Show Remote Execution Agent task logs in Airflow UI

You can make task logs visible directly in the Airflow UI by exporting task logs to your object storage, and configuring the Astro API Server to securely retrieve them.

This requires:

Configuration in the Remote Execution Agent's Helm values.yaml.
Deployment configuration in the Astro UI.
Proper workload identities for the Remote Execution Agent, write access, and the Astro API Server, read access.

AWS
GCP
Azure

AWS

To display task logs directly in the Airflow UI for your Remote Execution Deployment, you must store the task logs in an S3 bucket located in the same region as the Deployment's cluster.

Configure the following environment variables in the Helm chart's values.yaml, and replace the path for the AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER value with your information:

commonEnv:
  - name: AIRFLOW__LOGGING__REMOTE_LOGGING
    value: "True"
  - name: AIRFLOW__LOGGING__REMOTE_LOG_CONN_ID
    value: "astro_aws_logging"
  - name: AIRFLOW_CONN_ASTRO_AWS_LOGGING
    value: "s3://"
  - name: AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER
    value: "s3://<bucket>/<deployment-id>"
  - name: AIRFLOW__LOGGING__LOGGING_CONFIG_CLASS
    value: "astronomer.runtime.logging.logging_config"
  - name: ASTRONOMER_ENVIRONMENT
    value: "cloud"

Mounting credentials manually

If you do not use workload identity and instead want to manually mount a credential, you must also add the following environment variable defining the location of a token file to your Remote Agent's values.yaml file. You can customize the file path, /tmp/logging-token, to the name of your logging token file.

  - name: ASTRO_LOGGING_AWS_WEB_IDENTITY_TOKEN_FILE
    value: "/tmp/logging-token"

Run helm upgrade to apply the change to your Agents.
In the Astro UI, navigate to your Deployment and click the Details tab. Click Edit in the Advanced section to access your logging configurations.
Select Bucket Storage in the Task Logs field and fill in the Bucket URL as s3://<bucket>/<deployment-id>. Or, use the path that you configured for AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER in your Remote Agent's Helm chart's values.yaml.
In the Workload Identity for Bucket Storage section, select Customer Managed Identity and follow the instructions to set up your Customer Managed Identity so that the identity you create has read access to the specified bucket and path.
(Optional) If your log bucket is in a different region from your Astro Deployment, you need to define the AWS region in the AIRFLOW__ASTRONOMER_PROVIDERS_LOGGING__AWS_REGION environment variable for Astronomer-managed components. In the Astro UI, navigate to your Deployment and click the Environment tab. Click Environment Variables, then click (+) Environment Variable to add the following environment variables to your Deployment:

AIRFLOW__ASTRONOMER_PROVIDERS_LOGGING__AWS_REGION <The region in which the S3 bucket is configured>

Configure the following environment variables in the Helm chart's values.yaml:

commonEnv:
  - name: AIRFLOW__LOGGING__REMOTE_LOGGING
    value: "True"
  - name: AIRFLOW__LOGGING__REMOTE_LOG_CONN_ID
    value: "astro_gcs_logging"
  - name: AIRFLOW_CONN_ASTRO_GCS_LOGGING
    value: "gcs://"
  - name: AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER
    value: "gs://<bucket>/<deployment-id>"
  - name: AIRFLOW__LOGGING__LOGGING_CONFIG_CLASS
    value: "astronomer.runtime.logging.logging_config"
  - name: ASTRONOMER_ENVIRONMENT
    value: "cloud"

info

The path for the AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER value is configurable. This is only an example format.

Do a helm upgrade to apply the change to your Agents.
In the Astro UI, navigate to your Deployment and click the Details tab. Click Edit in the Advanced section.
In the Task Logs field, select Bucket Storage and fill in the Bucket URL as gs://<bucket>/<deployment-id>. Or, use the path that you configured for AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER in your Remote Agent's Helm chart's values.yaml.
In the Workload Identity for Bucket Storage section, select Customer Managed Identity and follow the instructions to set up your Customer Managed Identity so that the identity you create has read access to the specified bucket and path.

tip

On GCP, you can authorize your Deployment to cloud resources using workload identity with the alternative methods described here.

info

To establish connectivity, you must enable Enabled from all networks in the networking settings of your storage account from which the Astro API server reads task logs.

For security, Astronomer recommends you assign the Storage Blob Data Reader role to the workload identity used by the API server and apply the following settings for your storage account:

Secure transfer required: Enabled
Allow Blob anonymous access: Disabled
Minimum TLS version: TLS 1.2 or higher

Configure the following environment variables in the Helm chart's values.yaml:

 commonEnv:
  - name: AIRFLOW__LOGGING__REMOTE_LOGGING
    value: "True"
  - name: AIRFLOW__LOGGING__REMOTE_LOG_CONN_ID
    value: "astro_azure_logs"
  - name: AIRFLOW_CONN_ASTRO_AZURE_LOGS
    value: "wasb://"
  - name: AIRFLOW__ASTRONOMER_PROVIDERS_LOGGING__AZURE_ACCOUNT_NAME
    value: "<storage-account>"
  - name: AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER
    value: "<deployment-id>"
  - name: AIRFLOW__AZURE_REMOTE_LOGGING__REMOTE_WASB_LOG_CONTAINER
    value: "<storage-account-container-name>"
  - name: AIRFLOW__LOGGING__LOGGING_CONFIG_CLASS
    value: "astronomer.runtime.logging.logging_config"
  - name: ASTRONOMER_ENVIRONMENT
    value: "cloud"

info

The path for the AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER value is configurable. This is only an example format.

Do a helm upgrade to apply the change to your Agents.
In the Astro UI, navigate to your Deployment and click the Details tab. Click Edit in the Advanced section.
Select Bucket Storage in the Task Logs field and fill in the Bucket URL using the following URL format: wasb://<container-name>@<storage-account>.blob.core.windows.net/<base-log-folder>. Replace <container-name> with the name of the container you created in your Azure Storage Account, and <storage-account> with the name of your Azure Storage Account.

For example, if you have the following

A storage account: mystorageaccount
A container:mycontainer
A base log folder is mydepl/af-logs

Then, the URL looks like:

wasb://mycontainer@mystorageaccount.blob.core.windows.net/mydepl/af-logs

In the Workload Identity for Bucket Storage section, select Customer Managed Identity and follow the instructions to set up your Customer Managed Identity so that the identity you create has read access to the specified bucket and path.
In the Astro UI, navigate to your Deployment and click the Environment tab. Click Edit Variables, then click Add Variable to add the following environment variables to your Deployment:

ASTRO_LOGGING_AZURE_CLIENT_ID: <Client ID for the managed identity that you want the API server to use to fetch task logs>
ASTRO_LOGGING_AZURE_TENANT_ID: <Tenant ID for the managed identity that you want the API server to use to fetch task logs>

Was this page helpful?