Using an IAM Role instead of IAM User?

Is it possible, when running OSS Loki on an AWS EC2 (or a host running AWS SSM Agent), to use an IAM Role (or instance profile) instead of an IAM User for Loki to access S3?

Yes, no reason not to do that if you are running in AWS.

@tonyswumac so it will pick up from the Instance Profile role environment vars?

You should not need to set the instance profile if it’s attached to the instance. Please see Using instance profiles - AWS Identity and Access Management. Also, this is not Loki related; I’d recommend you ask AWS-related questions in their forums.

It is Loki related, as I’m asking about step 3 that talks about an IAM User (Access Key/SecretKey) in this doc:
https://grafana.com/docs/loki/latest/setup/install/helm/install-monolithic/

Hello,
Looks like I’ve got the same issue.
I installed a Docker container with Loki in AWS; the EC2 instance has role-based access to S3. I’ve checked via the AWS CLI, and the access policy works fine. Nevertheless, if I try to start the Loki container, I get an error:
msg="error running loki" err="NoCredentialProviders: no valid providers in chain. Deprecated.
Here I use a Loki config like this:

storage_config:
  aws:
    s3: s3://<my_region_here_goes>
    bucketnames: <my_s3_name_here_goes>
  tsdb_shipper:
    active_index_directory: /loki/tsdb-index
    cache_location: /loki/tsdb-cache
    shared_store: s3

If I modify the line with s3 like this:
s3: s3://<ACCESS_KEY>/<SECRET_KEY>@<my_region_here_goes>
it works fine. But I’d like not to use credentials, but via aws role like here is


and no matter how I apply a bucketname - as a separate parameter, or in one line with aws_region - it doesn’t work.

Will appreciate any help
Best regards

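A check for the key-in-config form shown in the post above, added here as an example (not code from this thread or from the Loki project): it scans Loki YAML text for S3 credentials embedded in the `s3://` URL or set as literal `access_key_id` / `secret_access_key` values, and reports line numbers only. The sample configs, key values, region and bucket name are constructed; the two key fields and `${VAR}` expansion are Loki config features that do not appear in this thread.

```python
import re

# Secrets in the URL userinfo: s3://KEY:SECRET@region/bucket (the post above
# writes s3://KEY/SECRET@region; either way they sit before the '@').
S3_URL_WITH_USERINFO = re.compile(r"^\s*s3:\s*['\"]?s3://[^@\s'\"]+@")
# Key fields; a ${VAR} value comes from the environment, not the file.
KEY_FIELD = re.compile(r"^\s*(access_key_id|secret_access_key):\s*(\S.*)$")
ENV_REF = re.compile(r"^['\"]?\$\{[A-Za-z_][A-Za-z0-9_]*(:-?[^}]*)?\}['\"]?$")


def find_static_s3_credentials(config_text):
    """Return (line_number, reason) findings; secret values are never echoed."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if S3_URL_WITH_USERINFO.match(line):
            findings.append((lineno, "credentials embedded in s3 URL"))
            continue
        m = KEY_FIELD.match(line)
        if m:
            value = m.group(2).strip()
            if value in ('""', "''", "null", "~") or ENV_REF.match(value):
                continue
            findings.append((lineno, "literal " + m.group(1)))
    return findings


# Constructed samples: key values, region and bucket name are made up.
KEY_IN_URL = """\
storage_config:
  aws:
    s3: s3://EXAMPLEKEYID:EXAMPLESECRET@eu-west-1/example-bucket
"""
ROLE_BASED = """\
storage_config:
  aws:
    s3: s3://eu-west-1
    bucketnames: example-bucket
"""
KEY_FIELDS = """\
storage_config:
  aws:
    region: eu-west-1
    access_key_id: EXAMPLEKEYID
    secret_access_key: ${LOKI_S3_SECRET}
"""
# Usage (file name is an example): find_static_s3_credentials(open("loki.yaml").read())
```

An empty result means the file itself carries no keys, so Loki falls back to whatever credentials its environment provides; it does not show that the role is reachable from inside the container.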

I’m running into this same issue, did you ever find a solution to using aws roles instead of specifying the keys?