
Loki - Object Storage AWS & Azure Identity Federation Support


Details

    • OBSDA-527 - Enable Grafana support for cloud providers in Loki
    • VERIFIED
    • This update adds Loki upstream and downstream support for both the AWS and Azure identity federation mechanisms, for authenticated and authorized access to the corresponding object storage services.
    • Feature
    • L

    Description

      Goals

      1. Add Loki upstream and downstream support for AWS identity federation mechanism for authenticated and authorized access of the corresponding object storage services.
      2. Add Loki upstream and downstream support for Azure identity federation mechanism for authenticated and authorized access of the corresponding object storage services.

      Non-Goals

      1. TBD

      Motivation

      As identity federation offered by the cloud providers gains traction in all major managed and unmanaged Kubernetes distributions, the log storage components need support for this IAM pattern. Identity federation across providers (AWS, Azure) allows more secure and centralized access control for any service-to-service communication from workloads and infrastructure components running on a Kubernetes/OpenShift cluster. It enables a faster turnaround on stopping unqualified access to any service in case of a breach of individual services or of entire clusters. Specifically for log storage based on Loki, it gives more secure access to logs stored in object storage buckets without the need to touch the service, its configuration or its environment. Service operations usually continue seamlessly by using the credentials that the host provides to the running containers. In case of credential revocation, the revocation cascades automatically through the cloud provider's IAM services to the hosts and in turn to the containers.

      Alternatives

      None.

      Acceptance Criteria

      1. The LokiStack administrator can define a valid object storage secret that enables using AWS Secure Token Service granting access to S3.
      2. The LokiStack administrator can define a valid object storage secret that enables using Azure Workload Identity Federation granting access to Azure Blob Storage.
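      The acceptance criteria above turn on whether the object storage secret carries federation settings (an STS role for S3, a workload identity for Azure Blob Storage) instead of long-lived keys. What follows is an added example, not code from this ticket or from the loki-operator project: a small Python audit that decodes a LokiStack object storage Secret manifest and reports whether it relies on static credentials or on identity federation, so an administrator can check a secret before applying it. The key names (access_key_id, access_key_secret, role_arn, account_key, client_id, tenant_id, subscription_id) and the provider argument mirroring spec.storage.secret.type are assumptions about the loki-operator secret layout, and the sample manifests are constructed, with no real credentials.

```python
import base64
from typing import Dict, List

# ASSUMPTION: these key names model the loki-operator object storage secret
# layout; the ticket itself does not list them. Adjust to the documented schema.
STATIC_CREDENTIAL_KEYS = {
    "s3": ("access_key_id", "access_key_secret"),   # long-lived AWS keys
    "azure": ("account_key",),                       # long-lived storage account key
}
FEDERATION_KEYS = {
    "s3": ("role_arn",),                                      # AWS STS via web identity
    "azure": ("client_id", "tenant_id", "subscription_id"),   # Azure Workload Identity
}


def decode_secret(secret: dict) -> Dict[str, str]:
    """Plaintext view of a Secret manifest: base64 `data`, overridden by `stringData`.

    The override order mirrors how the API server merges the two fields.
    """
    plain: Dict[str, str] = {}
    for key, b64 in (secret.get("data") or {}).items():
        plain[key] = base64.b64decode(b64).decode("utf-8")
    plain.update(secret.get("stringData") or {})
    return plain


def audit_object_storage_secret(secret: dict, provider: str) -> dict:
    """Classify how a LokiStack object storage secret authenticates to the bucket.

    `provider` mirrors LokiStack's spec.storage.secret.type (only "s3" and "azure"
    are modelled here). Returns the auth mode plus findings a defender would raise:
    long-lived keys present, a mixed configuration, an incomplete federation setup,
    or no recognisable credential material at all.
    """
    if provider not in STATIC_CREDENTIAL_KEYS:
        raise ValueError(f"unsupported provider: {provider}")
    values = decode_secret(secret)
    static_present = [k for k in STATIC_CREDENTIAL_KEYS[provider] if values.get(k)]
    fed_present = [k for k in FEDERATION_KEYS[provider] if values.get(k)]
    fed_missing = [k for k in FEDERATION_KEYS[provider] if not values.get(k)]

    findings: List[str] = []
    if static_present:
        findings.append(
            "long-lived credential stored in secret: " + ", ".join(static_present)
            + " (revocation requires rotating the secret, not only the IAM grant)"
        )
    if fed_present and static_present:
        mode = "mixed"
        findings.append("both federated and static keys present; remove the static keys")
    elif fed_present and fed_missing:
        mode = "incomplete-federation"
        findings.append("federation keys missing: " + ", ".join(fed_missing))
    elif fed_present:
        mode = "federated"
    elif static_present:
        mode = "static"
    else:
        mode = "unknown"
        findings.append("no recognised credential keys; the secret will fail validation")
    return {"provider": provider, "mode": mode, "findings": findings}


# Constructed sample manifests (placeholder values, not real credentials).
SAMPLE_STATIC_S3 = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "logging-loki-s3", "namespace": "openshift-logging"},
    "data": {
        "bucketnames": base64.b64encode(b"loki-bucket").decode(),
        "region": base64.b64encode(b"us-east-1").decode(),
        "access_key_id": base64.b64encode(b"AKIAEXAMPLE0000").decode(),
        "access_key_secret": base64.b64encode(b"example-secret").decode(),
    },
}
SAMPLE_STS_S3 = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "logging-loki-s3", "namespace": "openshift-logging"},
    "stringData": {
        "bucketnames": "loki-bucket",
        "region": "us-east-1",
        "role_arn": "arn:aws:iam::123456789012:role/EXAMPLE-loki-role",
    },
}
SAMPLE_WIF_AZURE = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "logging-loki-azure", "namespace": "openshift-logging"},
    "stringData": {
        "container": "loki",
        "account_name": "exampleaccount",
        "client_id": "00000000-0000-0000-0000-000000000000",
        "tenant_id": "11111111-1111-1111-1111-111111111111",
        # subscription_id deliberately omitted to show the incomplete case
    },
}

if __name__ == "__main__":
    for name, manifest, provider in (
        ("static s3", SAMPLE_STATIC_S3, "s3"),
        ("sts s3", SAMPLE_STS_S3, "s3"),
        ("wif azure", SAMPLE_WIF_AZURE, "azure"),
    ):
        print(name, audit_object_storage_secret(manifest, provider))
```

      The audit only reads the manifest; it does not contact the cloud provider, so a "federated" result means the secret is shaped for STS or Workload Identity, not that the role or identity actually has rights on the bucket. Pairing it with a dry-run apply of the LokiStack resource covers the remaining validation.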

      Risk and Assumptions

      None.

      Documentation Considerations

      Requires completion of OBSDOCS-219 and expanding it to explain how to use the extra settings in the object storage secret configuration for each cloud provider's identity federation. Beyond that, it requires a concise authn/authz setting per provider that configures the rights granted to access S3/Blob Storage on each provider (see https://grafana.com/docs/loki/v2.9.x/storage/#aws-deployment-s3-single-store).

            People

              ptsiraki@redhat.com Periklis Tsirakidis
              Kabir Bharti Kabir Bharti