Summary
- Added
setFieldstoEnvironmentObjectandEnvironmentObjectLinkresponses, andunsetFieldsto environment object link update overrides. Together they let clients distinguish a set-but-masked secret from an unset field, and clear a link override so it falls back to its parent value. - Changed the permission required to update Team roles from the org-wide
organization.teams.updatetoorganization.teamRoles.access. This fixes a regression where callers with only deployment-scoped team permissions received403errors when assigning a Team to a Deployment.
Added
- Properties
setFields(array of strings, required): added toEnvironmentObjectandEnvironmentObjectLink. Names the value and override fields that currently hold a value, including masked secrets. Map members are reported as dotted paths (for exampleextra.aws_secret).unsetFields(array of strings, maximum 100 items): added toUpdateEnvironmentObjectOverridesRequest. Names override fields to unset on a link so it inherits the parent value. A field can’t be both set and listed inunsetFieldsin the same request.
Changed
POST /organizations/{organizationId}/teams/{teamId}/roles(UpdateTeamRoles) now requires theorganization.teamRoles.accesspermission instead oforganization.teams.update. Individual role changes in the request are still authorized against their own scope (organization, workspace, or deployment).
Summary
- Added Private Network Egress mode for AWS clusters. When enabled, this mode disables public Internet connectivity from the cluster’s Deployments and metrics exports. Cluster create, update, and read schemas gain an
isPrivateNetworkEgressEnabledfield. - Added a
descriptionfield to environment objects. Environment object create, update, and read schemas now accept and return an optional description of up to 500 characters.
Added
- Properties
isPrivateNetworkEgressEnabled(boolean, AWS clusters only): added toCluster,CreateAwsClusterRequest, andUpdateDedicatedClusterRequest. When true, disables public Internet connectivity from the cluster’s Deployments and metrics exports.description(string): added toCreateEnvironmentObjectRequestandUpdateEnvironmentObjectRequest(maximum 500 characters), and toEnvironmentObject.
Summary
- Added
hasAiFeaturesDisabledand a requiredisBlockedEnableAiFeaturesto theOrganizationschema.hasAiFeaturesDisabledindicates whether AI features are disabled for the Organization, andisBlockedEnableAiFeaturesindicates whether the Organization is blocked from enabling AI features. - Added
hasAiFeaturesDisabledtoUpdateOrganizationRequestso callers can set whether AI features are disabled when updating an Organization.
Added
- Properties
Organization:hasAiFeaturesDisabled(boolean). Whether AI features are disabled for the Organization.Organization:isBlockedEnableAiFeatures(boolean, required). Whether the Organization is blocked from enabling AI features.UpdateOrganizationRequest:hasAiFeaturesDisabled(boolean). Whether AI features are disabled for the Organization.
Summary
- Added environment variable support to environment objects. A new
ENVIRONMENT_VARIABLEobject type lets you create, update, and read environment variables managed by the Astro Environment Manager, with an optional secret value. - Added SigV4 authentication for metrics export environment objects. A new
SIGV4auth type accepts ansigV4AssumeArnIAM role ARN and ansigV4StsRegionAWS STS region. - Added Disaster Recovery (DR) support for GCP clusters. Cluster create, update, and read schemas gain
drPodSubnetRange,drServiceSubnetRange, anddrServicePeeringRange, and the existing DR fields are no longer scoped to AWS only. - Added a
locationfield toProviderRegionfor multi-region DR compatibility.
Added
- Enum values
ENVIRONMENT_VARIABLE: added to the environment objecttypeenum onCreateEnvironmentObjectRequestandEnvironmentObject, and to thetypequery parameter onGET /organizations/{organizationId}/environment-objects.SIGV4: added to theauthTypeenum on the six metrics export schemas (CreateEnvironmentObjectMetricsExportRequest,CreateEnvironmentObjectMetricsExportOverridesRequest,UpdateEnvironmentObjectMetricsExportRequest,UpdateEnvironmentObjectMetricsExportOverridesRequest,EnvironmentObjectMetricsExport, andEnvironmentObjectMetricsExportOverrides).
- Schemas
CreateEnvironmentObjectEnvironmentVariableRequest:isSecret(boolean) andvalue(string).CreateEnvironmentObjectEnvironmentVariableOverridesRequest:value(string).UpdateEnvironmentObjectEnvironmentVariableRequest:value(string).UpdateEnvironmentObjectEnvironmentVariableOverridesRequest:value(string).EnvironmentObjectEnvironmentVariable:isSecret(boolean, required) andvalue(string, required).valueis returned empty when the variable is a secret.EnvironmentObjectEnvironmentVariableOverrides:value(string, required).
- Properties
environmentVariable: added toCreateEnvironmentObjectRequest,CreateEnvironmentObjectOverridesRequest,UpdateEnvironmentObjectRequest,UpdateEnvironmentObjectOverridesRequest, andEnvironmentObject.environmentVariableOverrides: added toEnvironmentObjectLink.sigV4AssumeArn(string) andsigV4StsRegion(string): added to all six metrics export schemas listed under Enum values.drPodSubnetRange,drServiceSubnetRange, anddrServicePeeringRange(string, GCP clusters only): added toCluster,CreateGcpClusterRequest, andUpdateDedicatedClusterRequest.enableReplicationTimeControl(boolean): added toCreateAzureClusterRequest,CreateGcpClusterRequest, andUpdateDedicatedClusterRequest.drRegionanddrVpcSubnetRange: added toUpdateDedicatedClusterRequest.location(string): added toProviderRegion. The multi-region location code for DR compatibility.
Changed
enableReplicationTimeControldescription updated from “S3 Replication Time Control” to “Bucket Storage Replication Time Control” onClusterandCreateAwsClusterRequest.drRegionis no longer AWS-only: removed “For AWS clusters only” onCreateAwsClusterRequest,CreateAzureClusterRequest, andCreateGcpClusterRequest.drVpcSubnetRangeis no longer AWS-only: removed “For AWS clusters only” onCluster,CreateAwsClusterRequest,CreateAzureClusterRequest, andCreateGcpClusterRequest.drSecondaryVpcCidrdescription now notes it applies to AWS clusters only onCreateAwsClusterRequest.POST /organizations/{organizationId}/environment-objects(CreateEnvironmentObject) description updated to include environment variables alongside connections, Airflow variables, and metrics export resources.
Summary
- Added two endpoints for managing allowed IP address ranges in bulk:
POST /organizations/{organizationId}/allowed-ip-address-ranges/bulk-createandPOST /organizations/{organizationId}/allowed-ip-address-ranges/bulk-delete. Each request accepts up to 1,000 items and processes the batch atomically.
Added
-
Endpoints
POST /organizations/{organizationId}/allowed-ip-address-ranges/bulk-create: Create up to 1,000 allowed IP address ranges for an Organization in one request. The batch is created atomically: if any value fails validation or conflicts with an existing range, no ranges are created. The endpoint is not idempotent, so a retry after an unacknowledged 2xx response can return409. On success, the endpoint returns the created ranges as anAllowedIpAddressRangesList. Requires theorganization.allowedIpAddressRanges.createpermission.POST /organizations/{organizationId}/allowed-ip-address-ranges/bulk-delete: Delete up to 1,000 allowed IP address ranges for an Organization in one request. The batch is deleted atomically. Unknown and duplicate IDs are accepted and ignored, and matching ranges for the Organization are deleted. The endpoint returns204with no response body. Requires theorganization.allowedIpAddressRanges.deletepermission.
-
Schemas
BulkCreateAllowedIpAddressRangesRequest: Request body for bulk create. Required:allowedIpAddressRanges, a non-empty array of up to 1,000 CIDR-format strings.BulkDeleteAllowedIpAddressRangesRequest: Request body for bulk delete. Required:allowedIpAddressRangeIds, a non-empty array of up to 1,000 allowed IP address range IDs.AllowedIpAddressRangesList: Response body for bulk create. Required:allowedIpAddressRanges, an array ofAllowedIpAddressRange.
Summary
- Added
podEphemeralStorageto the worker queue schemas so callers can set the ephemeral storage limit for each worker Pod.
Added
- Properties
WorkerQueue:podEphemeralStorage(string). The ephemeral storage limit for each worker Pod. Units are in Gibibytes orGi. Example:10Gi.WorkerQueueRequest:podEphemeralStorage(string). The ephemeral storage limit for each worker Pod. Must be a valid Kubernetes resource string, for example10Gi.UpdateWorkerQueueRequest:podEphemeralStorage(string). The ephemeral storage limit for each worker Pod. Must be a valid Kubernetes resource string, for example10Gi.
Summary
- Added
lastRotatedAttoApiTokenso callers can see when a token was last rotated. - Added a new
gitobject (CreateDeployGitRequeston requests,DeployGiton responses) onCreateDeployRequestandDeployfor attaching git commit metadata to a deploy. A newGENERICprovider value (alongsideGITHUB) supports non-GitHub remotes such as GitLab, Bitbucket, and self-hosted git via aremoteUrlfield. - Added
IBM_ENTERPRISEas a value onOrganizationProductPlan.productPlanName. - Narrowed
Workspace.defaultCloudProviderfrom a free-form string to the enumAWS,AZURE,GCP.
