
IAM Roles for Loki Service Accounts

Note

Make sure that IRSA is enabled and amazon-eks-pod-identity-webhook is deployed according to the Associate IAM Roles With Service Accounts documentation.

It is possible to use Amazon Simple Storage Service (Amazon S3) as object storage for Loki. In this case Loki requires access to AWS resources. Follow the steps below to create the required role:

  1. Create AWS IAM Policy "AWSIRSA‹CLUSTER_NAME›‹LOKI_NAMESPACE›Loki_policy":

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListObjects",
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::loki-*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::loki-*"
                ]
            }
        ]
    }
    
  2. Create AWS IAM Role "AWSIRSA‹CLUSTER_NAME›‹LOKI_NAMESPACE›Loki" with trust relationships:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "<OIDC_PROVIDER>:sub": "system:serviceaccount:<LOKI_NAMESPACE>:edp-loki"
            }
          }
        }
      ]
    }
    
  3. Attach the "AWSIRSA‹CLUSTER_NAME›‹LOKI_NAMESPACE›Loki_policy" policy to the "AWSIRSA‹CLUSTER_NAME›‹LOKI_NAMESPACE›Loki" role.

  4. Make sure that an Amazon S3 bucket named loki-‹CLUSTER_NAME› exists.

  5. Add the annotation eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AWSIRSA‹CLUSTER_NAME›‹LOKI_NAMESPACE›Loki" to the serviceAccount.annotations parameter in values.yaml during the Loki installation. The annotated service account must be the one named in the trust policy's sub condition (edp-loki in ‹LOKI_NAMESPACE›); otherwise the sts:AssumeRoleWithWebIdentity call is denied.
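The trust relationship in step 2 is what keeps the role usable by exactly one service account, so it is worth generating and checking it programmatically. The example below is added here and is not code from the Loki project or this documentation: it builds the step 2 trust policy for a given account, OIDC provider, namespace and service account, and then checks a policy document for the common ways it ends up wider than intended (no sub condition, a StringLike wildcard, a sub for another namespace, a foreign OIDC provider). It also adds an aud condition pinning the token audience to sts.amazonaws.com, which AWS's IRSA documentation recommends but the page's step 2 policy omits, and flags its absence. The OIDC provider value and account ID are constructed samples.

```python
OIDC = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLEOIDCID"  # constructed sample provider, not a real one

def build_trust_policy(account_id: str, oidc_provider: str, namespace: str, sa_name: str) -> dict:
    """Trust policy of step 2 for one service account, plus an audience pin (AWS recommendation)."""
    conditions = {
        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
        f"{oidc_provider}:aud": "sts.amazonaws.com",  # not in the page's version; rejects tokens minted for other audiences
    }
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": conditions},
    }]}

def check_trust_policy(doc: dict, oidc_provider: str, namespace: str, sa_name: str) -> list:
    """Findings where the trust policy lets more than the intended service account assume the role."""
    sub_key, aud_key = f"{oidc_provider}:sub", f"{oidc_provider}:aud"
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    findings = []
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRoleWithWebIdentity", "sts:*", "*"} & set(actions):
            continue  # only web-identity Allow statements open the role to pod tokens
        federated = str(stmt.get("Principal", {}).get("Federated", ""))
        if not federated.endswith(f":oidc-provider/{oidc_provider}"):
            findings.append(f"federated principal {federated!r} is not this cluster's OIDC provider")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        like = stmt.get("Condition", {}).get("StringLike", {})
        sub = equals.get(sub_key)
        if sub is None and sub_key in like:
            findings.append(f"StringLike sub {like[sub_key]!r} can match more than one service account")
        elif sub is None:
            findings.append("no :sub condition: any service account in the cluster could assume the role")
        elif sub not in (expected_sub, [expected_sub]):
            findings.append(f"sub {sub!r} is not {expected_sub!r}")
        if equals.get(aud_key) != "sts.amazonaws.com":
            findings.append("no :aud condition pinning the token audience to sts.amazonaws.com")
    return findings

if __name__ == "__main__":
    doc = build_trust_policy("123456789012", OIDC, "loki", "edp-loki")
    print(check_trust_policy(doc, OIDC, "loki", "edp-loki"))  # []
    del doc["Statement"][0]["Condition"]  # simulate a role whose trust policy lost its scoping condition
    print(check_trust_policy(doc, OIDC, "loki", "edp-loki"))
```

Feed it the output of `aws iam get-role` (the AssumeRolePolicyDocument field) to audit roles that already exist.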