For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Astro Private Cloud overview
    • Astro Private Cloud features
      • Configure a secrets backend
      • Configure Kerberos database authentication
      • Third-party ingress controllers
      • Network configuration
      • Bring your own service accounts
      • Configure security contexts
      • Read-only root filesystem
      • TLS certificate management
        • Overview
        • Set up audit log shipping
        • Configuration reference
        • Log schema and operations

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • What gets audited
  • How it works
  • Supported sinks
  • Default state
  • Next steps
Security and complianceAPC audit logging

APC audit logging overview

Edit this page
Built with

Astro Private Cloud (APC) audit logging produces a structured, per-action record of administrative activity on the Astro Private Cloud control plane. Each event captures who performed the action, what was changed, and the outcome. Events are emitted as JSON by the APC API and APC Worker components and are shipped to one configured external sink by a Vector sidecar.

Use audit logging to support internal compliance programs, answer after-the-fact questions about control plane changes, and investigate security events.

APC audit logging is introduced in Astro Private Cloud 2.x.

What gets audited

APC audit logging emits an audit event for each successful or failed administrative action, including:

  • Workspace and Deployment lifecycle changes.
  • User, team, service account, and role binding changes.
  • Authentication events such as sign-in, sign-out, and password reset.
  • Cluster registration and cluster configuration changes.
  • Background worker operations that modify Deployments or cluster state.

Each event is a JSON object with stable field names. For the full event schema, the list of audited operations, and message formatting rules, see Audit log schema and operations.

How it works

APC audit logging uses a Vector sidecar that runs alongside the APC API and APC Worker Pods.

  1. The APC API writes structured JSON events to standard output as it normally does.
  2. A built-in log wrapper script tees the APC API’s output to a shared volume that the Vector sidecar reads.
  3. Vector parses each line, keeps only entries where audit == true, adds Kubernetes and platform metadata, normalizes the timestamp to @timestamp, and converts the level field to uppercase.
  4. Vector delivers the transformed event to the configured sink.

APC audit logging doesn’t depend on the sidecar. If the sidecar is disabled, the APC API continues to emit audit events to standard output.

Supported sinks

Each sink is supported on a specific Kubernetes platform for the Astro Private Cloud control plane. Cross-cloud configurations, such as shipping to AWS CloudWatch Logs from a GKE cluster, aren’t supported.

SinkSupported Kubernetes platformAuthentication options
AWS CloudWatch LogsAmazon EKSIAM Roles for Service Accounts (IRSA); static AWS credentials secret
GCP Cloud LoggingGoogle Kubernetes Engine (GKE)Workload Identity; GCP service account JSON key secret
ElasticsearchAmazon EKS, GKE, or AKSBasic auth or anonymous, each optionally with a custom CA

For this release, exactly one sink can be enabled per installation. Enabling more than one sink results in a Helm validation error. Enabling the sidecar without a sink also fails validation.

Default state

APC audit logging is disabled by default. The sidecar isn’t injected and no audit events are shipped to any external system until you enable it through Helm values.

Because APC audit logging always writes audit events to standard output, you can inspect recent events with kubectl logs on the APC API or APC Worker Pods even when the sidecar is disabled. Use the sidecar when you need durable, long-term retention in a sink that you can query.

Next steps

  • To enable audit log shipping, see Set up audit log shipping.
  • To review every Helm value that controls the sidecar and its sinks, see Audit logging configuration reference.
  • To understand the shape of each audit event and the full inventory of audited operations, see Audit log schema and operations.