn't be used for production use cases. |
| | string | Max delay for gRPC backoff (default "8s") |
| | int | The max size in bytes for incoming gRPC messages |
| | int | Max number of gRPC retries (default 4) |
| | string | gRPC per retry timeout (default "15s") |
| | string | Grace period from the token expiry after which it would refresh the token. (default "5m0s") |
| | string | Amount of time the browser session would be active for authentication from client app. (default "2m0s") |
| | strings | Command for external proxy-authorization token generation |
| | strings | List of scopes to request |
| | string | Max duration between token refresh attempt and token expiry. (default "0s") |
| | string | OPTIONAL: Your IdP's token endpoint. It'll be discovered from flyte admin's OAuth Metadata endpoint if not provided. |
| | | Use Audience configured from admin's public endpoint config. |
| | | Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information. |
| | strings | Optional: A list of allowed audiences. If not provided, the audience is expected to be the public URI of the service. |
| | string | This should be the base URL of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/ |
| | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
| | string | Optional: If the server doesn't support /.well-known/oauth-authorization-server, you can set a custom metadata URL here. |
| | int | Optional: The number of attempted retries on a transient failure to get the OAuth metadata (default 5) |
| | string | Optional: Duration to wait between retries (default "1s") |
| | string | Defines the lifespan of issued access tokens. (default "30m0s") |
| | string | Defines the lifespan of issued access tokens. (default "5m0s") |
| | string | OPTIONAL: Secret name to use to encrypt claims in authcode token. (default "claim_symmetric_key") |
| | string | Defines the issuer to use when issuing and validating tokens. The default value is https://<requestUri.HostAndPort>/ |
| | string | OPTIONAL: Secret name to use to retrieve Old RSA Signing Key. This can be useful during key rotation to continue to accept older tokens. (default "token_rsa_key_old.pem") |
| | string | Defines the lifespan of issued access tokens. (default "1h0m0s") |
| | string | OPTIONAL: Secret name to use to retrieve RSA Signing Key. (default "token_rsa_key.pem") |
| | string | Audience to use when initiating OAuth2 authorization requests. |
| | string | Public identifier for the app which handles authorization for a Flyte deployment (default "flytectl") |
| | string | This is the callback URI registered with the app which handles authorization for a Flyte deployment (default "http://localhost:53593/callback") |
| | strings | Recommended scopes for the client to request. (default [all,offline]) |
| | | Disables auth enforcement on gRPC Endpoints. |
| | | Disables auth enforcement on HTTP Endpoints. |
| | string | (default "flyte-authorization") |
| | string | (default "flyte-authorization") |
| | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
| | string | The path used to proxy calls to the TokenURL |
| | string | OPTIONAL: Secret name to use for cookie block key. (default "cookie_block_key") |
| | string | OPTIONAL: Secret name to use for cookie hash key. (default "cookie_hash_key") |
| | string | OPTIONAL: Allows you to set the domain attribute on the auth cookies. |
| | string | OPTIONAL: Allows you to declare if your cookie should be restricted to a first-party or same-site context. Wrapper around http.SameSite. (default "DefaultMode") |
| | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
| | string | idp query parameter used for selecting a particular IdP for doing user authentication. Eg: for Okta passing idp= |
| | string | |
| | string | |
| | string | |
| | string | (default "oidc_client_secret") |
| | strings | (default [openid,profile]) |
| | string | (default "/console") |
| | | Enables authorization decisions for internal communication. (default true) |
| | string | IngressIdentity used in the cluster. Needed to exclude the communication coming from ingress. (default "ingress-nginx.ingress-nginx.serviceaccount.identity.linkerd.cluster.local") |
| | string | UrlPatternIdentity of the internal tenant service endpoint identities. (default "{{ service }}.{{ org }}.serviceaccount.identity.linkerd.cluster.local") |
| | string | UrlPatternIdentity of the internal service endpoint identities. (default "{{ service }}-helmchart.{{ service }}.serviceaccount.identity.linkerd.cluster.local") |
| | string | (default "Active") |
| | string | Description for the boilerplate admin policy (default "Contributor permissions and full admin permissions to manage users and view usage dashboards") |
| | string | Description for the boilerplate contributor policy (default "Viewer permissions and permissions to create workflows, tasks, launch plans, and executions") |
