From b4a8273960f470614677d07078e5fbe08c969014 Mon Sep 17 00:00:00 2001
From: "loki-gh-app[bot]" <160051081+loki-gh-app[bot]@users.noreply.github.com>
Date: Tue, 26 Nov 2024 11:05:33 -0500
Subject: [PATCH] docs: added additional GCS authentication information (backport release-3.2.x) (#15125)

Co-authored-by: Sean P.
---
 docs/sources/configure/storage.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/docs/sources/configure/storage.md b/docs/sources/configure/storage.md
index 0b98cfc18d848..c0178b67bdcbb 100644
--- a/docs/sources/configure/storage.md
+++ b/docs/sources/configure/storage.md
@@ -237,9 +237,14 @@ storage_config:
 tsdb_shipper:
 active_index_directory: /loki/index
 cache_location: /loki/index_cache
- cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
+ cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
 gcs:
 bucket_name:
+ service_account: |
+ {
+ "type": "service_account",
+ ...
+ }

 schema_config:
 configs:
@@ -252,6 +257,14 @@ schema_config:
 period: 24h
 ```

+`service_account` should contain JSON from either a GCP Console `client_credentials.json` file or a GCP service account key. If this value is blank, most services will fall back to GCP's Application Default Credentials (ADC) strategy. For more information about ADC, refer to [How Application Default Credentials works](https://cloud.google.com/docs/authentication/application-default-credentials).
+
+The [pre-defined `storage.objectUser` role](https://cloud.google.com/storage/docs/access-control/iam-roles) (or a custom role modeled after it) contains sufficient permissions for Loki to operate.
+
+{{< admonition type="note" >}}
+GCP recommends [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) instead of a service account key.
+{{< /admonition >}}
+
 ### AWS deployment (S3 Single Store)

 ```yaml