IAM Roles for Loki Service Accounts
Amazon Simple Storage Service (Amazon S3) can be used as the object storage for Loki. In that case Loki needs access to AWS resources, which is granted through an IAM role bound to the Loki service account (IRSA). Follow the steps below to create the required role:
- Create the AWS IAM policy `AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki_policy`:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListObjects",
          "s3:ListBucket",
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject"
        ],
        "Resource": [
          "arn:aws:s3:::loki-*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::loki-*"
        ]
      }
    ]
  }
  ```

- Create the AWS IAM role `AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki` with the following trust relationship:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "<OIDC_PROVIDER>:sub": "system:serviceaccount:<LOKI_NAMESPACE>:edp-loki"
          }
        }
      }
    ]
  }
  ```

- Attach the `AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki_policy` policy to the `AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki` role.

- Make sure that an Amazon S3 bucket named `loki-<CLUSTER_NAME>` exists.

- Set the annotation `eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki"` in the `serviceAccount.annotations` parameter of `values.yaml` during the Loki installation.
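The steps above can be assembled and reviewed programmatically before anything is created in AWS. The following Python script is an added example, not part of this documentation or of the Loki or EDP projects: it derives the policy, role and bucket names from `<CLUSTER_NAME>` and `<LOKI_NAMESPACE>`, builds the permissions policy and the trust relationship, builds the `serviceAccount.annotations` value, and runs a small review over a trust policy to flag the shapes that let more than the `edp-loki` service account assume the role. It goes slightly beyond the page in two places, both marked in the code: the permissions policy is scoped to the single `loki-<CLUSTER_NAME>` bucket (bucket ARN for `s3:ListBucket`, `bucket/*` for object actions) instead of the `loki-*` wildcard, and the trust policy adds the documented `<OIDC_PROVIDER>:aud` condition pinning the token audience to `sts.amazonaws.com`. The account ID, OIDC provider and cluster name in the `__main__` section are constructed sample values.

```python
"""Build and review the IRSA documents for the Loki service account (added example)."""
import json

SERVICE_ACCOUNT = "edp-loki"  # service-account name used on the page


def resource_names(cluster_name: str, namespace: str) -> dict:
    """Derive the names used on the page from <CLUSTER_NAME> and <LOKI_NAMESPACE>."""
    role = f"AWSIRSA{cluster_name}{namespace}Loki"
    return {"policy": f"{role}_policy", "role": role, "bucket": f"loki-{cluster_name}"}


def s3_policy(bucket: str) -> dict:
    """Permissions policy scoped to one bucket (tighter than the page's loki-* wildcard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # bucket-level action: resource is the bucket ARN
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {   # object-level actions: resource is bucket/*
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def trust_policy(account_id: str, oidc_provider: str, namespace: str) -> dict:
    """Trust relationship that only the Loki service account can satisfy.
    The :aud condition is an addition to the page's document; it pins the
    audience of the projected service-account token to sts.amazonaws.com."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{SERVICE_ACCOUNT}",
                        f"{oidc_provider}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


def trust_policy_findings(doc: dict, oidc_provider: str, namespace: str) -> list:
    """Review a trust policy; returns a list of findings (empty means it looks fine).
    Flags a missing :sub condition, a StringLike pattern on :sub, a :sub pinned to the
    wrong service account, and a missing :aud condition."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{SERVICE_ACCOUNT}"
    sub_key, aud_key = f"{oidc_provider}:sub", f"{oidc_provider}:aud"
    for stmt in doc.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if sub_key in equals:
            if equals[sub_key] != expected_sub:
                findings.append(f"sub is pinned to {equals[sub_key]!r}, expected {expected_sub!r}")
        elif sub_key in like:
            findings.append(f"sub uses StringLike pattern {like[sub_key]!r}; every matching service account can assume the role")
        else:
            findings.append("no :sub condition; any service account in the cluster can assume the role")
        if equals.get(aud_key) != "sts.amazonaws.com":
            findings.append("no :aud condition pinning the token audience to sts.amazonaws.com")
    return findings


def service_account_annotation(account_id: str, role: str) -> dict:
    """Value for serviceAccount.annotations in the Loki values.yaml."""
    return {"eks.amazonaws.com/role-arn": f"arn:aws:iam::{account_id}:role/{role}"}


if __name__ == "__main__":
    # Constructed sample inputs, not real account, cluster or OIDC identifiers.
    account, provider = "111122223333", "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEPROVIDERID"
    names = resource_names("demo", "logging")
    print(json.dumps(s3_policy(names["bucket"]), indent=2))
    tp = trust_policy(account, provider, "logging")
    print(json.dumps(tp, indent=2))
    print("findings:", trust_policy_findings(tp, provider, "logging"))
    print(service_account_annotation(account, names["role"]))
```

`trust_policy_findings` is the piece worth keeping around: run it over the trust policy of any IRSA role (for example the output of `aws iam get-role`) to confirm the role is still pinned to exactly one service account after later edits.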