| | string | Name of the role type to determine which default policy new users added to the organization should be assigned (default "Viewer") |
| | string | Description for the boilerplate serverless contributor policy (default "Viewer permissions and permissions to create workflows, tasks, launch plans, and executions") |
| | string | Description for the boilerplate serverless viewer policy (default "Permissions to view Flyte entities") |
| | string | Description for the boilerplate viewer policy (default "Permissions to view Flyte entities") |
| | string | Cache entry duration for the store of the default policy per organization (default "10m0s") |
| | string | (default "1m0s") |
| | string | (default "UserClouds") |
| | string | Specifies how long edge types remain in the cache. (default "30m0s") |
| | string | Specifies how long edges remain in the cache. (default "30m0s") |
| | string | Specifies how long object types remain in the cache. (default "30m0s") |
| | string | Specifies how long objects remain in the cache. (default "30m0s") |
| | string | Cache type to use. (default "none") |
| | string | UserClouds client id |
| | string | UserClouds client secret name to read from the secret manager. (default "userclouds-client-secret") |
| | | Enable UserClouds client's internal logging. Calls to post logs take 250-350 ms and will impact p99 latency; enable with caution. |
| | string | UserClouds tenant id. Should be a UUID. |
| | string | Something like https:// |
| | string | config file (default is /Users/andrew/.union/config.yaml) |
| | string | |
| | string | |
| | string | Pattern for tenant URL. (default "dns:///{{ organization }}.cloud-staging.union.ai") |
| | string | Endpoint of console, if different than flyte admin |
| | string | Sets the maximum amount of time a connection may be reused (default "1h0m0s") |
| | | Whether to enable gorm foreign keys when migrating the db |
| | int | maxIdleConnections sets the maximum number of connections in the idle connection pool. (default 10) |
| | int | maxOpenConnections sets the maximum number of open connections to the database. (default 100) |
| | string | The database name (default "postgres") |
| | | |
| | string | The host name of the database server (default "localhost") |
| | string | See http://gorm.io/docs/connecting_to_the_database.html for available options passed, in addition to the above. (default "sslmode=disable") |
| | string | The database password. (default "postgres") |
| | string | Points to the file containing the database password. |
| | int | The port of the database server (default 30001) |
| | string | The host name of the read replica database server (default "localhost") |
| | string | The database user who is connecting to the server. (default "postgres") |
| | string | The path to the file (existing or new) where the DB should be created / stored. If existing, then this will be re-used, else a new one will be created |
| | string | (default "0s") |
| | int | |
| | int | |
| | string | (default "postgres") |
| | | |
| | string | (default "postgres") |
| | int | (default 4) |
| | string | (default "sslmode=disable") |
| | string | |
| | string | |
| | int | (default 5432) |
| | string | (default "postgres") |
| | string | Specifies the Flyte project's domain. |
| | | Pass in archive file either an http link or local path. |
| | string | Custom assumable IAM auth role to register launch plans with. |
| | | Continue on error when registering files. |
| | string | Location of source code in container. |
| | | Execute command without making any modifications. |
| | | Enable the schedule if the files contain schedulable launchplan. |
| | | Force use of version number on entities registered with flyte. |
| | string | Deprecated. Please use --K8sServiceAccount |
| | string | Custom kubernetes service account auth role to register launch plans with. |
| | string | Custom output location prefix for offloaded types (files/schemas). |
| | string | Deprecated: Update flyte admin to avoid having to configure storage access from flytectl. |
| | string | Version of the entity to be registered with flyte which are un-versioned after serialization. |
| | string | Sets logging format type. (default "json") |
| | int | Sets the minimum logging level. (default 3) |
| | | Mutes all logs regardless of severity. Intended for benchmarks/tests only. |
| | | Includes source code location in logs. |
| | string | Organization to work on. If not set, default to user's org. |
| | string | Filename to store exported telemetry traces (default "/tmp/trace.txt") |
| | string | Endpoint for the Jaeger telemetry trace ingestor (default "http://localhost:14268/api/traces") |
| | string | Endpoint for the OTLP telemetry trace collector (default "http://localhost:4317") |
| | string | Endpoint for the OTLP telemetry trace collector (default "http://localhost:4318/v1/traces") |
| | string | Sets the parent sampler to use for the tracer (default "always") |
