fix(operator): provide AWS region in environment variable for STS mode (#21136)

2026-03-13 09:33:58 +08:00 · 2026-03-12 18:03:23 +01:00
parent 5e47080621
commit cb261d9534
3 changed files with 22 additions and 3 deletions
--- a/operator/internal/manifests/storage/configure.go
+++ b/operator/internal/manifests/storage/configure.go
@@ -222,11 +222,13 @@ func tokenAuthCredentials(opts Options) []corev1.EnvVar {
 			return []corev1.EnvVar{
 				envVarFromValue(EnvAWSCredentialsFile, path.Join(tokenAuthConfigDirectory, KeyAWSCredentialsFilename)),
 				envVarFromValue(EnvAWSSdkLoadConfig, "true"),
+				envVarFromValue(EnvAWSRegion, opts.S3.Region),
 			}
 		} else {
 			return []corev1.EnvVar{
 				envVarFromSecret(EnvAWSRoleArn, opts.SecretName, KeyAWSRoleArn),
 				envVarFromValue(EnvAWSWebIdentityTokenFile, ServiceAccountTokenFilePath),
+				envVarFromValue(EnvAWSRegion, opts.S3.Region),
 			}
 		}
 	case lokiv1.ObjectStorageSecretAzure:
--- a/operator/internal/manifests/storage/configure_test.go
+++ b/operator/internal/manifests/storage/configure_test.go
@@ -867,8 +867,9 @@ func TestConfigureDeploymentForStorageType(t *testing.T) {
 				SharedStore:    lokiv1.ObjectStorageSecretS3,
 				CredentialMode: lokiv1.CredentialModeToken,
 				S3: &S3StorageConfig{
-					STS:      true,
 					Audience: "test",
+					Region:   "test-region",
+					STS:      true,
 				},
 			},
 			dpl: &appsv1.Deployment{
@@ -919,6 +920,10 @@ func TestConfigureDeploymentForStorageType(t *testing.T) {
 											Name:  "AWS_WEB_IDENTITY_TOKEN_FILE",
 											Value: "/var/run/secrets/storage/serviceaccount/token",
 										},
+										{
+											Name:  "AWS_REGION",
+											Value: "test-region",
+										},
 									},
 								},
 							},
@@ -960,7 +965,8 @@ func TestConfigureDeploymentForStorageType(t *testing.T) {
 				SharedStore:    lokiv1.ObjectStorageSecretS3,
 				CredentialMode: lokiv1.CredentialModeTokenCCO,
 				S3: &S3StorageConfig{
-					STS: true,
+					Region: "test-region",
+					STS:    true,
 				},
 				OpenShift: OpenShiftOptions{
 					Enabled: true,
@@ -1012,6 +1018,10 @@ func TestConfigureDeploymentForStorageType(t *testing.T) {
 											Name:  "AWS_SDK_LOAD_CONFIG",
 											Value: "true",
 										},
+										{
+											Name:  "AWS_REGION",
+											Value: "test-region",
+										},
 									},
 								},
 							},
@@ -2065,7 +2075,8 @@ func TestConfigureStatefulSetForStorageType(t *testing.T) {
 				SharedStore:    lokiv1.ObjectStorageSecretS3,
 				CredentialMode: lokiv1.CredentialModeTokenCCO,
 				S3: &S3StorageConfig{
-					STS: true,
+					Region: "test-region",
+					STS:    true,
 				},
 				OpenShift: OpenShiftOptions{
 					Enabled: true,
@@ -2117,6 +2128,10 @@ func TestConfigureStatefulSetForStorageType(t *testing.T) {
 											Name:  "AWS_SDK_LOAD_CONFIG",
 											Value: "true",
 										},
+										{
+											Name:  "AWS_REGION",
+											Value: "test-region",
+										},
 									},
 								},
 							},
--- a/operator/internal/manifests/storage/var.go
+++ b/operator/internal/manifests/storage/var.go
@@ -7,6 +7,8 @@ const (
 	EnvAlibabaCloudAccessKeyID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
 	// EnvAlibabaCloudAccessKeySecret is the environment variable to specify the AlibabaCloud client secret to access S3.
 	EnvAlibabaCloudAccessKeySecret = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"
+	// EnvAWSRegion configures the AWS region the client uses for operations.
+	EnvAWSRegion = "AWS_REGION"
 	// EnvAWSAccessKeyID is the environment variable to specify the AWS client id to access S3.
 	EnvAWSAccessKeyID = "AWS_ACCESS_KEY_ID"
 	// EnvAWSAccessKeySecret is the environment variable to specify the AWS client secret to access S3.