CRE-2025-0029

Loki fails to retrieve AWS credentials when specifying S3 endpoint with IRSALow
Impact: 6/10
Mitigation: 5/10

CRE-2025-0029View on GitHub

Loki S3 AWS Irsa Storage Authentication Helm Public

Description

- When deploying Grafana Loki with AWS S3 as the storage backend and specifying a custom S3 endpoint (e.g., for FIPS compliance or GovCloud regions), Loki may fail to retrieve AWS credentials via IAM Roles for Service Accounts (IRSA). This results in errors during startup or when attempting to upload index tables, preventing Loki from functioning correctly.

Mitigation

- In your Helm chart values, explicitly set `accessKeyId` and `secretAccessKey` to `null` to prevent default values from interfering with IRSA authentication.

References

https://github.com/grafana/loki/issues/12095
https://github.com/grafana/helm-charts/issues/1550#issuecomment-1180365429