| | string | Sets the type of exporter to configure [noop/file/jaeger/otlpgrpc/otlphttp]. (default "noop") |
| | string | Specifies the output type - supported formats [TABLE JSON YAML DOT DOTURL]. NOTE: dot, doturl are only supported for Workflow (default "table") |
| | int | Maximum number of entries to keep in the index. (default 10000) |
| | int | Maximum number of retries per item. (default 3) |
| | int | Number of concurrent workers to start processing the queue. (default 10) |
| | int | Maximum number of entries to keep in the index. (default 10000) |
| | int | Maximum number of retries per item. (default 3) |
| | int | Number of concurrent workers to start processing the queue. (default 10) |
| | string | Specifies the Flyte project. |
| | string | Name of secret with Redis password. |
| | string | Primary endpoint for the Redis cache that can be used for both reads and writes. |
| | string | Replica endpoint for the Redis cache that can be used for reads. |
| | string | Prefix for environment variables (default "FLYTE_SECRET_") |
| | string | Prefix where to look for secrets file (default "/etc/secrets") |
| | string | Sets the type of storage to configure [local]. (default "local") |
| | string | Maximum allowed expiration duration. (default "1h0m0s") |
| | int | Default length for the generated file name if not provided in the request. (default 20) |
| | string | Maximum allowed expiration duration. (default "1h0m0s") |
| | string | Maximum allowed upload size. (default "6Mi") |
| | string | Storage prefix to use for all upload requests. |
| | | Enable gRPC latency metrics. Note: histogram metrics can be expensive on Prometheus servers. |
| | int | The max size in bytes for incoming gRPC messages |
| | int | On which gRPC port to serve admin (default 8089) |
| | | Enable gRPC Server Reflection (default true) |
| | int | deprecated |
| | | deprecated |
| | int | On which HTTP port to serve admin (default 8088) |
| | string | Path to kubernetes client config file, default is empty, useful for in-cluster config. |
| | int | Max burst rate for throttle. 0 defaults to 10 (default 25) |
| | int32 | Max QPS to the master for requests to KubeAPI. 0 defaults to 5. (default 100) |
| | string | Max duration allowed for every request to KubeAPI before giving up. 0 implies no timeout. (default "30s") |
| | string | The address of the Kubernetes API server. |
| | int | The amount of time allowed to read request headers. (default 32) |
| | | (default true) |
| | strings | (default [Content-Type,flyte-authorization]) |
| | strings | (default [*]) |
| | | |
| | | |
| | string | |
| | string | |
| | | |
| | string | Audience to use when initiating OAuth2 authorization requests. |
| | string | Public identifier for the app which handles authorization for a Flyte deployment |
| | string | This is the callback URI registered with the app which handles authorization for a Flyte deployment |
| | strings | Recommended scopes for the client to request. |
| | int | (default 5) |
| | int | (default 50000) |
| | string | (default "1m0s") |
| | string | (default "1s") |
| | string | On which connect port to serve admin (default "8080") |
| | int32 | Specifies the maximum (uncompressed) size of header list that the client is prepared to accept on gRPC calls (default 32000) |
| | int | Limit on the number of concurrent streams to each ServerTransport. (default 100) |
| | int | Limit on the size of message that can be received on the server. (default 10485760) |
| | | Enable gRPC Server Reflection (default true) |
| | string | On which HTTP port to serve admin (default "8089") |
| | string | Path to kubernetes client config file. |
| | string | The address of the Kubernetes API server. |
| | | Enable client gRPC histograms (default true) |
| | | Enable gRPC histograms (default true) |
| | string | Scope to emit metrics under (default "service:") |
| | string | On which gRPC port to serve admin (default "8080") |
| | | Enable Profiler on server |
| | string | Profile port to start listening for pprof and metric handlers on. (default "10254") |
| | | |
| | | Whether to permit localhost unauthenticated access to the server |
| | strings | |
| | strings | |
| | | |
| | string | Override org in identity context if localhost access enabled |
| | | |
| | string | |
| | string | |
| | string | |
| | | |
| | string | Time interval to sync (default "5m0s") |
| | int | Maximum size of the cache where the Blob store data is cached in-memory. If not specified or set to 0, cache is not used |
| | int | Sets the garbage collection target percentage. |
| | string | Access key to use. Only required when authtype is set to accesskey. |
| | string | Auth Type to use [iam, accesskey]. (default "iam") |
| | | Disables SSL connection. Should only be used for development. |
| | string | URL for storage client to connect to. |
| | string | Region to connect to. (default "us-east-1") |
| | string | Secret to use when accesskey is set. |
