For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Astro Private Cloud overview
    • Astro Private Cloud features
      • Configure metrics
      • Configure liveness and readiness probes
      • Forward logs to Amazon S3
      • Platform and deployment alerts
      • Logs configuration
      • Export task logs
    • Release and lifecycle policy
    • Support policy

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Architecture
  • Prerequisites
  • Advanced configuration
  • Partition by deployment
  • Multiple destinations
  • S3 lifecycle policies
  • Troubleshooting
  • Logs not appearing in S3
  • Permission denied errors
  • High latency
  • Related documentation
Platform Observability

Forward logs to Amazon S3

Edit this page
Built with

APC uses Vector for log collection and forwarding. You can configure Vector to send Airflow task logs to Amazon S3 for long-term storage, compliance, or integration with other analytics tools.

If you previously configured S3 log forwarding using Fluentd in APC 0.37 or earlier, you must replace your fluentd.s3 configuration with the Vector extraSinks configuration described in this document. Fluentd is no longer used for log collection in APC 1.0.

Architecture

Vector continues forwarding logs to Elasticsearch for the Airflow UI while also sending copies to S3.

The logs forwarded to S3 are Airflow task logs and deployment logs, not APC platform logs from Houston, Commander, or Registry.

Prerequisites

  • An existing S3 bucket
  • AWS IAM credentials with S3 write access
  • APC 1.0 or later
1

Configure AWS IAM

Create IAM policy

Create an IAM policy with S3 write permissions:

1{
2  "Version": "2012-10-17",
3  "Statement": [
4    {
5      "Effect": "Allow",
6      "Action": [
7        "s3:ListBucket"
8      ],
9      "Resource": "arn:aws:s3:::your-logs-bucket"
10    },
11    {
12      "Effect": "Allow",
13      "Action": [
14        "s3:PutObject",
15        "s3:GetObject"
16      ],
17      "Resource": "arn:aws:s3:::your-logs-bucket/*"
18    }
19  ]
20}

For more information on S3 permissions, see Amazon S3 actions.

Provide credentials to Vector

IRSA (Recommended)
EC2 instance profile
Static credentials

For EKS clusters, use IAM Roles for Service Accounts (IRSA) to securely provide AWS credentials:

  1. Create an IAM role with the S3 policy attached
  2. Configure the trust relationship for the Vector service account:
1{
2  "Version": "2012-10-17",
3  "Statement": [
4    {
5      "Effect": "Allow",
6      "Principal": {
7        "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
8      },
9      "Action": "sts:AssumeRoleWithWebIdentity",
10      "Condition": {
11        "StringEquals": {
12          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:astronomer:astronomer-vector"
13        }
14      }
15    }
16  ]
17}
  1. Annotate the Vector service account in your values.yaml:
1vector:
2  serviceAccount:
3    annotations:
4      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/vector-s3-role
2

Configure Vector S3 sink

Add the S3 sink to your values.yaml:

1vector:
2  extraSinks:
3    s3_logs:
4      type: aws_s3
5      inputs:
6        - transform_remove_fields
7      bucket: "your-logs-bucket"
8      region: "us-east-1"
9      key_prefix: "airflow-logs/{{ "{{ namespace }}" }}/{{ "{{ release }}" }}/%Y/%m/%d/"
10      compression: gzip
11      encoding:
12        codec: json
13      batch:
14        max_bytes: 10485760
15        timeout_secs: 300
16      request:
17        retry_attempts: 5

Configuration options

For a full list of available options, see the Vector aws_s3 sink configuration reference.

OptionDescriptionExample
bucketS3 bucket namemy-logs-bucket
regionAWS regionus-east-1
key_prefixS3 object key prefix with templatinglogs/%Y/%m/%d/
compressionCompression algorithmgzip, zstd, none
encoding.codecOutput formatjson, text, ndjson
batch.max_bytesMax batch size before flush10485760 (10MB)
batch.timeout_secsMax time before flush300 (5 minutes)

Key prefix templating

Use template variables in key_prefix:

VariableDescription
{{ "{{ namespace }}" }}Kubernetes namespace
{{ "{{ release }}" }}Deployment release name
%Y, %m, %dDate components
%H, %M, %STime components

Example: airflow-logs/{{ "{{ namespace }}" }}/%Y/%m/%d/%H/

3

Apply configuration

Push the configuration to your APC installation. For detailed instructions, see Apply a config change.

$helm upgrade astronomer astronomer/astronomer \
>  -f values.yaml \
>  --namespace astronomer

Verify Vector pods restart with the new configuration:

$kubectl rollout status daemonset/astronomer-vector -n astronomer
4

Verify log delivery

Check Vector logs

$kubectl logs -n astronomer -l app=vector --tail=100 | grep -i s3

List S3 objects

$aws s3 ls s3://your-logs-bucket/airflow-logs/ --recursive | head -20

Read a log file

$aws s3 cp s3://your-logs-bucket/airflow-logs/path/to/file.json.gz - | gunzip | head -5

Advanced configuration

Partition by deployment

Organize logs by deployment namespace:

1vector:
2  extraSinks:
3    s3_logs:
4      type: aws_s3
5      inputs:
6        - transform_remove_fields
7      bucket: "your-logs-bucket"
8      key_prefix: "deployments/{{ "{{ namespace }}" }}/{{ "{{ pod }}" }}/%Y/%m/%d/"
9      # ... rest of config

Multiple destinations

Forward to both S3 and another system:

1vector:
2  extraSinks:
3    s3_archive:
4      type: aws_s3
5      inputs:
6        - transform_remove_fields
7      bucket: "archive-bucket"
8      # ... config
9
10    splunk_realtime:
11      type: splunk_hec
12      inputs:
13        - transform_remove_fields
14      endpoint: "https://splunk.example.com:8088"
15      token: "${SPLUNK_TOKEN}"

S3 lifecycle policies

Configure S3 lifecycle rules to manage log retention:

1{
2  "Rules": [
3    {
4      "ID": "ArchiveOldLogs",
5      "Status": "Enabled",
6      "Filter": {
7        "Prefix": "airflow-logs/"
8      },
9      "Transitions": [
10        {
11          "Days": 30,
12          "StorageClass": "STANDARD_IA"
13        },
14        {
15          "Days": 90,
16          "StorageClass": "GLACIER"
17        }
18      ],
19      "Expiration": {
20        "Days": 365
21      }
22    }
23  ]
24}

Apply via AWS CLI:

$aws s3api put-bucket-lifecycle-configuration \
>  --bucket your-logs-bucket \
>  --lifecycle-configuration file://lifecycle.json

Troubleshooting

Logs not appearing in S3

  1. Check Vector pod logs:

    $kubectl logs -n astronomer -l app=vector | grep -i error

  2. Verify AWS credentials:

    $kubectl exec -n astronomer -it ds/astronomer-vector -c vector -- \
    >  sh -c 'echo $AWS_ACCESS_KEY_ID'

  3. Inspect the logs for credential errors or permission issues.

    Look for lines containing CredentialsNotLoaded (no credentials found) or Invalid credentials (credentials rejected by AWS). For example:

    2026-04-16T18:27:48.827213Z ERROR vector::topology::builder: msg="Healthcheck failed." error=Invalid credentials component_kind="sink" component_type="aws_s3" component_id=s3_logs

    To see which credentials Vector loaded, look for lines matching aws_config::profile::credentials:

    2026-04-16T18:27:48.247566Z  INFO aws_config::profile::credentials: constructed abstract provider from config file chain=ProfileChain { base: AccessKey(Credentials { provider_name: "ProfileFile", access_key_id: "AKIA5WLLPVSPD7JDVSXF", secret_access_key: "** redacted **", expires_after: "never" }), chain: [] }

    These lines show the access key ID in use, which can help confirm whether the correct credentials are being picked up.

Permission denied errors

Verify your IAM policy includes both s3:PutObject and s3:ListBucket permissions. The bucket resource ARN should not include /* for ListBucket.

High latency

Adjust batch settings for faster delivery:

1vector:
2  extraSinks:
3    s3_logs:
4      batch:
5        max_bytes: 5242880    # 5MB
6        timeout_secs: 60      # 1 minute

Related documentation

  • Logs Configuration
  • Vector Documentation
  • AWS S3 Sink Reference