I’m running Loki in simpleScalable mode on GKE with GCS as the storage backend. I want Loki to access the GCS bucket using only a Google Service Account via Workload Identity, without using a credentials JSON file.
I’ve:
- Enabled Workload Identity on the cluster
- Annotated the Kubernetes ServiceAccount used by Loki with the GCP Service Account
- Granted the GCP Service Account the required GCS IAM roles
However, Loki fails to initialize the storage/compactor and most GitHub issues and docs seem to assume a credentials file–based setup.
Is using GCS with Loki in simpleScalable mode via Workload Identity (SA only, no JSON key) officially supported? If yes, is there any additional configuration required (especially for the compactor / delete store)? Any guidance or confirmation would be appreciated.
Error in backend pod:
level=error ts=2025-12-14T19:20:14.164017356Z caller=log.go:223 msg="error running loki" err="init compactor: failed to init delete store: googleapi: Error 403: Provided scope(s) are not authorized, forbidden\nerror initialising module: compactor\ngithub.com/grafana/dskit/modules.(*Manager).initModule\n\t/src/loki/vendor/github.com/grafana/dskit/modules/modules.go:138\ngithub.com/grafana/dskit/modules.(*Manager).InitModuleServices\n\t/src/loki/vendor/github.com/grafana/dskit/modules/modules.go:108\ngithub.com/grafana/loki/v3/pkg/loki.(*Loki).Run\n\t/src/loki/pkg/loki/loki.go:549\nmain.main\n\t/src/loki/cmd/loki/main.go:130\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:283\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1700"
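For reference, here is the shape of a key-file-free GCS configuration for Loki 3.x that relies on Application Default Credentials (on GKE with Workload Identity, the pod obtains those from the GKE metadata server). This is an added example, not the poster's configuration or Grafana's reference config; the bucket name, path prefix and schema date are placeholders, and no `service_account` key is set anywhere because a JSON key is intentionally not used.

```yaml
# Added example: minimal Loki 3.x storage config for GCS via Workload Identity.
# No service_account / credentials file is configured; the GCS client falls back
# to Application Default Credentials from the GKE metadata server.
common:
  path_prefix: /var/loki                # placeholder local path
  replication_factor: 3
  ring:
    kvstore:
      store: memberlist
  storage:
    gcs:
      bucket_name: loki-chunks-example  # placeholder bucket name

schema_config:
  configs:
    - from: "2024-01-01"                # placeholder schema start date
      store: tsdb
      object_store: gcs
      schema: v13
      index:
        prefix: index_
        period: 24h

# The compactor's delete store must point at an object store; with only
# common.storage.gcs set it still needs delete_request_store named explicitly
# when retention is enabled.
compactor:
  working_directory: /var/loki/compactor
  delete_request_store: gcs
  retention_enabled: true
```

Before changing Loki settings it is worth confirming the identity the pod actually receives: from a pod in the same namespace that uses the annotated Kubernetes ServiceAccount, query the metadata server path `computeMetadata/v1/instance/service-accounts/default/email` with the `Metadata-Flavor: Google` header and check that the returned address is the intended GCP Service Account rather than the node's default account. If that address is wrong, the IAM roles granted to the GCP Service Account never apply to Loki, and no Loki-side option will change the 403.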