Skip to main content

Astro audit logs

caution

This feature is in Private Preview.

Astro audit logs record Astro control plane administrative activities and events. You can use the audit logs to determine who did what, where, and when. You can also use audit logs to ensure your organization is meeting its security and regulatory requirements. For example, you can use audit logs to determine when users were added to your organization or to individual Workspaces.

Available audit log data

The following categories of event data are available in the audit log:

  • API events: The data generated by user actions in the Cloud UI, Astro CLI, or from internal processing actions in the Astro control plane.
  • Airflow UI access: The data generated when users access the Airflow UI.
  • Astronomer container registry access: The data generated when users access the Astronomer container registry with the Astro CLI.

The audit log file is provided as a JSON file. Every entry in the audit log file corresponds to an event, and event attributes provide additional information about the specific event.

Common fields

The following table lists the common fields shared by all three categories of event data.

FieldDescription
subjectIdA unique identifier that identifies the initiator of the request. The value can be user ID or an API key.
subjectTypeA unique identifier that identifies the subject of the request. The value can be USER or SERVICEKEY.
organizationIdA unique identifier that identifies your organization. This is the value displayed in the Cloud UI Settings page.
timestampThe date and time the event occurred.
sourceIpThe IP address of the originating request.
userAgentThe application used to make the request.
correlationIdA unique identifier for the request.

API event fields

The following table lists the fields that are unique to API events.

FieldDescription
operationNameThe name of the API event. For example, createUserInvite or workspaceCreate.
graphqlClientNameThe type of client making the request. The values are cloud-ui or cli.
requestInputThe input for the API request.
requestBodyRaw graphQL for the event.

The following table maps some common operationName attributes to their corresponding requestInput attributes.

EventoperationName attributerequestInput attributes
The Organization is updated.updateOrganizationid, name
A new user is invited to an organization.createUserInviteinviteeEmail, role
A user has accepted their invite to an organization.updateUserInvite
A user is deleted from an organization.deleteUserInviteinviteId
A user is assigned a new role.assignUserOrganizationRolerole, userId
A user is removed from an organization.deleteOrganizationUserorganizationId, userId
A Workspace is created.createWorkspacelabel, organizationId
A Workspace is updated.updateWorkspacelabel, id
A Workspace is deleted.deleteWorkspaceid
A user is added to a Workspace, or a user role is updated.assignUserWorkspaceRoleemail, role, workspaceId
A user is removed from a workspace.deleteUserWorkspaceRoleuserId, workspaceId
A new Deployment is created.createDeploymentlabel, workspaceId
A Deployment is updated.updateDeploymentdeploymentSpec
A Deployment variable is updated.updateDeploymentVariablesisSecret, key
An API key is created for a Deployment.createDeploymentApiKeydeploymentId, role
An API key is deleted for a Deployment.deleteDeploymentApiKeyid
The code for a Deployment is updated.ImageCreatedeploymentId

Use your analytics or audit tool to view additional attribute mapping information.

Airflow UI access event fields

The following table lists the fields that are unique to Airflow UI access events.

FieldDescription
targetUrlThe URL for the canonical name record in the Airflow webserver that runs in the Astro control dataplane. For example, https://cl8gwrnw601f10tyxhgrhaayw.astronomer.run.
pathThe relative path of the page being accessed. For example, /dzl9chy4/configuration.
methodThe HTTP method for the request.

Astronomer container registry access event fields

The following table lists the fields that are unique to Astronomer container registry access events.

FieldDescription
deploymentIdA unique identifier that identifies the Deployment on which the event occurred.
pathThe path to the image in the registry.
methodThe HTTP method for the request.

Export audit logs

Audit logs are retained for 90 days. Organization Owner permissions are required to export audit logs.

  1. In the Cloud UI, click the Settings tab.

  2. Select the number days of audit data to export in the Audit Logs area and then click Export.

    The extracted audit log data is saved as a JSON file in your downloads directory with the default filename <astro-organization-name>-logs-<number-of-days>-days-<date>.json.

You can also export logs using the Astro CLI.

  1. Run the following command to enable the feature:

    astro config set -g beta.audit_logs true
  2. Run the following command to export audit logs as a GZIP file to your current directory:

    astro organization audit-logs --organization-name=<your-organization-name>