-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
using gcs for storage with default helm templates results in "caller=flush.go:156 org_id=fake msg="failed to flush user" err="googleapi: Error 401: Invalid Credentials, authError"" #932
Comments
Hi @shepely, I've been able to reproduce this and verified that it is a bug. The issue is that tokens using the GOOGLE_APPLICATION_CREDENTIALS aren't being generated with a scope so they're not authenticating properly. I'm working on a fix; updating the vendors should do it since the issue originates upstream and was fixed here: cortexproject/cortex#1511 |
Apparently updating the vendors is easier said than done 😞. @sandlis is working on a PR that'll include vendor updates and make this issue go away. |
I got GCS working without a hitch with |
Great! Closing as fixed by #938. If anyone is waiting for a new release that includes the fix, that should be coming soon. |
how to add the gcp service account keys from helm charts? |
I was able to grant Loki access to the GCP bucket with the following configuration (the current version of the chart doesn't make it too hard):
|
Thanks a lot, I had been stuck at this for too long.
|
Description
Hello!
I'm trying with helm to setup loki to use GCS for the object storage, while for index storage we're planning to use Cassandra eventualy. So no bigtable in the setup, which I assume is not needed for GCS usage, as there is no documenation controdicting this assumption. For a sake of simplicity, I'll keep default boltdb configuration for index storage below.
I've followed this modest intruction https://github.com/grafana/loki/blob/master/docs/operations.md#google-cloud-storage and this production setup
loki/production/ksonnet/loki/config.libsonnet
Line 55 in a422f39
As a result loki returns an error on a attempt to flush data to GCS:
level=error ts=2019-08-22T09:29:31.858305985Z caller=flush.go:156 org_id=fake msg="failed to flush user" err="googleapi: Error 401: Invalid Credentials, authError"
To Reproduce
Steps to reproduce the behavior:
Using helm secrets plugin for encryption: https://github.com/futuresimple/helm-secrets
Expected behavior
Data is flushed to GCS.
Environment:
Additional information
To validate the json key for the service account itself is valid, I've exec'ed into a devbox container within the same GKE cluster as a loki and performed following:
Also I've exec'ed into the loki container, to ensure that key.json is properly mounted, see below:
P.S.: Obviously, all sensitive data is replaced with sample one (e.g. project name, bucket name and etc)
Please, advice on how to approch the issue or confirm whether this is a Bug, as I can't be certain that the setup above is correct. Thanks!
The text was updated successfully, but these errors were encountered: