Closed
Description
Describe the bug
A loki-stack pod running on eks with credentials supplied by IRSA still attempts to retrieve credentials via sts:AssumeRoleWithWebIdentity
Expected behavior
Loki should use the IAM role provided to it via a serviceaccount, and not require hard-coded values.
Environment:
loki-stack chart version: 2.3.1
eks v1.17.12-eks-7684af
Screenshots, Promtail config, or terminal output
Config
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNTID:role/ROLENAME
config:
  schema_config:
    configs:
      - from: 2020-10-24
        store: boltdb-shipper
        object_store: aws
        schema: v11
        index:
          prefix: index_
          period: 24h
  storage_config:
    boltdb_shipper:
      active_index_directory: /data/loki/index
      cache_location: /data/loki/boltdb-cache
      resync_interval: 5s
      shared_store: s3
    aws:
      s3: s3://eu-central-1/mybucket
  limits_config:
    enforce_metric_name: false
    reject_old_samples: true
    reject_old_samples_max_age: 24h
  compactor:
    working_directory: /data/loki/boltdb-shipper-compactor
    shared_store: aws
The role has the correct OIDC trust relationship, and rw permissions on the bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::mybucket"
      ]
    }
  ]
}
Error:
level=error ts=2021-01-28T22:42:19.15177334Z caller=compactor.go:83 msg="failed to run compaction" err="WebIdentityErr: failed to retrieve credentials\ncaused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403, request id: dcb419e7-4b05-4093-bfc0-d78829c23eb7"
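
STS evaluates the role's trust policy when it handles sts:AssumeRoleWithWebIdentity, so one thing to check for this error is whether that policy admits the pod's service account token. The Python check below is an added example, not code from the issue or the Loki project; the trust policy, account id, OIDC provider id, namespace and service account name in it are constructed placeholders.

```python
import fnmatch

# Constructed trust policy: account id, OIDC provider id, namespace and service
# account name are placeholders, not values from the issue.
ISSUER = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLEID"
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{ISSUER}:sub": "system:serviceaccount:monitoring:loki"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def irsa_trust_findings(policy, namespace, service_account):
    """Return [] if a statement admits this service account's token subject,
    otherwise one finding per Allow statement explaining why it does not."""
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append(f"statement {i}: Action lacks sts:AssumeRoleWithWebIdentity")
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        issuers = [a.split(":oidc-provider/", 1)[1] for a in federated if ":oidc-provider/" in a]
        if not issuers:
            findings.append(f"statement {i}: Principal is not an IAM OIDC provider")
            continue
        cond = stmt.get("Condition", {})
        for issuer in issuers:
            key = f"{issuer}:sub"
            exact = _as_list(cond.get("StringEquals", {}).get(key, []))
            # StringLike allows * and ?; fnmatch is a close approximation.
            globs = _as_list(cond.get("StringLike", {}).get(key, []))
            if subject in exact or any(fnmatch.fnmatchcase(subject, g) for g in globs):
                return []
            if not exact and not globs:
                findings.append(f"statement {i}: no {key} condition, role is not scoped to a service account")
            else:
                findings.append(f"statement {i}: {key} is {exact + globs}, token subject is {subject}")
    return findings or ["no Allow statement in the trust policy"]
```

Feed it the JSON returned for the role's AssumeRolePolicyDocument together with the namespace and service account name the chart actually created.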