Bug
Resolution: Unresolved
Tracing Sprint # 283
The customer is unable to get a healthy deployment of the TempoStack with STS running using the procedure specified in the documentation below for the AWS cluster in the GovCloud region.
https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/distributed_tracing/distr-tracing-tempo-installing#setting-up-amazon-s3-storage-with-security-token-service_distr-tracing-tempo-installing
Most of the TempoStack component pods show the following log entry right before exiting:
level=error ts=2025-08-04T17:05:02.381151095Z caller=main.go:124 msg="error running Tempo" err="failed to init module services: error initialising module: store: failed to create store: unexpected error from ListObjects on service-mesh-tempo-bucket: Access Denied"
The customer tracked down the issue to the following 2 missing configurations on the pods managed by the deployments created by the operator:
1. It is missing the configuration of the region as an environment variable even though one is provided in the secret that the documentation requests be created.
2. There is no way to add additional environment variables, which are required in their environment in order to add additional trusted CAs.
They used Kyverno policies to inject environment variables and a CA certificate into Tempo pods to get it working.
If Kyverno policies are not used, then the pods crash with "Access Denied" errors.
We tested this in a non-GovCloud region with STS enabled with Manual Credentials Mode and there was no problem. Steps to install the cluster:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/installing_on_aws/index#installing-aws-with-short-term-creds_installing-aws-customizations
I'll share the mentioned resources YAML.