From f7fe852daf599118f6624009df2f146db0ec5bb3 Mon Sep 17 00:00:00 2001 From: Ruben Vargas Date: Sun, 1 Jun 2025 23:30:26 -0600 Subject: [PATCH] OBSDOCS-1976: Document support for GCP, Azure, and AWS STP tokens Signed-off-by: Ruben Vargas --- ...ect-storage-setup-aws-sts-cco-install.adoc | 150 ++++++++++++++++ ...-object-storage-setup-aws-sts-install.adoc | 83 --------- ...bject-storage-setup-azure-sts-install.adoc | 165 ++++++++++++++++++ ...-object-storage-setup-gcp-sts-install.adoc | 147 ++++++++++++++++ .../distr-tracing-tempo-installing.adoc | 17 +- 5 files changed, 478 insertions(+), 84 deletions(-) create mode 100644 modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc delete mode 100644 modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc create mode 100644 modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc create mode 100644 modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc diff --git a/modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc b/modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc new file mode 100644 index 000000000000..02eb17f83c22 --- /dev/null +++ b/modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc @@ -0,0 +1,150 @@ +// Module included in the following assemblies: +// +//* observability/distr_tracing/distr-tracing-tempo-installing.adoc + +:_mod-docs-content-type: PROCEDURE +[id="setting-up-amazon-s3-storage-with-security-token-service_{context}"] += Setting up the Amazon S3 storage with the Security Token Service + +You can set up the Amazon S3 storage with the Security Token Service (STS) and AWS Command Line Interface (AWS CLI). Optionally, you can also use the Cloud Credential Operator (CCO). + +:FeatureName: Using the {TempoShortName} with the Amazon S3 storage and STS +include::snippets/technology-preview.adoc[leveloffset=+1] + +.Prerequisites + +* You have installed the latest version of the AWS CLI. +* If you intend to use the CCO, you have installed and configured the CCO in your cluster. + +.Procedure + +. Create an AWS S3 bucket. + +. Create the following `trust.json` file for the AWS Identity and Access Management (AWS IAM) policy for the purpose of setting up a trust relationship between the AWS IAM role, which you will create in the next step, and the service account of either the `TempoStack` or `TempoMonolithic` instance: ++ +.`trust.json` +[source,yaml] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam:::oidc-provider/" # <1> + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + ":sub": [ + "system:serviceaccount::tempo-" # <2> + "system:serviceaccount::tempo--query-frontend" + ] + } + } + } + ] +} +---- +<1> The OpenID Connect (OIDC) provider that you have configured on the {product-title}. +<2> The namespace in which you intend to create either a `TempoStack` or `TempoMonolithic` instance. Replace `` with the `metadata` name that you define in your `TempoStack` or `TempoMonolithic` custom resource. ++ +[TIP] +==== +You can also get the value for the OIDC provider by running the following command: + +[source,terminal] +---- +$ oc get authentication cluster -o json | jq -r '.spec.serviceAccountIssuer' | sed 's~http[s]*://~~g' +---- +==== + +. Create an AWS IAM role by attaching the created `trust.json` policy file. You can do this by running the following command: ++ +[source,terminal] +---- +$ aws iam create-role \ + --role-name "tempo-s3-access" \ + --assume-role-policy-document "file:///tmp/trust.json" \ + --query Role.Arn \ + --output text +---- + +. Attach an AWS IAM policy to the created AWS IAM role. You can do this by running the following command: ++ +[source,terminal] +---- +$ aws iam attach-role-policy \ + --role-name "tempo-s3-access" \ + --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" +---- + +. If you are not using the CCO, skip this step. If you are using the CCO, configure the cloud provider environment for the {TempoOperator}. You can do this by running the following command: ++ +[source,terminal] +---- +$ oc patch subscription \ # <1> + -n \ # <2> + --type='merge' -p '{"spec": {"config": {"env": [{"name": "ROLEARN", "value": "'""'"}]}}}' # <3> +---- +<1> The name of the {TempoOperator} subscription. +<2> The namespace of the {TempoOperator}. +<3> The AWS STS requires adding the `ROLEARN` environment variable to the {TempoOperator} subcription. As the `` value, add the Amazon Resource Name (ARN) of the AWS IAM role that you created in step 3. + +. In the {product-title}, create an object storage secret with keys as follows: ++ +[source,yaml] +---- +apiVersion: v1 +kind: Secret +metadata: + name: +stringData: + bucket: + region: + role_arn: +type: Opaque +---- + +. When the object storage secret is created, update the relevant custom resource of the {TempoShortName} instance as follows: ++ +.Example `TempoStack` custom resource +[source,yaml] +---- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoStack +metadata: + name: + namespace: +spec: +# ... + storage: + secret: # <1> + name: + type: s3 + credentialMode: token-cco # <2> +# ... +---- +<1> The secret that you created in the previous step. +<2> If you are not using the CCO, omit this line. If you are using the CCO, add this parameter with the `token-cco` value. ++ +.Example `TempoMonolithic` custom resource +[source,yaml] +---- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoMonolithic +metadata: + name: + namespace: +spec: +# ... + storage: + traces: + backend: s3 + s3: + secret: # <1> + credentialMode: token-cco # <2> +# ... +---- +<1> The secret that you created in the previous step. +<2> If you are not using the CCO, omit this line. If you are using the CCO, add this parameter with the `token-cco` value. diff --git a/modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc b/modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc deleted file mode 100644 index 21390a15c6ec..000000000000 --- a/modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc +++ /dev/null @@ -1,83 +0,0 @@ -// Module included in the following assemblies: -// -//* observability/distr_tracing/distr-tracing-tempo-installing.adoc - -:_mod-docs-content-type: PROCEDURE -[id="distr-tracing-tempo-object-storage-setup-aws-sts-install_{context}"] -= Setting up the Amazon S3 storage with the Security Token Service - -You can set up the Amazon S3 storage with the Security Token Service (STS) by using the AWS Command Line Interface (AWS CLI). - -:FeatureName: The Amazon S3 storage with the Security Token Service -include::snippets/technology-preview.adoc[leveloffset=+1] - -.Prerequisites - -* You have installed the latest version of the AWS CLI. - -.Procedure - -. Create an AWS S3 bucket. - -. Create the following `trust.json` file for the AWS IAM policy that will set up a trust relationship for the AWS IAM role, created in the next step, with the service account of the TempoStack instance: -+ -[source,yaml] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::${}:oidc-provider/${}" # <1> - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "${OIDC_PROVIDER}:sub": [ - "system:serviceaccount:${}:tempo-${}" # <2> - "system:serviceaccount:${}:tempo-${}-query-frontend" - ] - } - } - } - ] -} ----- -<1> OIDC provider that you have configured on the {product-title}. You can get the configured OIDC provider value also by running the following command: `$ oc get authentication cluster -o json | jq -r '.spec.serviceAccountIssuer' | sed 's~http[s]*://~~g'`. -<2> Namespace in which you intend to create the TempoStack instance. - -. Create an AWS IAM role by attaching the `trust.json` policy file that you created: -+ -[source,terminal] ----- -$ aws iam create-role \ - --role-name "tempo-s3-access" \ - --assume-role-policy-document "file:///tmp/trust.json" \ - --query Role.Arn \ - --output text ----- - -. Attach an AWS IAM policy to the created role: -+ -[source,terminal] ----- -$ aws iam attach-role-policy \ - --role-name "tempo-s3-access" \ - --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" ----- - -. In the {product-title}, create an object storage secret with keys as follows: -+ -[source,yaml] ----- -apiVersion: v1 -kind: Secret -metadata: - name: minio-test -stringData: - bucket: - region: - role_arn: -type: Opaque ----- diff --git a/modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc b/modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc new file mode 100644 index 000000000000..3cf8c7cec2e1 --- /dev/null +++ b/modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc @@ -0,0 +1,165 @@ +// Module included in the following assemblies: +// +//* observability/distr_tracing/distr-tracing-tempo-installing.adoc + +:_mod-docs-content-type: PROCEDURE +[id="setting-up-azure-storage-with-security-token-service_{context}"] += Setting up the Azure storage with the Security Token Service + +You can set up the Azure storage with the Security Token Service (STS) by using the Azure Command Line Interface (Azure CLI). + +:FeatureName: Using the {TempoShortName} with the Azure storage and STS +include::snippets/technology-preview.adoc[leveloffset=+1] + +.Prerequisites + +* You have installed the latest version of the Azure CLI. +* You have created an Azure storage account. +* You have created an Azure blob storage container. + +.Procedure + +. Create an Azure managed identity by running the following command: ++ +[source,terminal] +---- +$ az identity create \ + --name \ # <1> + --resource-group \ # <2> + --location \ # <3> + --subscription # <4> +---- +<1> The name you have chosen for the managed identity. +<2> The Azure resource group where you want the identity to be created. +<3> The Azure region, which must be the same region as for the resource group. +<4> The Azure subscription ID. + +. Create a federated identity credential for the {product-title} service account for use by all components of the {TempoShortName} except the Query Frontend. You can do this by running the following command: ++ +[source,terminal] +---- +$ az identity federated-credential create \ # <1> + --name \ # <2> + --identity-name \ + --resource-group \ + --issuer \ # <3> + --subject \ # <4> + --audiences # <5> +---- +<1> Federated identity credentials allow {product-title} service accounts to authenticate as an Azure managed identity without storing secrets or using an Azure service principal identity. +<2> The name you have chosen for the federated credential. +<3> The URL of the OpenID Connect (OIDC) provider for your cluster. +<4> The