IAM Roles for Loki Service Accounts
Make sure that IRSA (IAM Roles for Service Accounts) is enabled for the cluster, that is, the cluster has an IAM OIDC identity provider and amazon-eks-pod-identity-webhook is deployed, as described in the Associate IAM Roles With Service Accounts documentation.
Amazon Simple Storage Service (Amazon S3) can be used as object storage for Loki. In that case Loki needs IAM permissions for the bucket, which it obtains by assuming an IAM role through its Kubernetes service account instead of using static access keys. Follow the steps below to create the required role:
- Create the AWS IAM policy `AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki_policy`. Bucket-level and object-level S3 actions need different resource ARNs, so they are split into two statements. Both are scoped to the single bucket Loki will use (step 4) rather than to a `loki-*` prefix, which would also grant access to every other bucket in the account whose name starts with `loki-`. Note that `s3:ListObjects` is not an IAM action; listing a bucket is covered by `s3:ListBucket`:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::loki-<CLUSTER_NAME>"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject"
        ],
        "Resource": [
          "arn:aws:s3:::loki-<CLUSTER_NAME>/*"
        ]
      }
    ]
  }
  ```
- Create the AWS IAM role `AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki` with the trust relationship below. `<OIDC_PROVIDER>` is the cluster's OIDC issuer without the `https://` scheme, for example `oidc.eks.<AWS_REGION>.amazonaws.com/id/<ID>`. The `sub` condition pins the role to one service account in one namespace, so it must match exactly the namespace and service account name the Loki release uses (`edp-loki` here); a mismatch shows up as an AccessDenied on `sts:AssumeRoleWithWebIdentity`. The `aud` condition additionally restricts the role to tokens issued with the STS audience, which is what the pod identity webhook projects into the pod:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "<OIDC_PROVIDER>:sub": "system:serviceaccount:<LOKI_NAMESPACE>:edp-loki",
            "<OIDC_PROVIDER>:aud": "sts.amazonaws.com"
          }
        }
      }
    ]
  }
  ```
- Attach the `AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki_policy` policy to the `AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki` role.
- Make sure that an Amazon S3 bucket with the name `loki-<CLUSTER_NAME>` exists.
- During the Loki Installation, set the `eks.amazonaws.com/role-arn` annotation in the `serviceAccount.annotations` parameter of `values.yaml`; the pod identity webhook reads this annotation to inject the role ARN and the projected web identity token into the Loki pods:

  ```yaml
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki"
  ```
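The five steps above, scripted with the AWS CLI, as an added example (this is not part of the EDP documentation or the Loki chart). It assumes the placeholders used on this page: `CLUSTER_NAME`, `LOKI_NAMESPACE`, `AWS_ACCOUNT_ID`, `OIDC_PROVIDER` (issuer host and path, no scheme) and the `edp-loki` service account name. The `serviceAccount.name` key in the printed values fragment is an assumption about the chart; keep whatever key your chart uses for the service account name, as long as it matches the `sub` in the trust policy. The `check_inputs` function guards against the two most common mistakes (a malformed account ID and an OIDC provider string that still carries `https://`), and `verify_loki_irsa` confirms after installation that STS really hands out the role to a pod running under that service account.

```shell
#!/usr/bin/env sh
# Added example: IRSA setup for Loki's S3 access with the AWS CLI.
# Placeholders follow the page: CLUSTER_NAME, LOKI_NAMESPACE, AWS_ACCOUNT_ID,
# OIDC_PROVIDER (e.g. oidc.eks.eu-west-1.amazonaws.com/id/ABC123), SA edp-loki.
set -eu

# Step 1: policy scoped to the single bucket loki-<CLUSTER_NAME>.
# Bucket-level (ListBucket) and object-level actions need different ARNs.
loki_policy_json() {
  cluster="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::loki-${cluster}"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::loki-${cluster}/*"]
    }
  ]
}
EOF
}

# Step 2: trust policy pinned to one service account and to the STS audience.
loki_trust_json() {
  account="$1"; oidc="$2"; namespace="$3"; sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${oidc}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc}:sub": "system:serviceaccount:${namespace}:${sa}",
          "${oidc}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

loki_role_name() { printf 'AWSIRSA%s%sLoki' "$1" "$2"; }
loki_role_arn()  { printf 'arn:aws:iam::%s:role/%s' "$1" "$(loki_role_name "$2" "$3")"; }

# A wrong OIDC provider string is the usual cause of AccessDenied on
# sts:AssumeRoleWithWebIdentity, so validate the inputs before creating anything.
check_inputs() {
  account="$1"; oidc="$2"
  case "$account" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "AWS_ACCOUNT_ID must be exactly 12 digits" >&2; return 1 ;;
  esac
  case "$oidc" in
    https://*) echo "OIDC_PROVIDER must not include the https:// scheme" >&2; return 1 ;;
    oidc.eks.*.amazonaws.com/id/*) ;;
    *) echo "OIDC_PROVIDER should look like oidc.eks.<region>.amazonaws.com/id/<ID>" >&2; return 1 ;;
  esac
}

# Steps 1-4 against AWS, then the step-5 values.yaml fragment on stdout.
create_loki_irsa() {
  cluster="$1"; namespace="$2"; account="$3"; oidc="$4"; sa="${5:-edp-loki}"
  check_inputs "$account" "$oidc"
  role="$(loki_role_name "$cluster" "$namespace")"
  policy_arn="$(aws iam create-policy --policy-name "${role}_policy" \
      --policy-document "$(loki_policy_json "$cluster")" \
      --query Policy.Arn --output text)"
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(loki_trust_json "$account" "$oidc" "$namespace" "$sa")" >/dev/null
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
  aws s3api head-bucket --bucket "loki-${cluster}"   # non-zero exit if the bucket is missing
  cat <<EOF
serviceAccount:
  name: ${sa}   # assumed chart key; must equal the :sub in the trust policy
  annotations:
    eks.amazonaws.com/role-arn: "$(loki_role_arn "$account" "$cluster" "$namespace")"
EOF
}

# After installation: a throwaway pod under the same service account must get the
# projected token injected and STS must return arn:aws:sts::<account>:assumed-role/<role>/...
verify_loki_irsa() {
  namespace="$1"; sa="${2:-edp-loki}"
  kubectl -n "$namespace" run irsa-check --rm -i --restart=Never --image=amazon/aws-cli \
    --overrides="{\"spec\":{\"serviceAccountName\":\"${sa}\"}}" -- sts get-caller-identity
}

if [ "${1:-}" = "create" ]; then shift; create_loki_irsa "$@"; fi
```

Usage: `sh loki-irsa.sh create <CLUSTER_NAME> <LOKI_NAMESPACE> <AWS_ACCOUNT_ID> <OIDC_PROVIDER>` creates the policy and role and prints the values fragment; after the Loki release is installed, `. ./loki-irsa.sh; verify_loki_irsa <LOKI_NAMESPACE>` should print an `assumed-role/AWSIRSA...Loki` ARN. If it prints the node's instance role instead, the webhook did not mutate the pod (check the annotation and the namespace); if it fails with AccessDenied, the `sub`/`aud` conditions do not match the token.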