docs: added additional GCS authentication information (#15112)

Co-authored-by: J Stickler <julie.stickler@grafana.com>
6 months ago · 39c47e5b5a
parent 949bfb9e07
commit 39c47e5b5a
1 changed files with 14 additions and 1 deletions
--- a/docs/sources/configure/storage.md
+++ b/docs/sources/configure/storage.md
@ -237,9 +237,14 @@ storage_config:
  tsdb_shipper:
    active_index_directory: /loki/index
    cache_location: /loki/index_cache
-    cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
+    cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
  gcs:
      bucket_name: <bucket>
+      service_account: |    
+        {
+          "type": "service_account",
+          ...
+        }

 schema_config:
  configs:
@ -252,6 +257,14 @@ schema_config:
        period: 24h
 ```

+`service_account` should contain JSON from either a GCP Console `client_credentials.json` file or a GCP service account key. If this value is blank, most services will fall back to GCP's Application Default Credentials (ADC) strategy. For more information about ADC, refer to [How Application Default Credentials works](https://cloud.google.com/docs/authentication/application-default-credentials).
+
+The [pre-defined `storage.objectUser` role](https://cloud.google.com/storage/docs/access-control/iam-roles) (or a custom role modeled after it) contains sufficient permissions for Loki to operate.
+
+{{< admonition type="note" >}}
+GCP recommends [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) instead of a service account key.
+{{< /admonition >}}
+
 ### AWS deployment (S3 Single Store)

 ```yaml