To use Azure Storage as Thanos object store, you need to precreate a storage account from Azure portal or using Azure CLI. Follow the instructions from the Azure Storage Documentation.

Now create a .YAML file named object-store.yaml with the following format:

type: AZURE
config:
  storage_account: ""
  storage_account_key: ""
  container: ""
  # config.endpoint is only needed if primary blob service endpoint domain is not blob.core.windows.net
  # Example: blob.core.chinacloudapi.cn
  endpoint: ""
  max_retries: 0

AWS/S3 Federation

Kubecost uses a shared storage bucket to store metrics from clusters, known as durable storage, in order to provide a single-pane-of-glass for viewing cost across many clusters. Multi-cluster is an enterprise feature of Kubecost.

There are multiple methods to provide Kubecost access to an S3 bucket. This guide has two examples:

1. Using a Kubernetes secret

2. Attaching an AWS Identity and Access Management (IAM) role to the service account used by Prometheus

Both methods require an S3 bucket. Our example bucket is named kc-thanos-store.

This is a simple S3 bucket with all public access blocked. No other bucket configuration changes should be required.

Once created, add an IAM policy to access this bucket. See our AWS Thanos IAM Policy doc for instructions.

Method 1: Kubernetes Secret Method

To use the Kubernetes secret method for allowing access, create a YAML file named object-store.yaml with contents similar to the following example. See region to endpoint mappings here.

type: S3
config:
  bucket: "kc-thanos-store"
  endpoint: "s3.amazonaws.com"
  region: "us-east-1"
  access_key: "<your-access-key>"
  secret_key: "<your-secret-key>"
  insecure: false
  signature_version2: false
  put_user_metadata:
      "X-Amz-Acl": "bucket-owner-full-control"
  http_config:
    idle_conn_timeout: 90s
    response_header_timeout: 2m
    insecure_skip_verify: false
  trace:
    enable: true
  part_size: 134217728

Method 2: Attach IAM role to Service Account Method

Instead of using a secret key in a file, many will want to use this method.

Attach the policy to the Thanos pods service accounts. Your object-store.yaml should follow the format below when using this option, which does not contain the secret_key and access_key fields.

type: S3
config:
  bucket: "kc-thanos-store"
  endpoint: "s3.amazonaws.com"
  region: "us-east-1"
  insecure: false
  signature_version2: false
  put_user_metadata:
      "X-Amz-Acl": "bucket-owner-full-control"
  http_config:
    idle_conn_timeout: 90s
    response_header_timeout: 2m
    insecure_skip_verify: false
  trace:
    enable: true
  part_size: 134217728

Then, follow this AWS guide to enable attaching IAM roles to pods.

You can define the IAM role to associate with a service account in your cluster by creating a service account in the same namespace as Kubecost and adding an annotation to it of the form eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME> as described here.

Once that annotation has been created, configure the following:

.Values.prometheus.serviceAccounts.server.create: false
.Values.prometheus.serviceAccounts.server.name: serviceAccount # to the name of your created service account
.Values.thanos.compact.serviceAccount: serviceAccount
.Values.thanos.store.serviceAccount: serviceAccount

Thanos Encryption With S3 and KMS

You can encrypt the S3 bucket where Kubecost data is stored in AWS via S3 and KMS. However, because Thanos can store potentially millions of objects, it is suggested that you use bucket-level encryption instead of object-level encryption. More details available in these external docs:

• Thanos S3 storage doc

• Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys

• Configuring an S3 Bucket Key at the Object Level

Troubleshooting

Visit the Configuring Thanos doc for troubleshooting help.

Start by creating a new Google Cloud Storage bucket. The following example uses a bucket named thanos-bucket. Next, download a service account JSON file from Google's service account manager (steps).

Now create a YAML file named object-store.yaml in the following format, using your bucket name and service account details:

type: GCS
config:
  bucket: "thanos-bucket"
  service_account: |-
    {
      "type": "service_account",
      "project_id": "...",
      "private_key_id": "...",
      "private_key": "...",
      "client_email": "...",
      "client_id": "...",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": ""
    }

Note: Because this is a YAML file, it requires this specific indention.

Warning: Do not apply a retention policy to your Thanos bucket, as it will prevent Thanos compaction from completing.

In order to create an AWS IAM policy for use with Thanos:

1. Navigate to the AWS console and select IAM.

2. Select Policies in the Navigation menu, then select Create Policy.

3. Add the following JSON in the policy editor:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<your-bucket-name>/*",
                "arn:aws:s3:::<your-bucket-name>"
            ]
        }
    ]
}
```

4. Select Review policy and name this policy, e.g. kc-thanos-store-policy.

1. Navigate to Users in IAM control panel, then select Add user.

2. Provide a username (e.g. kubecost-thanos-service-account) and select Programmatic access.

3. Select Attach existing policies directly, search for the policy name provided in Step 4, then create the user.
4. Capture your Access Key ID and secret in the view below:

If you don’t want to use a service account, IAM credentials retrieved from an instance profile are also supported. You must get both access key and secret key from the same method (i.e. both from service or instance profile). More info on retrieving credentials here.