Open Rohlik opened 1 month ago
We actually use the minio s3 client. Here is our Tempo s3 config:
And here is where we use it to build a minio client:
This appears relevant to our interests:
https://github.com/minio/minio-go/issues/1940
Looks like this was released here:
https://github.com/minio/minio-go/releases/tag/v7.0.70
We updated to this version here:
https://github.com/grafana/tempo/pull/3721
So with a little luck this will be supported in 2.6.0?
We are having the same issue. Pod Identity was configured correctly and the containers had the auto-mounted ENVs properly.
But somehow, Tempo's services do not pick up those credentials. The only way that seems to work now is using IRSA:
level=error ts=2024-07-24T04:34:13.563927913Z caller=main.go:121 msg="error running Tempo" err="failed to init module services: error initialising module: store: failed to create store: unexpected error from ListObjects on s3-tempo: Access Denied"
Additional information: Grafana Loki and Mimir can work normally with EKS Pod Identity.
@AnhQKatalon I was not able to make it work even with Mimir, I'm getting a similar error as for Tempo:
err="blocks storage: unable to successfully send a request to object storage: Access Denied"
@joe-elliott Thank you for that clarification about the Go library.
@Rohlik I can confirm Mimir works with Pod Identity.
We're running most Grafana OSS services and Tempo + Pyroscope are the only two that don't work with Pod Identity at the moment.
Is your feature request related to a problem? Please describe.
A very common solution for granting permission to S3 buckets is via IAM roles for Service Accounts (IRSA), but recently (2023), AWS introduced EKS Pod Identity functionality, which simplifies granting AWS services access to pods running in an EKS cluster. However, Tempo (and other Grafana components) seems to be incompatible based on the docs and my tests:
Describe the solution you'd like
Support this modern way of granting access to AWS services to pods via EKS Pod Identity.
Describe alternatives you've considered
The mentioned alternative solution with IRSA works fine. However, it can be unnecessarily complicated, especially in big deployments.
Additional context
The primary prerequisite is aws-sdk-go with version > v1.47.11, which Tempo fulfills. We use the tempo-distributed Helm chart. Related pod's output of compactor, which shows that the container has proper ENVs/mounts auto-set, but the container itself doesn't use them for some reason:
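Added example, not code from Tempo or minio-go: a small Go program that classifies which AWS credential mechanism a container's environment advertises (EKS Pod Identity, IRSA, static keys) and, for the Pod Identity case, performs the exchange a supporting SDK has to implement: read the bearer token from the file named by AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE and present it in the Authorization header to AWS_CONTAINER_CREDENTIALS_FULL_URI, which answers with a JSON credential document. The environment variable names and the document's field names are AWS's container-credential interface; the function names, the warning strings and the sample values are my own. Run inside the compactor pod, it separates "the mounted credentials are unusable" (the fetch fails) from "the credentials work but the storage client ignores this source" (the fetch succeeds while ListObjects is still denied).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// CredSource names the credential mechanism the environment advertises.
type CredSource string

const (
	SourcePodIdentity CredSource = "eks-pod-identity"
	SourceIRSA        CredSource = "irsa-web-identity"
	SourceStatic      CredSource = "static-keys"
	SourceNone        CredSource = "none-or-instance-metadata"
)

// DetectSource classifies an environment given as a map (so it can be tested
// offline). Pod Identity is checked first, since that is the source older
// client libraries did not consult; a half-configured pair yields a warning.
func DetectSource(env map[string]string) (CredSource, []string) {
	var warnings []string
	has := func(k string) bool { return env[k] != "" }
	switch {
	case has("AWS_CONTAINER_CREDENTIALS_FULL_URI") || has("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"):
		if !has("AWS_CONTAINER_CREDENTIALS_FULL_URI") || !has("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE") {
			warnings = append(warnings, "Pod Identity only partially configured: expected both AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
		}
		return SourcePodIdentity, warnings
	case has("AWS_ROLE_ARN") || has("AWS_WEB_IDENTITY_TOKEN_FILE"):
		if !has("AWS_ROLE_ARN") || !has("AWS_WEB_IDENTITY_TOKEN_FILE") {
			warnings = append(warnings, "IRSA only partially configured: expected both AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE")
		}
		return SourceIRSA, warnings
	case has("AWS_ACCESS_KEY_ID") && has("AWS_SECRET_ACCESS_KEY"):
		return SourceStatic, nil
	}
	return SourceNone, nil
}

// ContainerCreds is the JSON document the container credential endpoint returns.
type ContainerCreds struct {
	AccessKeyId     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	Token           string    `json:"Token"`
	Expiration      time.Time `json:"Expiration"`
}

// FetchPodIdentityCreds performs the Pod Identity credential exchange:
// token file contents -> Authorization header -> GET credentials URI.
func FetchPodIdentityCreds(client *http.Client, env map[string]string) (*ContainerCreds, error) {
	uri, tokenFile := env["AWS_CONTAINER_CREDENTIALS_FULL_URI"], env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"]
	if uri == "" || tokenFile == "" {
		return nil, errors.New("pod identity environment incomplete")
	}
	tok, err := os.ReadFile(tokenFile)
	if err != nil {
		return nil, fmt.Errorf("read token file: %w", err)
	}
	req, err := http.NewRequest(http.MethodGet, uri, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", strings.TrimSpace(string(tok)))
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("credential endpoint unreachable: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
		return nil, fmt.Errorf("credential endpoint returned %d: %s", resp.StatusCode, body)
	}
	var c ContainerCreds
	if err := json.NewDecoder(resp.Body).Decode(&c); err != nil {
		return nil, fmt.Errorf("decode credential document: %w", err)
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return nil, errors.New("credential document is missing AccessKeyId or SecretAccessKey")
	}
	return &c, nil
}

// envMap copies the real process environment into the map form DetectSource uses.
func envMap() map[string]string {
	m := map[string]string{}
	for _, kv := range os.Environ() {
		if k, v, ok := strings.Cut(kv, "="); ok {
			m[k] = v
		}
	}
	return m
}

func main() {
	env := envMap()
	src, warns := DetectSource(env)
	fmt.Println("credential source:", src)
	for _, w := range warns {
		fmt.Println("warning:", w)
	}
	if src == SourcePodIdentity {
		c, err := FetchPodIdentityCreds(http.DefaultClient, env)
		if err != nil {
			fmt.Println("pod identity fetch failed:", err)
			os.Exit(1)
		}
		fmt.Printf("credentials obtained for %s, expiring %s\n", c.AccessKeyId, c.Expiration.Format(time.RFC3339))
	}
}
```

The program only prints the access key id, never the secret or session token, so it is safe to run from a debug shell in the pod. If it reports `eks-pod-identity` and the fetch succeeds while Tempo still logs `Access Denied`, the problem is in the storage client's credential chain rather than in the pod's identity wiring.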