Describe the bug
A clear and concise description of what the bug is.
I'm using Loki helm chart with GCS object storage, and it seems that it cannot authenticate to the bucket using the service account.
Expected behavior
Expect to use the service account to authenticate and work correctly.
Environment:
Infrastructure: Kubernetes
Deployment tool: helm
loki-0 logs
level=error caller=log.go:216 msg="error running loki" err="init compactor: failed to init delete store: googleapi: got HTTP response code 403 with body: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).</Details></Error>\nerror initialising module: compactor\ngithub.com/grafana/dskit/modules.(*Manager).initModule\n\t/src/loki/vendor/github.com/grafana/dskit/modules/modules.go:138\ngithub.com/grafana/dskit/modules.(*Manager).InitModuleServices\n\t/src/loki/vendor/github.com/grafana/dskit/modules/modules.go:108\ngithub.com/grafana/loki/v3/pkg/loki.(*Loki).Run\n\t/src/loki/pkg/loki/loki.go:453\nmain.main\n\t/src/loki/cmd/loki/main.go:122\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:267\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1650"
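Added example, not part of the original issue or of Loki's code: a small triage helper that pulls the failing init step, HTTP status, GCS error code and denied permission out of a log line like the one above. The function, constant and field names are assumptions made for this sketch, and the sample input is the issue's log line abridged plus one constructed line.

```python
import re
import xml.etree.ElementTree as ET

# Sample input: the issue's loki-0 error line, abridged (stack trace dropped),
# plus one constructed non-error line.
SAMPLE_LINES = [
    'level=error caller=log.go:216 msg="error running loki" err="init compactor: '
    "failed to init delete store: googleapi: got HTTP response code 403 with body: "
    "<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code>"
    "<Message>Access denied.</Message><Details>Caller does not have "
    "storage.objects.get access to the Google Cloud Storage object. Permission "
    "'storage.objects.get' denied on resource (or it may not exist).</Details>"
    '</Error>\\nerror initialising module: compactor"',
    'level=info caller=main.go:1 msg="constructed non-error line"',
]

# logfmt err="..." value; escaped characters such as \n stay inside the quotes.
ERR_FIELD = re.compile(r'\berr="((?:[^"\\]|\\.)*)"')
# Everything before "googleapi:" is the Loki step that failed.
GCS_ERROR = re.compile(
    r"^(?P<stage>.*?): googleapi: got HTTP response code (?P<status>\d+) "
    r"with body: (?P<xml><\?xml.*?</Error>)", re.S)
PERMISSION = re.compile(r"Permission '([A-Za-z.]+)' denied")


def parse_gcs_denial(line):
    """Return details of a GCS error embedded in a Loki logfmt line, else None."""
    field = ERR_FIELD.search(line)
    hit = GCS_ERROR.search(field.group(1)) if field else None
    if not hit:
        return None
    try:
        root = ET.fromstring(hit.group("xml").encode("utf-8"))
    except ET.ParseError:
        return None  # body was truncated or is not well-formed XML
    details = root.findtext("Details", default="")
    perm = PERMISSION.search(details)
    return {
        "stage": hit.group("stage"),
        "http_status": int(hit.group("status")),
        "code": root.findtext("Code"),
        "permission": perm.group(1) if perm else None,
        # The message itself says the object may simply be absent.
        "maybe_missing_object": "may not exist" in details,
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_gcs_denial(sample))
```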
The service_account field is not included in the Helm chart, and since it can't find a valid service account it will instead use the cluster service account. What I could find is that by default the service account key JSON is mounted into the container as a secret. For the loki-write container for example: