Platform Administration

Manage Workspaces and Deployments on Astronomer

A Workspace is the highest level of organization in Astro Private Cloud. From a Workspace, you can manage a collection of Clusters (which function as Data Planes), their associated Airflow Deployments, and the set of users with varying levels of access to those resources.

With the separated CP/DP architecture introduced in Astro Private Cloud 1.0:

  • The Control Plane (CP) hosts the Astro Private Cloud UI, API, and global services.
  • A Cluster represents a Data Plane (DP) and is where Airflow Deployments are created and run.
  • Each Workspace can span multiple Clusters, giving admins the flexibility to organize Deployments across environments such as dev, staging and production.

If you’re not a member of any Workspaces, you’ll be prompted to create one the first time you log in to the Astro Private Cloud UI. If you already have access to at least one Workspace, you can create a new one at any time using the New Workspace button in the sidebar.

This guide walks through best practices for creating and managing Workspaces as a Workspace Admin. It’s organized by the four tabs available from a Workspace’s menu in the Astro Private Cloud UI:

  • Workspace Settings > General
  • Workspace Settings > Users
  • Workspace Settings > Teams
  • Workspace Settings > Service Accounts

Workspace configuration tab location

Deployments

The most important function of Workspaces is to create and manage access to one or more Clusters and their associated Airflow Deployments.

An Airflow Deployment is an instance of Apache Airflow running within a Cluster (Data Plane). Each Deployment includes a scheduler, webserver, and one or more workers if you’re running the Celery or Kubernetes executors.

To create a new Deployment, navigate to the Deployments tab in your Workspace and select the New Deployment button. You can also create Deployments using the Astro CLI as described in the CLI Quickstart

Deployment Tab

You cannot use or share Deployments across Workspaces. You can push local dags and code to any Deployment at any time but there is currently no way to move an existing Airflow Deployment from one Workspace to another once created.

Settings

You can rename your Workspace or update its description in the Workspace Settings tab. While these fields have no effect on how tasks are executed, Astronomer recommends configuring them to give users an idea of the Workspace’s purpose and scope.

Users

You can see who has access to the Workspace in the Users tab of the Workspace Settings.

If you’d like to share access to other members of your organization, invite them to a Workspace you’re a part of. Once your team members are part of your Workspace, Deployment admins can grant them varying levels of access to Airflow Deployments within the Workspace. Likewise, Workspace admins can grant them varying levels of access to the entire Workspace.

An exact breakdown of user roles and their respective levels of access can be found in Manage User Permissions on an Astronomer Workspace.

In addition, Astro Private Cloud system admins can add or remove specific permissions for each type of user role. For more information on this feature, read Customize Permissions.

Teams

Use the Teams tab in Workspace Settings to manage group-based access controls. Teams allow you to assign permissions to groups of users.

The Teams tab displays a list of all teams with access to the Workspace, including their provider, description, and Workspace role. You can search for teams within the Workspace using the search bar.

To add a team to the Workspace, select the + Team button. In the Add Team to Workspace panel, search for and select an existing team. Assign the appropriate Workspace role, Viewer, Editor, or Admin, to define the team’s access level. Optionally, assign Deployment-level roles for individual Airflow Deployments by selecting Deployments and choosing the required role for each.

You can also apply Deployment roles in bulk by using the Select All option and applying the desired role to multiple Deployments simultaneously.

Service accounts

Use the Service Accounts tab of the Workspace Settings to create a Workspace-level service account. Service accounts generate a permanent API key that you can use automate any action at the Workspace level, such as deploying to your Workspace’s Airflow Deployments via a CI/CD tool of your choice.

To automate actions at the Deployment level, create a Deployment service account. For more information on this feature, read Deploy via CI/CD.