Thanks @b0b!
I have now something like this in my Helm values file for deploying Loki and it works nicely 
loki:
...
storage:
...
s3:
endpoint: "${GRAFANA-LOKI-S3-ENDPOINT}"
accessKeyId: "${GRAFANA-LOKI-S3-ACCESKEYID}"
secretAccessKey: "${GRAFANA-LOKI-S3-SECRETACCESSKEY}"
...
backend:
...
extraArgs:
- '-config.expand-env=true'
extraEnv:
- name: GRAFANA-LOKI-S3-ENDPOINT
valueFrom:
secretKeyRef:
name: loki-secrets
key: grafana-loki-s3-endpoint
- name: GRAFANA-LOKI-S3-ACCESKEYID
valueFrom:
secretKeyRef:
name: loki-secrets
key: grafana-loki-s3-accessKeyId
- name: GRAFANA-LOKI-S3-SECRETACCESSKEY
valueFrom:
secretKeyRef:
name: loki-secrets
key: grafana-loki-s3-secretAccessKey
...