Skip to content

Enabling Loki

Introduction

Loki is a log aggregation system designed for storing and querying logs efficiently. Unlike traditional log management systems, Loki indexes only metadata instead of the full log contents, making it highly scalable and cost-effective. Stores logs in a compressed format with minimal indexing, reducing storage and operational costs.

Process

  1. SSH into the instance where Privacera Manager is installed.
  2. Navigate to the config directory using the following command:
    Bash
    1
    cd ~/privacera/privacera-manager/config/

  3. Copy vars.monioring.yml file from sample-vars folder to custom-vars folder.

    If this file already exists in custom-vars folder then you can skip this step.

    Bash
    1
    cp sample-vars/vars.monitoring.yml custom-vars/

  4. Open vars.monioring.yml.

    Bash
    1
    vi custom-vars/vars.monitoring.yml

  5. Uncomment the below variables in the file and save it.
    • Enable loki.
      Bash
      1
      LOKI_DEPLOYMENT_ENABLED: "true"

  6. Once done, redeploy the monitoring components.

    a. Go to privacera-manager directory.

    Bash
    1
    cd ~/privacera/privacera-manager.
    b. Run setup to generate the required files.
    Bash
    1
    ./privacera-manager.sh setup
    c. Install the monitoring components.
    Bash
    1
    ./pm_with_helm.sh install-monitoring
    d. Run install to update the Grafana.
    Bash
    1
    ./pm_with_helm.sh install
    e. Once done, run post-install.
    Bash
    1
    ./privacera-manager.sh post-install

Storage Configuration

By default, Loki uses local storage, which is not recommended for production environments. For production deployments, configure a cloud storage such as AWS S3, Azure Blob Storage, or Google Cloud Storage (GCS), as detailed in the sections below.

Configure Cloud Storage for Loki

This guide outlines the steps to configure cloud-based object storage for Grafana Loki using AWS S3, Azure Blob Storage, or Google Cloud Storage (GCS) within a production-ready Privacera Monitoring stack.

Configure AWS S3 for Loki

Prerequisites

Ensure the following are in place:

  1. An S3 bucket to store Loki logs.
  2. An IAM role with the necessary permissions and trust relationship(of kubernetes service account).

Note

By default, Loki retaintion period is set to 30 days.

Step 1: Ensure that an Identity Provider (IdP) is already created for your EKS cluster’s OIDC. If not, create a new Identity Provider before proceeding.

  1. Navigate to AWS EKS → Select your cluster.
  2. From the Overview tab, copy the OIDC (OpenID Connect) provider URL.
  3. Go to IAMIdentity ProvidersAdd provider.
    • Select OpenID Connect.
    • Paste the OIDC URL under Provider URL and click Get thumbprint.
    • Set Audience as sts.amazonaws.com.
    • Add optional tags and click Add provider. ( we will need this ID to be added in the IAM role.)

Step 2: Create an IAM Policy

Go to IAM → Policies, and create a new policy with the following JSON definition:

JSON
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
{
"Version": "2012-10-17",
"Statement": [
    {
    "Effect": "Allow",
    "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
    ],
    "Resource": [
        "arn:aws:s3:::<AWS_S3_BUCKET_NAME>",
        "arn:aws:s3:::<AWS_S3_BUCKET_NAME>/*"
    ]
    }
]
}

Tip

  • Replace <AWS_S3_BUCKET_NAME> with your AWS S3 bucket name.

Step 3: Create an IAM Role and Trust Relationship

  1. Navigate to IAM → RolesCreate role.
  2. Select Web identity as the trusted entity type.
  3. Choose the OIDC provider created earlier, set Audience to sts.amazonaws.com, and proceed.
  4. Attach the custom policy from the previous step.
  5. Name and create the role.

Once created, modify the trust relationship to limit role assumption to specific Kubernetes service accounts:

JSON
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
{
"Version": "2012-10-17",
"Statement": [
    {
    "Effect": "Allow",
    "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<AWS_REGION>.amazonaws.com/id/<OIDC_ID>"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringLike": {
        "oidc.eks.<AWS_REGION>.amazonaws.com/id/<OIDC_ID>:sub": [
            "system:serviceaccount:privacera-monitoring:loki"
        ]
        }
    }
    }
]
}

Tip

  • Replace <AWS_ACCOUNT_ID>, <AWS_REGION> & <OIDC_ID> with your AWS account ID , aws region & OIDC_ID respectively.
  • Action sts:AssumeRoleWithWebIdentity allows a service (like a Kubernetes service account) to assume an IAM role using a web identity token (e.g.OIDC).
  • Default service account name is loki and namespace is privacera-monitoring.