service account subject for your cluster in the following format: `system:serviceaccount::tempo-`. +<5> The expected audience, which is to be used for validating the issued tokens for the federated identity credential. This is commonly set to `api://AzureADTokenExchange`. ++ +[TIP] +==== +You can get the URL of the OpenID Connect (OIDC) issuer for your cluster by running the following command: +---- +$ oc get authentication cluster -o json | jq -r .spec.serviceAccountIssuer +---- +==== + +. Create a federated identity credential for the {product-title} service account for use by the Query Frontend component of the {TempoShortName}. You can do this by running the following command: ++ +[source,terminal] +---- +$ az identity federated-credential create \ # <1> + --name -frontend \ # <2> + --identity-name \ + --resource-group \ + --issuer \ + --subject \ # <3> + --audiences | jq +---- +<1> Federated identity credentials allow {product-title} service accounts to authenticate as an Azure managed identity without storing secrets or using an Azure service principal identity. +<2> The name you have chosen for the frontend federated identity credential. +<3> The service account subject for your cluster in the following format: `system:serviceaccount::tempo-`. + +. Assign the Storage Blob Data Contributor role to the Azure service principal identity of the created Azure managed identity. You can do this by running the following command: ++ +[source,terminal] +---- +$ az role assignment create \ + --assignee \ # <1> + --role "Storage Blob Data Contributor" \ + --scope "/subscriptions/ +---- +<1> The Azure service principal identity of the Azure managed identity that you created in step 1. ++ +[TIP] +==== +You can get the `` value by running the following command: +---- +$ az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'" | jq -r --arg idName '.[] | select(.displayName == $idName) | .appId'` +---- +==== + +. Fetch the client ID of the Azure managed identity that you created in step 1: ++ +[source,bash] +---- +CLIENT_ID=$(az identity show \ + --name \ # <1> + --resource-group \ # <2> + --query clientId \ + -o tsv) +---- +<1> Copy and paste the `` value from step 1. +<2> Copy and paste the `` value from step 1. + +. Create an {product-title} secret for the Azure workload identity federation (WIF). You can do this by running the following command: ++ +[source,terminal] +---- +$ oc create -n secret generic azure-secret \ + --from-literal=container= \ # <1> + --from-literal=account_name= \ # <2> + --from-literal=client_id= \ # <3> + --from-literal=audience= \ # <4> + --from-literal=tenant_id= # <5> +---- +<1> The name of the Azure Blob Storage container. +<2> The name of the Azure Storage account. +<3> The client ID of the managed identity that you fetched in the previous step. +<4> Optional: Defaults to `api://AzureADTokenExchange`. +<5> Azure Tenant ID. + +. When the object storage secret is created, update the relevant custom resource of the {TempoShortName} instance as follows: ++ +.Example `TempoStack` custom resource +[source,yaml] +---- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoStack +metadata: + name: + namespace: +spec: +# ... + storage: + secret: # <1> + name: + type: azure +# ... +---- +<1> The secret that you created in the previous step. ++ +.Example `TempoMonolithic` custom resource +[source,yaml] +---- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoMonolithic +metadata: + name: + namespace: +spec: +# ... + storage: + traces: + backend: azure + azure: + secret: # <1> +# ... +---- +<1> The secret that you created in the previous step. diff --git a/modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc b/modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc new file mode 100644 index 000000000000..b73f92426db9 --- /dev/null +++ b/modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc @@ -0,0 +1,147 @@ +// Module included in the following assemblies: +// +//* observability/distr_tracing/distr-tracing-tempo-installing.adoc + +:_mod-docs-content-type: PROCEDURE +[id="setting-up-google-cloud-storage-with-security-token-service_{context}"] += Setting up the Google Cloud storage with the Security Token Service + +You can set up the Google Cloud Storage (GCS) with the Security Token Service (STS) by using the Google Cloud CLI. + +:FeatureName: Using the {TempoShortName} with the GCS and STS +include::snippets/technology-preview.adoc[leveloffset=+1] + +.Prerequisites + +* You have installed the latest version of the Google Cloud CLI. + +.Procedure + +. Create a GCS bucket on the Google Cloud Platform (GCP). + +. Create or reuse a service account with Google's Identity and Access Management (IAM): ++ +[source,bash] +---- +SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts create \ # <1> + --display-name="Tempo Account" \ + --project \ # <2> + --format='value(email)' \ + --quiet) +---- +<1> The name of the service account on the GCP. +<2> The project ID of the service account on the GCP. + +. Bind the required GCP roles to the created service account at the project level. You can do this by running the following command: ++ +[source,terminal] +---- +$ gcloud projects add-iam-policy-binding \ + --member "serviceAccount:$SERVICE_ACCOUNT_EMAIL" \ + --role "roles/storage.objectAdmin" +---- + +. Retrieve the `POOL_ID` value of the Google Cloud Workload Identity Pool that is associated with the cluster. How you can retrieve this value depends on your environment, so the following command is only an example: ++ +[source,terminal] +---- +$ OIDC_ISSUER=$(oc get authentication.config cluster -o jsonpath='{.spec.serviceAccountIssuer}') \ +&& + POOL_ID=$(echo "$OIDC_ISSUER" | awk -F'/' '{print $NF}' | sed 's/-oidc$//') +---- + +. Add the IAM policy bindings. You can do this by running the following commands: ++ +[source,terminal] +---- +$ gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \ # <1> + --role="roles/iam.workloadIdentityUser" \ + --member="principal://iam.googleapis.com/projects//locations/global/workloadIdentityPools//subject/system:serviceaccount::tempo-" \ + --project= \ + --quiet \ +&& + gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \ + --role="roles/iam.workloadIdentityUser" \ + --member="principal://iam.googleapis.com/projects//locations/global/workloadIdentityPools//subject/system:serviceaccount::tempo--query-frontend" \ + --project= \ + --quiet +&& + gcloud storage buckets add-iam-policy-binding "gs://$BUCKET_NAME" \ + --role="roles/storage.admin" \ + --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \ + --condition=None +---- +<1> The `$SERVICE_ACCOUNT_EMAIL` is the output of the command in step 2. + +. Create a credential file for the `key.json` key of the storage secret for use by the `TempoStack` custom resource. You can do this by running the following command: ++ +[source,terminal] +---- +$ gcloud iam workload-identity-pools create-cred-config \ + "projects//locations/global/workloadIdentityPools//providers/" \ + --service-account="$SERVICE_ACCOUNT_EMAIL" \ + --credential-source-file=/var/run/secrets/storage/serviceaccount/token \ # <1> + --credential-source-type=text \ + --output-file= # <2> +---- +<1> The `credential-source-file` parameter must always point to the `/var/run/secrets/storage/serviceaccount/token` path because the Operator mounts the token from this path. +<2> The path for saving the output file. + +. Get the correct audience by running the following command: ++ +[source,terminal] +---- +$ gcloud iam workload-identity-pools providers describe "$PROVIDER_NAME" --format='value(oidc.allowedAudiences[0])' +---- + +. Create a storage secret for the {TempoShortName} by running the following command. ++ +[source,terminal] +---- +$ oc -n create secret generic gcs-secret \ + --from-literal=bucketname="" \ # <1> + --from-literal=audience="" \ # <2> + --from-file=key.json= # <3> +---- +<1> The bucket name of the Google Cloud Storage. +<2> The audience that you got in the previous step. +<3> The credential file that you created in step 6. + +. When the object storage secret is created, update the relevant custom resource of the {TempoShortName} instance as follows: ++ +.Example `TempoStack` custom resource +[source,yaml] +---- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoStack +metadata: + name: + namespace: +spec: +# ... + storage: + secret: # <1> + name: + type: gcs +# ... +---- +<1> The secret that you created in the previous step. ++ +.Example `TempoMonolithic` custom resource +[source,yaml] +---- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoMonolithic +metadata: + name: + namespace: +spec: +# ... + storage: + traces: + backend: gcs + gcs: + secret: # <1> +# ... +---- +<1> The secret that you created in the previous step. diff --git a/observability/distr_tracing/distr-tracing-tempo-installing.adoc b/observability/distr_tracing/distr-tracing-tempo-installing.adoc index 6d82a2c3610b..6fcbaf0636b9 100644 --- a/observability/distr_tracing/distr-tracing-tempo-installing.adoc +++ b/observability/distr_tracing/distr-tracing-tempo-installing.adoc @@ -36,7 +36,7 @@ include::modules/distr-tracing-tempo-install-cli.adoc[leveloffset=+2] include::modules/distr-tracing-tempo-storage-ref.adoc[leveloffset=+1] -include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc[leveloffset=+2] +include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc[leveloffset=+2] [role="_additional-resources"] .Additional resources @@ -46,6 +46,21 @@ include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc[l * xref:../../authentication/identity_providers/configuring-oidc-identity-provider.adoc#configuring-oidc-identity-provider[Configuring an OpenID Connect identity provider] * link:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html[Identify AWS resources with Amazon Resource Names (ARNs)] (AWS documentation) +include::modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* link:https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux[Install the Azure CLI on Linux] (Azure documentation) + +include::modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* link:https://cloud.google.com/sdk/docs/install[Install the gcloud CLI] (Google Cloud Documentation) +* link:https://cloud.google.com/iam/docs/service-account-overview[Service accounts overview] (Google Cloud Documentation) + include::modules/distr-tracing-tempo-object-storage-setup-ibm-storage.adoc[leveloffset=+2] [role="_additional-resources"]