docs: added additional GCS authentication information (#15112)

Co-authored-by: J Stickler <[email protected]> (cherry picked from commit 39c47e5)
grafana · Nov 26, 2024 · 0024d4e · 0024d4e
1 parent d468a41
commit 0024d4e
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/docs/sources/configure/storage.md b/docs/sources/configure/storage.md
@@ -237,9 +237,14 @@ storage_config:
   tsdb_shipper:
     active_index_directory: /loki/index
     cache_location: /loki/index_cache
-    cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
+    cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
   gcs:
       bucket_name: <bucket>
+      service_account: |    
+        {
+          "type": "service_account",
+          ...
+        }
 
 schema_config:
   configs:
@@ -252,6 +257,14 @@ schema_config:
         period: 24h
 ```
 
+`service_account` should contain JSON from either a GCP Console `client_credentials.json` file or a GCP service account key. If this value is blank, most services will fall back to GCP's Application Default Credentials (ADC) strategy. For more information about ADC, refer to [How Application Default Credentials works](https://cloud.google.com/docs/authentication/application-default-credentials).
+
+The [pre-defined `storage.objectUser` role](https://cloud.google.com/storage/docs/access-control/iam-roles) (or a custom role modeled after it) contains sufficient permissions for Loki to operate.
+
+{{< admonition type="note" >}}
+GCP recommends [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) instead of a service account key.
+{{< /admonition >}}
+
 ### AWS deployment (S3 Single Store)
 
 ```yaml