OpenShift Logging / LOG-6894

serviceAccount with cluster-wide access to see application logs failing with permission error


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Normal
    • Affects Version: Logging 6.0.0
    • Component: Log Storage
    • Quality / Stability / Reliability
    • Bug Fix
    • Sprints: Logging - Sprint 278, Logging - Sprint 279, Logging - Sprint 280
    • Severity: Moderate

      Description of problem:

      When a serviceAccount is created and given cluster-wide access to the logs, its query gets rejected with the error:

      $ logcli -o raw query --tls-skip-verify --bearer-token="$(oc whoami -t)" --addr https://${route}/api/logs/v1/application --from="2025-03-20T00:00:00Z" --to="2025-03-20T23:59:00Z" --step=1h '{log_type="application",kubernetes_namespace_name="lokitest"}'
      2025/03/20 18:55:42 https://<route>/api/logs/v1/application/loki/api/v1/query_range?direction=BACKWARD&end=1742515140000000000&limit=30&query=%7Blog_type%3D%22application%22%2Ckubernetes_namespace_name%3D%22lokitest%22%7D&start=1742428800000000000&step=3600
      2025/03/20 18:55:43 Error response from server: {"error":"You don't have permission to access this tenant","errorType":"observatorium-api","status":"error"}
       (<nil>) attempts remaining: 0
      2025/03/20 18:55:43 Query failed: run out of attempts while querying the server

      When the same query is run with a user, it works.

      Version-Release number of selected component (if applicable):

      $ oc get csv |egrep "loki|logging" 
      cluster-logging.v6.0.5                  Red Hat OpenShift Logging        6.0.5     cluster-logging.v6.0.4   Succeeded
      loki-operator.v6.0.5                    Loki Operator                    6.0.5     loki-operator.v6.0.4     Succeeded 

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a loki test namespace with a normal user and run an application
        $ oc new-project lokitest
        $ kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname

      2. Create as admin a serviceAccount and give it cluster-wide permissions to access the application logs
        $ oc create sa sa1 -n lokitest
        $ cat sa1-token.yaml 
        apiVersion: v1
        kind: Secret
        type: kubernetes.io/service-account-token
        metadata:
          name: sa1-token
          namespace: lokitest
          annotations:
            kubernetes.io/service-account.name: sa1
        $ oc create -f sa1-token.yaml 
        $ oc adm policy add-cluster-role-to-user cluster-logging-audit-view  system:serviceaccount:lokitest:sa1
        $ oc adm policy add-cluster-role-to-user cluster-logging-application-view  system:serviceaccount:lokitest:sa1
        $ oc adm policy add-cluster-role-to-user cluster-logging-infrastructure-view  system:serviceaccount:lokitest:sa1
        $ token=$(oc get secret sa1-token -n lokitest -o jsonpath='{.data.token}' |base64 -d)

      3. Log in with the serviceAccount sa1:
        $ oc login  --token=$token   https://api.node.example.com:6443 
        $ oc whoami 
        system:serviceaccount:lokitest:sa1

      4. Try to get the logs using logcli (the route variable points to the loki gateway route)
        $ logcli -o raw query --tls-skip-verify --bearer-token="$(oc whoami -t)" --addr https://${route}/api/logs/v1/application --from="2025-03-20T00:00:00Z" --to="2025-03-20T23:59:00Z" --step=1h '{log_type="application",kubernetes_namespace_name="lokitest"}'

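After step 2 a practitioner usually wants to confirm that the three view bindings actually landed on the service account before chasing the gateway error. The script below is an added example, not part of this issue nor of the Logging or Loki operators: it reads the JSON from `oc get clusterrolebinding -o json` on stdin (a constructed, trimmed sample with made-up binding names is embedded so it runs offline) and reports which of the cluster-logging view roles are bound directly to a principal. It relies on the standard RBAC fact that a ServiceAccount subject and a User subject named `system:serviceaccount:<namespace>:<name>` refer to the same principal; grants inherited through group membership are not resolved.

```python
import json
import sys

# Constructed sample of `oc get clusterrolebinding -o json` output, trimmed to the
# fields this check reads. The binding names are made up for the example.
SAMPLE_BINDINGS = json.dumps({
    "kind": "ClusterRoleBindingList",
    "items": [
        {
            "metadata": {"name": "example-app-view-sa1"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-logging-application-view"},
            # A service account recorded as a User subject with its full principal name.
            "subjects": [{"kind": "User", "name": "system:serviceaccount:lokitest:sa1"}],
        },
        {
            "metadata": {"name": "example-audit-view-sa1"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-logging-audit-view"},
            # The same principal expressed as a ServiceAccount subject.
            "subjects": [{"kind": "ServiceAccount", "name": "sa1", "namespace": "lokitest"}],
        },
        {
            "metadata": {"name": "example-unrelated"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
    ]
})

# The three view ClusterRoles from the reproduction steps, one per log tenant.
LOG_VIEW_ROLES = (
    "cluster-logging-application-view",
    "cluster-logging-infrastructure-view",
    "cluster-logging-audit-view",
)


def subject_principal(subject):
    """Canonical principal name of a binding subject, or None if it has no direct name.

    A ServiceAccount subject authenticates as system:serviceaccount:<namespace>:<name>,
    so a User subject carrying that literal name refers to the same principal.
    Group subjects are returned as the group name; membership is not resolved here.
    """
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return "system:serviceaccount:%s:%s" % (subject.get("namespace", ""), subject["name"])
    if kind in ("User", "Group"):
        return subject["name"]
    return None


def bound_cluster_roles(bindings_json, principal):
    """Map ClusterRole name -> list of ClusterRoleBinding names binding it directly to principal."""
    doc = json.loads(bindings_json)
    found = {}
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        for subj in item.get("subjects") or []:
            if subject_principal(subj) == principal:
                found.setdefault(ref["name"], []).append(item["metadata"]["name"])
    return found


def missing_log_view_roles(bindings_json, principal):
    """Return the cluster-logging view roles that are not bound directly to principal."""
    have = bound_cluster_roles(bindings_json, principal)
    return [role for role in LOG_VIEW_ROLES if role not in have]


if __name__ == "__main__":
    # Usage: oc get clusterrolebinding -o json | python3 check_log_rbac.py system:serviceaccount:lokitest:sa1
    who = sys.argv[1] if len(sys.argv) > 1 else "system:serviceaccount:lokitest:sa1"
    data = SAMPLE_BINDINGS if sys.stdin.isatty() else sys.stdin.read()
    for role, names in sorted(bound_cluster_roles(data, who).items()):
        print("bound   %-40s via %s" % (role, ", ".join(names)))
    for role in missing_log_view_roles(data, who):
        print("missing %s" % role)
```

Run with the embedded sample it reports the application and audit roles as bound and the infrastructure role as missing; piped real cluster output it shows the same for the service account named on the command line. A "missing" line means the step 2 bindings did not land; an all-"bound" result with the gateway still refusing points at the gateway's own authorization rather than at RBAC.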

      Actual results:

      It fails with a "You don't have permission to access this tenant" error when using the serviceAccount with cluster-wide access.

      $ logcli -o raw query --tls-skip-verify --bearer-token="$(oc whoami -t)" --addr https://${route}/api/logs/v1/application --from="2025-03-20T00:00:00Z" --to="2025-03-20T23:59:00Z" --step=1h '{log_type="application",kubernetes_namespace_name="lokitest"}'
      2025/03/20 18:55:42 https://<route>/api/logs/v1/application/loki/api/v1/query_range?direction=BACKWARD&end=1742515140000000000&limit=30&query=%7Blog_type%3D%22application%22%2Ckubernetes_namespace_name%3D%22lokitest%22%7D&start=1742428800000000000&step=3600
      2025/03/20 18:55:43 Error response from server: {"error":"You don't have permission to access this tenant","errorType":"observatorium-api","status":"error"}
       (<nil>) attempts remaining: 0
      2025/03/20 18:55:43 Query failed: run out of attempts while querying the server

      Expected results:

      The query of the logs is successful.

      Additional info:

      Querying the infrastructure or audit tenants works.

              jmarcal@redhat.com Joao Marcal
              rhn-support-ocasalsa Oscar Casal Sanchez
              Votes: 1
              Watchers: 10