This guide walks through deploying Flyte on Amazon EKS using the flyte-binary Helm chart. The result is a single-cluster, production-capable Flyte installation backed by S3 and RDS.

Prerequisites

An EKS cluster with at least 3 nodes (e.g., m5.xlarge). Flyte’s control-plane components are lightweight but tasks need node capacity.
eksctl create cluster \
  --name flyte \
  --region us-east-1 \
  --nodegroup-name standard \
  --node-type m5.xlarge \
  --nodes 3
Create one or two S3 buckets — one for Flyte metadata and one for user task data (they can be the same bucket):
aws s3 mb s3://my-flyte-metadata --region us-east-1
aws s3 mb s3://my-flyte-userdata --region us-east-1
Create a PostgreSQL 13+ RDS instance in the same VPC as your EKS cluster. Note the endpoint, username, password, and database name. The Flyte database should be named flyteadmin by default.
Flyte uses IAM Roles for Service Accounts (IRSA) so that pods can access S3 without static credentials. You need two IAM roles:
  • Backend role (FLYTE_BACKEND_IAM_ARN): used by the flyte-binary pod itself to access S3 for metadata
  • User role (FLYTE_USER_IAM_ARN): assumed by task pods in each project namespace
Both roles need s3:GetObject, s3:PutObject, s3:DeleteObject, and s3:ListBucket on your buckets. Enable OIDC on your cluster and create the roles with eksctl:
eksctl utils associate-iam-oidc-provider \
  --cluster flyte --region us-east-1 --approve

eksctl create iamserviceaccount \
  --cluster flyte \
  --namespace flyte \
  --name flyte-backend \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess \
  --override-existing-serviceaccounts \
  --approve
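
The command above attaches the AWS-managed AmazonS3FullAccess policy, which grants every S3 action on every bucket in the account rather than the four actions listed. The following added example (not from the Flyte documentation) generates a policy limited to the named buckets; the policy name flyte-s3-scoped and <ACCOUNT_ID> are placeholders.

```shell
#!/usr/bin/env bash
# Added example: build a bucket-scoped S3 policy for the Flyte IRSA roles.
# Bucket names are the ones created earlier in this guide; the policy name
# "flyte-s3-scoped" and <ACCOUNT_ID> are placeholders, not values from the page.

# Print a JSON array of S3 ARNs, one per bucket, with an optional suffix ("/*").
arn_list() {
  suffix=$1; shift
  sep=""
  printf '['
  for b in "$@"; do
    printf '%s"arn:aws:s3:::%s%s"' "$sep" "$b" "$suffix"
    sep=", "
  done
  printf ']'
}

# Emit the policy: bucket-level actions apply to the bucket ARNs,
# object-level actions apply to the objects inside them.
flyte_s3_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FlyteBucketLevel",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": $(arn_list "" "$@")
    },
    {
      "Sid": "FlyteObjectLevel",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": $(arn_list "/*" "$@")
    }
  ]
}
EOF
}

# Usage (needs AWS credentials; nothing below runs when this file is sourced):
#   flyte_s3_policy my-flyte-metadata my-flyte-userdata > flyte-s3-policy.json
#   aws iam create-policy --policy-name flyte-s3-scoped \
#     --policy-document file://flyte-s3-policy.json
#   eksctl create iamserviceaccount --cluster flyte --namespace flyte \
#     --name flyte-backend \
#     --attach-policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/flyte-s3-scoped \
#     --override-existing-serviceaccounts --approve
```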

Installation

1. Add the Flyte Helm repo

helm repo add flyteorg https://flyteorg.github.io/flyte
helm repo update

2. Download the EKS starter values

curl -sL https://raw.githubusercontent.com/flyteorg/flyte/master/charts/flyte-binary/eks-starter.yaml \
  -o values.yaml

3. Edit values.yaml

Replace all placeholder values. The full file is shown below with annotations.

4. Install with Helm

helm install flyte-backend flyteorg/flyte-binary \
  --namespace flyte \
  --create-namespace \
  --values values.yaml

EKS values reference

This is the complete eks-starter.yaml with all required fields:
configuration:
  database:
    username: postgres
    password: <DB_PASSWORD>
    host: <RDS_HOST_DNS>
    dbname: flyteadmin

  storage:
    metadataContainer: <BUCKET_NAME>
    userDataContainer: <USER_DATA_BUCKET_NAME>
    provider: s3
    providerConfig:
      s3:
        region: "<AWS-REGION-CODE>"
        authType: "iam"             # Uses IRSA — no static keys needed

  logging:
    level: 5
    plugins:
      cloudwatch:
        enabled: true
        templateUri: |-
          https://console.aws.amazon.com/cloudwatch/home?region=<AWS_REGION>#logEventViewer:group=/aws/eks/<EKS_CLUSTER_NAME>/cluster;stream=var.log.containers.{{ .podName }}_{{ .namespace }}_{{ .containerName }}-{{ .containerId }}.log

  auth:
    enabled: false  # Set to true and configure OIDC for production
    oidc:
      baseUrl: <YOUR_IDP_BASE_URL>
      clientId: <IDP_CLIENT_ID>
      clientSecret: <IDP_CLIENT_SECRET>
    internal:
      clientSecret: <CC_PASSWD>
      clientSecretHash: <HASHED_CC_PASSWD>
    authorizedUris:
      - https://flyte.company.com

  inline:
    # Annotate the default KSA in each project namespace for IRSA
    cluster_resources:
      customData:
        - production:
          - defaultIamRole:
              value: <FLYTE_USER_IAM_ARN>
        - staging:
          - defaultIamRole:
              value: <FLYTE_USER_IAM_ARN>
        - development:
          - defaultIamRole:
              value: <FLYTE_USER_IAM_ARN>

    flyteadmin:
      roleNameKey: "iam.amazonaws.com/role"

    plugins:
      k8s:
        inject-finalizer: true
        default-env-vars:
          - AWS_METADATA_SERVICE_TIMEOUT: 5
          - AWS_METADATA_SERVICE_NUM_ATTEMPTS: 20

    storage:
      cache:
        max_size_mbs: 10
        target_gc_percent: 100

    tasks:
      task-plugins:
        enabled-plugins:
          - container
          - sidecar
          - K8S-ARRAY
          - connector-service
          - echo
        default-for-task-types:
          - container: container
          - container_array: K8S-ARRAY

clusterResourceTemplates:
  inline:
    # Automatically create namespaces for each project+domain
    001_namespace.yaml: |
      apiVersion: v1
      kind: Namespace
      metadata:
        name: '{{ namespace }}'
    # Annotate the default KSA with the IAM role ARN
    002_serviceaccount.yaml: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: default
        namespace: '{{ namespace }}'
        annotations:
          eks.amazonaws.com/role-arn: '{{ defaultIamRole }}'

ingress:
  create: true
  # ALB Ingress Controller (recommended on EKS)
  ingressClassName: alb
  commonAnnotations:
    alb.ingress.kubernetes.io/certificate-arn: 'arn:aws:acm:<AWS-REGION>:<ACCOUNT-ID>:certificate/<CERT-ID>'
    alb.ingress.kubernetes.io/group.name: flyte
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/target-type: ip
  httpAnnotations:
    alb.ingress.kubernetes.io/actions.app-root: '{"Type": "redirect", "RedirectConfig": {"Path": "/console", "StatusCode": "HTTP_302"}}'
  grpcAnnotations:
    alb.ingress.kubernetes.io/backend-protocol-version: GRPC
  host: flyte.mydomain.com

serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "<FLYTE_BACKEND_IAM_ARN>"
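
As shipped, the starter file has auth.enabled set to false while the ingress scheme is internet-facing, and every credential is a placeholder. The following added example (not part of the Flyte chart) is a check to run on values.yaml before helm install; it matches lines against the layout of the file shown above and is not a general YAML parser.

```shell
#!/usr/bin/env bash
# Added example, not part of the Flyte chart. Line-oriented check keyed to the
# layout of eks-starter.yaml shown above; function names are hypothetical.

# Print one finding per line; return non-zero if anything was found.
check_flyte_values() {
  f=$1
  findings=""

  # 1. Placeholders such as <DB_PASSWORD> that were never replaced.
  left=$(grep -v '^[[:space:]]*#' "$f" | grep -o '<[A-Z][A-Z_-]*>' | sort -u | tr '\n' ' ')
  if [ -n "$left" ]; then
    findings="${findings}PLACEHOLDER ${left}
"
  fi

  # 2. Value of configuration.auth.enabled (first "enabled:" under "  auth:").
  auth=$(awk '/^  auth:/ {in_auth=1; next}
              in_auth && /^  [a-z]/ {in_auth=0}
              in_auth && /^    enabled:/ {print $2; exit}' "$f")

  # 3. Auth disabled while the ALB scheme is internet-facing.
  if [ "$auth" = "false" ] &&
     grep -Eq 'ingress\.kubernetes\.io/scheme:[[:space:]]*internet-facing' "$f"; then
    findings="${findings}EXPOSED auth.enabled=false on an internet-facing ALB
"
  fi

  printf '%s' "$findings"
  [ -z "$findings" ]
}

# Constructed sample: a trimmed values.yaml with one leftover placeholder.
sample_values() {
  cat <<'EOF'
configuration:
  database:
    password: <DB_PASSWORD>
  auth:
    enabled: false  # Set to true and configure OIDC for production
ingress:
  commonAnnotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
EOF
}

# Usage: check_flyte_values values.yaml || echo "fix the findings before helm install"
```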

Verify the installation

# Check the Flyte pod
kubectl get pods -n flyte

# Port-forward for initial testing (before DNS is set up)
kubectl -n flyte port-forward service/flyte-binary 8088:8088 8089:8089
Open http://localhost:8088/console in your browser.

Configure flytectl

# Point flytectl at the local port-forward (for testing)
flytectl config init --host localhost:8088

# Or configure directly against the ALB hostname
flytectl config init --host flyte.mydomain.com

IAM policy reference

The backend IAM role (attached to the flyte-binary service account) needs at minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-flyte-metadata",
        "arn:aws:s3:::my-flyte-metadata/*",
        "arn:aws:s3:::my-flyte-userdata",
        "arn:aws:s3:::my-flyte-userdata/*"
      ]
    }
  ]
}