Added
-
Schemas
CreateDeployGitRequestandDeployGit: Git commit metadata associated with a deploy. Required:commitSha,provider. Optional:account,authorName,authorUrl,authorUsername,beforeCommitSha,branch,commitUrl,path,remoteUrl,repo.provideracceptsGITHUBorGENERIC. ForGITHUB, supplyaccountandrepoand leaveremoteUrlempty. ForGENERIC, supplyremoteUrland leaveaccountandrepoempty.
-
Properties
ApiToken:lastRotatedAt(string, date-time). The time when the API token was last rotated.CreateDeployRequest,Deploy:git(object). Git commit metadata for the deploy. SeeCreateDeployGitRequestandDeployGit.
-
Enum values
OrganizationProductPlan.productPlanName:IBM_ENTERPRISE.
Changed
- Schemas
Workspace.defaultCloudProvider: Now restricted to the enumAWS,AZURE,GCP(previously a free-form string).
Summary
- Create Deployment requests now require only
nameandworkspaceId. The server resolves infrastructure from Workspace defaults (or auto-selects when the Organization has a single non-shared cluster), infers the Deploymenttypefrom the resolved cluster, and applies defaults for runtime version, executor, scheduler size, and related fields. This reduces the create Deployment API from roughly 15 required fields down to 2. - Added
defaultClusterId,defaultCloudProvider, anddefaultRegiononWorkspaceso Workspace admins can pre-configure target infrastructure for new Deployments.defaultClusterIdis mutually exclusive withdefaultCloudProvideranddefaultRegion. - Added
GET /organizations/{organizationId}/deployments/{deploymentId}/logsandGET /users/selfendpoints. - Added
hasAllowedIpAddressRangesandshouldEnforceDedicatedClustersas required properties on theOrganizationschema. - Added
workspaceIdanddeploymentIdfilters toGET /organizations/{organizationId}/teams.
Added
-
Endpoints
GET /organizations/{organizationId}/deployments/{deploymentId}/logs: Get logs for an Astro Deployment. Supports filtering by log source (scheduler,triggerer,worker,webserver,dag-processor,apiserver), time range, text search, and pagination.GET /users/self: Get the authenticated user’s profile, roles, invites, and feature flags. Supports an optionalcreateIfNotExistquery parameter.
-
Schemas
CreateDeploymentInstanceSpecRequestau: Integer. Astro unit allocation for the Deployment pod. Minimum5, maximum24. Optional.replicas: Integer. Number of pod replicas. Minimum1, maximum4. Optional.
UpdateDeploymentInstanceSpecRequestau: Integer. Astro unit allocation for the Deployment pod. Minimum5, maximum24. Required.replicas: Integer. Number of pod replicas. Minimum1, maximum4. Required.
DeploymentLog- Required:
limit,maxNumResults,offset,resultCount,results,searchId. results: Array ofDeploymentLogEntry.
- Required:
DeploymentLogEntry- Required:
raw(string),source(enum:scheduler,webserver,triggerer,worker,dag-processor,apiserver),timestamp(number).
- Required:
SelfUser- Required:
avatarUrl,createdAt,fullName,id,status,updatedAt,username. - Also includes
featureFlags,invites,isIdpManaged,organizationId, androles.
- Required:
SelfUserFeatureFlag,SelfUserInvite,SelfUserRole,SelfUserRoleScope: Supporting schemas forSelfUser.UpdateWorkerQueueRequest: Used by theworkerQueuesarray onUpdateDedicatedDeploymentRequest,UpdateHybridDeploymentRequest, andUpdateStandardDeploymentRequest. Required fields:isDefault,maxWorkerCount,minWorkerCount,name,workerConcurrency.
-
Properties
CreateWorkspaceRequestandUpdateWorkspaceRequest:defaultCloudProvider(enum:AWS,AZURE,GCP),defaultClusterId, anddefaultRegion. Workspace admins use these fields to pre-configure target infrastructure for new Deployments. When a create Deployment request omitsclusterId,cloudProvider, andregion, the server uses these Workspace defaults.defaultClusterIdis mutually exclusive withdefaultCloudProvideranddefaultRegion.Organization:hasAllowedIpAddressRanges(boolean, required) indicating whether the Organization has at least one allowed IP address range configured, andshouldEnforceDedicatedClusters(boolean, required).UpdateOrganizationRequest:shouldEnforceDedicatedClusters(boolean).Workspace:defaultCloudProvider,defaultClusterId, anddefaultRegion(strings) reflecting the configured defaults.
-
Query parameters
GET /organizations/{organizationId}/teams:workspaceIdanddeploymentIdfilter the response to Teams with a role in the specified Workspace or Deployment.
Changed
- Removed required fields on create Deployment requests. When a field is omitted, the server applies a default. The only remaining required fields are
nameandworkspaceId.