Step 4: Configure Loki for S3

  1. SSH into the instance where Privacera Manager is installed.
  2. Navigate to the configuration directory:
Bash
1
cd ~/privacera/privacera-manager/config/custom-vars/
  1. Create the Loki custom values file:
Bash
1
vi loki_custom_values.yml
  1. Add the following configuration:
YAML
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
loki:
  schemaConfig:
    configs:
      - from: "2024-04-01"
        store: tsdb
        object_store: s3
        schema: v13
        index:
          prefix: loki_index_
          period: 24h
  # -- Check https://grafana.com/docs/loki/latest/configuration/#storage_config for more info on how to configure storages
  storage_config:
    aws:
      s3: s3://<AWS_REGION>/<AWS_S3_BUCKET_NAME>
      s3forcepathstyle: true
    tsdb_shipper:
      active_index_directory: var/loki/index
      cache_location: var/loki/cache
  storage:
    bucketNames:
      chunks: <AWS_S3_BUCKET_NAME>
      ruler: <AWS_S3_BUCKET_NAME>
      admin: <AWS_S3_BUCKET_NAME>
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: <AWS_IAM_ROLE_ARN>
minio:
  enabled: false

Tip

  • Replace <AWS_S3_BUCKET_NAME>, <AWS_REGION> & <AWS_IAM_ROLE_ARN> with your S3 bucket name , AWS region & IAM role created above.

Step 5: Redeploy Monitoring Components

a. Go to privacera-manager directory.

Bash
1
cd ~/privacera/privacera-manager.
b. Run setup to generate the required files.
Bash
1
./privacera-manager.sh setup
c. Install the monitoring components.
Bash
1
./pm_with_helm.sh install-monitoring
d. Run install to update the Grafana.
Bash
1
./pm_with_helm.sh install
e. Once done, run post-install.
Bash
1
./privacera-manager.sh post-install

Configure Azure Blob Storage for Loki

Step 1: Create a Storage Account

  1. Go to Azure Portal → Storage Accounts → Create.
  2. Configure:
    • Name: e.g., privaceramonitoringsa (must be globally unique)
    • Region: Same as your AKS cluster
    • Resource Group: Same as AKS
    • Performance: Standard
    • Replication: LRS
  3. Click Review + create, then Create.

Step 2: Create a Blob Container

  1. In your created storage account, go to Data storage → Containers.
  2. Click + Container and configure:
    • Name: e.g., privacera-monitoring-container
    • Public access level: Private (no anonymous access)
  3. Click Create.

Step 3: Create a Service Principal

  1. Go to Azure Portal → Azure Active Directory → App registrations.
  2. Click New registration.
  3. Configure:
    • Name: e.g., privacera-monitoring-sp
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI: Leave blank
  4. Click Register.
  5. After creation, note down:
    • Application (client) ID
    • Directory (tenant) ID

Step 4: Create a Client Secret

  1. In your app registration, go to Certificates & secrets.
  2. Click + New client secret.
  3. Configure:
    • Description: e.g., privacera-monitoring-secret
    • Expires: Choose an appropriate expiration (e.g., 24 months)
  4. Click Add.
  5. Copy the secret value immediately as it won't be shown again.

Step 5: Assign Permissions to the Service Principal

Note

"Make sure you have owner access to your storage account."

  1. Go to Storage Accounts → Your Storage Account → Access Control (IAM).
  2. Click + Add → Add role assignment.
  3. Configure:
    • Role: Storage Blob Data Contributor
    • Assign access to: Service principal
    • Select member: Choose the privacera-monitoring-sp service principal
  4. Click Save.

Step 6: Configure Loki for Azure

  1. SSH into the Privacera Manager instance.
  2. Navigate to the config directory:
Bash
1
cd ~/privacera/privacera-manager/config/custom-vars/
  1. Create the custom values file:
Bash
1
vi loki_custom_values.yml
  1. Add the following content:
YAML
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
loki:
  schemaConfig:
    configs:
    - from: "2024-04-01"
      store: tsdb
      object_store: azure
      schema: v13
      index:
        prefix: loki_index_
        period: 24h
  storage:
    bucketNames:
      chunks: <CONTAINER_NAME>
      ruler: <CONTAINER_NAME>
      admin: <CONTAINER_NAME>
  storage_config:
    tsdb_shipper:
      active_index_directory: /var/loki/index
      cache_location: /var/loki/cache
      cache_ttl: 168h
    azure:
      use_service_principal: true
      account_name: <STORAGE_ACCOUNT_NAME>
      tenant_id: <TENANT_ID>
      client_id: <CLIENT_ID>
      container_name: <CONTAINER_NAME>
      client_secret: <CLIENT_SECRET>
      request_timeout: 0
minio:
  enabled: false

Tip

  • Replace <CONTAINER_NAME>, <STORAGE_ACCOUNT_NAME>, <TENANT_ID>, <CLIENT_ID>, and <CLIENT_SECRET> with your Azure storage container name, storage account name, tenant ID, client ID, and client secret respectively.

Step 7: Redeploy Monitoring Components

a. Go to privacera-manager directory.

Bash
1
cd ~/privacera/privacera-manager.
b. Run setup to generate the required files.
Bash
1
./privacera-manager.sh setup
c. Install the monitoring components.
Bash
1
./pm_with_helm.sh install-monitoring
d. Run install to update the Grafana.
Bash
1
./pm_with_helm.sh install
e. Once done, run post-install.
Bash
1
./privacera-manager.sh post-install

Configure GCP Storage for Loki

Step 1: Create a GCS Bucket

  1. Go to GCP Console → Cloud Storage.
  2. Click Create Bucket.
  3. Configure:
    • Name: Globally unique
    • Region: As required
    • Storage class: Standard
    • Access control: Uniform
  4. Click Create.

Step 2: Create a Service Account

  1. Go to IAM & Admin → Service Accounts.
  2. Click Create Service Account.
  3. Provide a name and (optionally) a description.
  4. Skip assigning roles for now.
  5. Click Done.

Step 3: Grant Bucket Access to the Service Account

  1. Go back to your bucket → Permissions tab.
  2. Click Grant Access.
  3. Add your service account’s email.
  4. Assign the following roles:
    • Storage Admin
    • Storage Object Admin
  5. Click Save.

Step 4: Configure Workload Identity

  1. Open the service account details.
  2. Under Permissions, click + Grant Access.
  3. In New principals, add:
Text Only
1
<PROJECT_ID>.svc.id.goog[privacera-monitoirng/loki]

Tip

  • Replace <PROJECT_ID> with your GCP project id .
  • Default value for privacera monitoring namespace is privacera-monitoring and default k8s service account name is loki.
  1. Assign role:
    Service Account Workload Identity User
  2. Save the configuration.

Step 5: Configure Loki for GCP

  1. SSH into the Privacera Manager instance.
  2. Navigate to the config directory:
Bash
1
cd ~/privacera/privacera-manager/config/custom-vars/
  1. Create the custom values file:
Bash
1
vi loki_custom_values.yml
  1. Add the configuration below:
YAML
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
loki:
  schemaConfig:
    configs:
      - from: "2020-05-15"
        store: tsdb
        object_store: gcs
        schema: v13
        index:
          prefix: index_
          period: 24h
  storage:
    bucketNames:
      chunks: <GCP_BUCKET_NAME>
      ruler: <GCP_BUCKET_NAME>
      admin: <GCP_BUCKET_NAME>
  storage_config:
    tsdb_shipper:
      active_index_directory: var/loki/index
      cache_location: var/loki/index_cache
      gcs:
        bucket_name: <GCP_BUCKET_NAME>
minio:
  enabled: false

serviceAccount:
  annotations:
    iam.gke.io/gcp-service-account: <GCP_SERVICE_ACCOUNT>@<PROJECT_ID>.iam.gserviceaccount.com

Tip

  • Replace <GCP_BUCKET_NAME>, <GCP_SERVICE_ACCOUNT> & ` with your GCP bucket name, service account name and project id respectively.

Step 6: Redeploy Monitoring Components

a. Go to privacera-manager directory.

Bash
1
cd ~/privacera/privacera-manager.
b. Run setup to generate the required files.
Bash
1
./privacera-manager.sh setup
c. Install the monitoring components.
Bash
1
./pm_with_helm.sh install-monitoring
d. Run install to update the Grafana.
Bash
1
./pm_with_helm.sh install
e. Once done, run post-install.
Bash
1
./privacera-manager.sh post-install

Comments