CRE-2025-0029
Loki fails to retrieve AWS credentials when specifying S3 endpoint with IRSA
Low
Impact: 6/10
Mitigation: 5/10
Description
- When deploying Grafana Loki with AWS S3 as the storage backend and specifying a custom S3 endpoint (e.g., for FIPS compliance or GovCloud regions), Loki may fail to retrieve AWS credentials via IAM Roles for Service Accounts (IRSA). This results in errors during startup or when attempting to upload index tables, preventing Loki from functioning correctly.
Cause
- The issue arises when the Loki configuration includes a custom `endpoint` for S3 and relies on IRSA for authentication. In such cases, Loki encounters a `WebIdentityErr` and `SerializationError` due to improper handling of credential retrieval with the specified endpoint.
Mitigation
- In your Helm chart values, explicitly set `accessKeyId` and `secretAccessKey` to `null` to prevent default values from interfering with IRSA authentication.
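
A pre-deployment check for the mitigation above, added here as an example and not taken from the CRE or the Loki project: it flags Helm values that combine a custom S3 endpoint with IRSA but leave `accessKeyId` or `secretAccessKey` unset or non-null. The key paths `loki.storage.s3.*` and `serviceAccount.annotations`, the function names, and the sample values are assumptions.

```python
import json

# Assumed key paths: loki.storage.s3.* and serviceAccount.annotations, as laid
# out in the grafana/loki Helm chart (the page names only the two key fields).
S3_PATH = ("loki", "storage", "s3")
SA_ANNOTATIONS_PATH = ("serviceAccount", "annotations")
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
STATIC_KEYS = ("accessKeyId", "secretAccessKey")


def dig(values, path):
    """Walk nested dicts; return {} when any level is missing or not a dict."""
    node = values
    for key in path:
        if not isinstance(node, dict):
            return {}
        node = node.get(key)
    return node if isinstance(node, dict) else {}


def check_irsa_s3(values):
    """Return findings for values that match the CRE-2025-0029 scenario."""
    s3 = dig(values, S3_PATH)
    uses_irsa = IRSA_ANNOTATION in dig(values, SA_ANNOTATIONS_PATH)
    if not (uses_irsa and s3.get("endpoint")):
        return []  # no custom endpoint or no IRSA: outside this CRE
    findings = []
    for key in STATIC_KEYS:
        if key not in s3:
            findings.append(f"{key}: absent, chart default applies; set it to null")
        elif s3[key] is not None:
            # Never echo the value itself: it may be a live secret.
            findings.append(f"{key}: non-null value present; set it to null")
    return findings


# Constructed sample values (JSON form of a values.yaml), not from the page.
_SA = '{"annotations": {"eks.amazonaws.com/role-arn": "arn:aws-us-gov:iam::111122223333:role/loki-example"}}'
_EP = '"endpoint": "s3-fips.us-gov-west-1.amazonaws.com"'
BAD = json.loads('{"serviceAccount": %s, "loki": {"storage": {"s3": {%s, "secretAccessKey": ""}}}}' % (_SA, _EP))
GOOD = json.loads('{"serviceAccount": %s, "loki": {"storage": {"s3": {%s, "accessKeyId": null, "secretAccessKey": null}}}}' % (_SA, _EP))

if __name__ == "__main__":
    for name, vals in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_irsa_s3(vals) or "ok")
```

An empty string counts as non-null here, since the mitigation calls for an explicit `null` rather than a blank value.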