Version: 3.9.0

IAM Roles for Loki Service Accounts

Note: Make sure that IRSA is enabled and amazon-eks-pod-identity-webhook is deployed according to the Associate IAM Roles With Service Accounts documentation.

It is possible to use Amazon Simple Storage Service (Amazon S3) as object storage for Loki. In this case Loki requires access to AWS resources. Follow the steps below to create the required role:

  1. Create AWS IAM Policy AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki_policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListObjects",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::loki-*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::loki-*"
          ]
        }
      ]
    }
  2. Create AWS IAM Role AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki with the following trust relationships:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "<OIDC_PROVIDER>:sub": "system:serviceaccount:<LOKI_NAMESPACE>:edp-loki"
            }
          }
        }
      ]
    }
  3. Attach the AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki_policy policy to the AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki role.

  4. Make sure that an Amazon S3 bucket named loki-<CLUSTER_NAME> exists.

  5. Set the annotation eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki" under the serviceAccount.annotations parameter in values.yaml during the Loki installation.
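The five steps above fit together as one procedure: a permissions policy scoped to the Loki bucket, a trust policy that lets only the edp-loki service account in the Loki namespace assume the role, and the role ARN handed to the chart as a service-account annotation. The following Python script is an added example, not code from the page or from the Loki or EDP projects. It renders the three documents from the placeholders the steps use, and it includes a small evaluator that reproduces the StringEquals check IAM applies to the web-identity token's claims, so you can confirm before deploying that a token for another namespace or service account would be refused. Two things go beyond the page: the bucket policy narrows the page's loki-* wildcard to the one bucket step 4 requires (list on the bucket ARN, object actions on bucket/*), and the trust policy adds an aud condition for sts.amazonaws.com, the audience the pod identity webhook sets on projected tokens. The account ID, OIDC provider path, cluster name and namespace are constructed sample values.

```python
import json

# Constructed sample inputs; replace with the real values for your cluster.
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_OIDC_PROVIDER = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLEDEADBEEF0123456789EXAMPLE"
SAMPLE_CLUSTER = "demo-cluster"
SAMPLE_NAMESPACE = "monitoring"
LOKI_SERVICE_ACCOUNT = "edp-loki"  # service account name the trust policy on the page binds to


def role_name(cluster, namespace):
    """Role name following the page's AWSIRSA<CLUSTER_NAME><LOKI_NAMESPACE>Loki pattern."""
    return f"AWSIRSA{cluster}{namespace}Loki"


def role_arn(account_id, cluster, namespace):
    return f"arn:aws:iam::{account_id}:role/{role_name(cluster, namespace)}"


def build_bucket_policy(cluster):
    """Permissions policy limited to the loki-<CLUSTER_NAME> bucket from step 4.

    S3 evaluates ListBucket against the bucket ARN and object operations
    against the object ARN (bucket/*), so the two are kept in separate statements.
    """
    bucket_arn = f"arn:aws:s3:::loki-{cluster}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [bucket_arn]},
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"{bucket_arn}/*"],
            },
        ],
    }


def build_trust_policy(account_id, oidc_provider, namespace, service_account=LOKI_SERVICE_ACCOUNT):
    """Trust policy from step 2, plus an aud condition (assumption: tokens carry sts.amazonaws.com)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        f"{oidc_provider}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


def trust_policy_allows(trust_policy, issuer, claims):
    """Simplified model of IAM's evaluation of AssumeRoleWithWebIdentity.

    A statement matches when it allows the action for the federated provider
    `issuer` and every StringEquals key `<issuer>:<claim>` equals the token claim.
    Conditions inside one StringEquals block are ANDed, as in IAM.
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if not stmt["Principal"].get("Federated", "").endswith(f":oidc-provider/{issuer}"):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        matched = True
        for key, expected in conditions.items():
            provider, _, claim = key.rpartition(":")
            if provider != issuer or claims.get(claim) != expected:
                matched = False
                break
        if matched:
            return True
    return False


def service_account_values(account_id, cluster, namespace):
    """The serviceAccount.annotations fragment for values.yaml from step 5."""
    return {"serviceAccount": {"annotations": {"eks.amazonaws.com/role-arn": role_arn(account_id, cluster, namespace)}}}


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(SAMPLE_CLUSTER), indent=2))
    trust = build_trust_policy(SAMPLE_ACCOUNT_ID, SAMPLE_OIDC_PROVIDER, SAMPLE_NAMESPACE)
    print(json.dumps(trust, indent=2))
    print(json.dumps(service_account_values(SAMPLE_ACCOUNT_ID, SAMPLE_CLUSTER, SAMPLE_NAMESPACE), indent=2))
    # A token minted for a different namespace must not satisfy the trust policy.
    other_ns = {"sub": "system:serviceaccount:default:edp-loki", "aud": "sts.amazonaws.com"}
    print("other namespace allowed:", trust_policy_allows(trust, SAMPLE_OIDC_PROVIDER, other_ns))
```

Write the two JSON documents to files and pass them to `aws iam create-policy --policy-document file://...` and `aws iam create-role --assume-role-policy-document file://...`; the values fragment is what step 5 expects in values.yaml. The evaluator is a model of the StringEquals condition only, not a replacement for checking the role in IAM, but it catches the common mistake of a sub claim that names the wrong namespace or service account before the chart is installed.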