| | string | Initial container (in S3, a bucket) to create if it doesn't exist. |
| | string | Sets time out on the HTTP client. (default "0s") |
| | | If this is true, then the container argument is overlooked and redundant. This config will automatically open new connections to new containers/buckets as they are encountered |
| | int | Maximum allowed download size (in MBs) per call. (default 2) |
| | stringToString | Configuration for stow backend. Refer to github/flyteorg/stow (default []) |
| | string | Kind of Stow backend to use. Refer to github/flyteorg/stow |
| | string | Sets the type of storage to configure [s3/minio/local/mem/stow]. (default "s3") |
| | string | Authorization Header to use when passing Access Tokens to the server (default "flyte-authorization") |
| | string | Client ID |
| | string | Environment variable containing the client secret |
| | string | File containing the client secret |
| | string | Amount of time the device flow would poll the token endpoint if the auth server doesn't return a polling interval. Okta and Google IdP do return an interval (default "5s") |
| | string | Grace period from the token expiry after which it would refresh the token. (default "5m0s") |
| | string | Amount of time within which the device flow should complete, or else it will be cancelled. (default "10m0s") |
| | | Whether to enable an authenticated connection when communicating with admin. (default true) |
| | strings | Command for external authentication token generation |
| | string | Grace period from the token expiry after which it would refresh the token. (default "5m0s") |
| | string | Amount of time the browser session would be active for authentication from client app. (default "15s") |
| | strings | List of scopes to request |
| | string | Max duration between token refresh attempt and token expiry. (default "1h0m0s") |
| | string | OPTIONAL: Your IdP's token endpoint. It'll be discovered from flyte admin's OAuth Metadata endpoint if not provided. |
| | string | Type of OAuth2 flow used for communicating with admin. (default "Pkce") |
| | int | Maximum number of items to keep in the cache before evicting. (default 1000) |
| | string | Host to connect to (default "dns:///utt-mgdp-stg-us-east-2.cloud-staging.union.ai") |
| | | Whether to connect over insecure channel |
| | | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. Caution: shouldn't be used for production use cases. |
| | | If true, client sends keepalive pings even with no active RPCs. |
| | string | After a duration of this time, if the client doesn't see any activity it pings the server to see if the transport is still alive. (default "20s") |
| | string | After having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed. (default "2m0s") |
| | string | Max delay for gRPC backoff (default "8s") |
| | int | Maximum size in bytes of a gRPC message (default 10485760) |
| | int | Max number of gRPC retries (default 4) |
| | string | Minimum timeout for establishing a connection (default "20s") |
| | string | gRPC per retry timeout (default "15s") |
| | string | Defines gRPC experimental JSON Service Config (default "{"loadBalancingConfig": [{"round_robin":{}}]}") |
| | | Enables passing of trusted claims while making inter-service calls |
| | string | External identity claim of the service which is authorized to make internal service calls. These are verified against UserClouds actions |
| | string | External identity type claim of app or user to use for the current service identity. It should be 'app' for inter-service communication |
| | stringToString | (default []) |
| | | Enables internal service-to-service communication instead of going through ingress. |
| | string | UrlPattern of the internal service endpoints. (default "{{ service }}-helmchart.{{ service }}.svc.cluster.local:80") |
| | string | Specifies the sidecar docker image to use (default "docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4") |
| | string | Certificate directory to use to write generated certs. Defaults to /etc/webhook/certs/ (default "/etc/webhook/certs") |
| | string | AWS region |
| | string | Specifies init container image to use for mounting secrets as files. (default "busybox:1.28") |
| | string | GCP project to be used for secret manager |
| | string | (default "AWS") |
| | string | Specifies the sidecar docker image to use (default "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine") |
| | int | The port to use to listen to webhook calls. Defaults to 9443 (default 9443) |
| | | Write certs locally. Defaults to false |
| | string | An optional prefix for all published metrics. (default "flyte:") |
| | string | Secret name to write generated certs to. (default "flyte-pod-webhook") |
| | string | The name of the webhook service. (default "flyte-pod-webhook") |
| | int32 | The port on the service that hosts the webhook. (default 443) |
| | string | Specifies the vault role to use (default "flyte") |