Project: Distributed Tracing
Issue: TRACING-5305

Add parameter to set audience in ID token for GCP Workload Identity Federation


    • Type: Bug
    • Resolution: Done
    • Sprint: Tracing Sprint # 270, Tracing Sprint # 271

      Description of the issue:

      Currently we are supporting the following parameters for Tempo with GCP WIF.

      data:
          bucketname:         # Bucket name
          iam_sa:             # a name for your Google IAM service account
          iam_sa_project_id:  # The project ID for your IAM service account.

      We also need to add a parameter to set the audience in the ID token. It is required when the audience configured in the provider is different, because in that case we cannot generate an access token.

      % oc logs tempo-gcpwiftm-compactor-75bbbbfd54-xx29x
      level=warn ts=2025-04-04T06:07:17.253908196Z caller=main.go:133 msg="-- CONFIGURATION WARNINGS --"
      level=warn ts=2025-04-04T06:07:17.253945244Z caller=main.go:139 msg="c.StorageConfig.Trace.Cache is deprecated and will be removed in a future release." explain="Please migrate to the top level cache settings config."
      level=info ts=2025-04-04T06:07:17.254039639Z caller=main.go:121 msg="Starting Tempo" version="(version=2.7.1, branch=HEAD, revision=ec946c4e8)"
      level=info msg="server listening on addresses" http=[::]:3101 grpc=[::]:44867
      level=error ts=2025-04-04T06:07:17.401354391Z caller=main.go:124 msg="error running Tempo" err="failed to init module services: error initialising module: store: failed to create store: getting bucket attrs: Get \"https://storage.googleapis.com/storage/v1/b/ikanse-gcp-wif-tempo?alt=json&prettyPrint=false&projection=full\": oauth2/google: unable to generate access token: Post \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/ikanse-gcp-wif-tempo-sa@openshift-qe.iam.gserviceaccount.com:generateAccessToken\": oauth2/google: status code 400: {\"error\":\"invalid_grant\",\"error_description\":\"The audience in ID Token [https://storage.googleapis.com/ikanse-28-23186-oidc, https://kubernetes.default.svc] does not match the expected audience openshift.\"}"

      Steps to reproduce the issue:

      1. Install Tempo Operator built off the latest upstream main branch.

      2. Deploy an OCP cluster with GCP WIF support.

      3. Create the required SA, roles, bucket and secret using the following script.

      https://github.com/grafana/tempo-operator/blob/4bcce08f4e860ab34f1add8bcfb740be46bebf06/tests/e2e-openshift-object-stores/gcp-wif-tempostack/gcp-wif-create.sh

      4. Create TempoStack instance using the following resource file.

      https://github.com/grafana/tempo-operator/blob/4bcce08f4e860ab34f1add8bcfb740be46bebf06/tests/e2e-openshift-object-stores/gcp-wif-tempostack/install-tempostack.yaml

      5. Check the pod logs for auth errors.
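      The STS error in the log above is an audience mismatch: the expected audience ("openshift") is not among the aud values of the projected ID token. The following added check (not part of this issue or the Tempo Operator code) decodes the aud claim of a token and applies the same rule, so the mismatch can be spotted before the pod even tries to reach GCP. The token is constructed inline and unsigned; the sample subject and issuer are assumed values, and no signature verification is done, since this is a diagnostic only.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(aud) -> str:
    """Constructed, unsigned JWT whose claims mirror the rejected ID token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {
        "iss": "https://kubernetes.default.svc",        # assumed issuer
        "sub": "system:serviceaccount:tempo:compactor",  # assumed subject
        "aud": aud,
    }
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty signature segment (alg none)


def token_audiences(token: str) -> list[str]:
    """Return the aud claim of a JWT as a list (aud may be a string or a list)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_audience(token: str, expected: str) -> tuple[bool, str]:
    """Same rule STS applies: the expected audience must appear in aud."""
    auds = token_audiences(token)
    if expected in auds:
        return True, f"audience {expected!r} present in ID token"
    return False, (
        f"The audience in ID Token {auds} does not match "
        f"the expected audience {expected}."
    )


if __name__ == "__main__":
    # aud values taken from the error in the compactor log above
    bad = make_sample_token(["https://storage.googleapis.com/ikanse-28-23186-oidc",
                             "https://kubernetes.default.svc"])
    print(check_audience(bad, "openshift"))
    good = make_sample_token(["openshift", "https://kubernetes.default.svc"])
    print(check_audience(good, "openshift"))
```

To run it against a real pod, read the projected token file from the container instead of calling make_sample_token and pass the audience your provider expects.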

      Additional notes:

      Loki Operator's GCP WIF docs: https://loki-operator.dev/docs/short_lived_tokens_authentication.md/#gcp-workload-identity-federation 

      rvargasp@redhat.com Ruben Vargas Palma
      rhn-support-ikanse Ishwar Kanse