Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

Export logs to a Secondary GCS Bucket

By forwarding Airflow task logs from your Astro Deployment to an additional, customer‑managed GCS bucket, you can keep redundant copies of your execution history, integrate with existing log‑processing pipelines, and satisfy compliance or retention requirements that extend beyond the built‑in Astro logs.

Prerequisites

  • Your Deployment must run Astro Runtime 11.7.0 or later. See Upgrade Astro Runtime.
  • Your image must include astronomer-providers-logging==1.6.4 or later. The secondary GCS logging feature was introduced in this version.
  • You need a GCP account where you can create a GCS bucket and IAM resources.
  • You need a role that grants the minimum required permissions listed below.

Minimum Required Permissions

For all authentication methods, the service account or identity needs the following minimum permissions on the GCS bucket:

  • storage.objects.list: To list matching log files
  • storage.objects.create: To create new log files
  • storage.objects.get: To read existing log files (for append operations)
  • storage.objects.update: To update existing log files

These permissions are included in the predefined roles/storage.objectUser role, or you can create a custom role with just these specific permissions.

Overview of configuration options

There are three methods to configure your Astro deployment to write logs to a secondary GCS bucket:

  1. Customer‑provided Workload Identity: Recommended if you already use this mechanism for other GCP services.
  2. Service Account Impersonation: Use this approach if you want to use an existing service account that is different from your Deployment’s workload identity.
  3. Astro-provided Workload Identity: Use this approach if you do not have an existing service account that your Deployment can impersonate.

The following environment variables are supported by this feature:

| Variable | Required | Example value |
| --- | --- | --- |
| AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_ENABLED | Yes | true |
| AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_BASE_LOG_FOLDER | Yes | gs://your-bucket-name/logs |
| AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_IMPERSONATION_CHAIN | No | target-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com |

Option 1: Customer‑Provided Workload Identity

This approach uses Google Cloud Workload Identity to allow your Astro deployment to authenticate with Google Cloud using its Kubernetes service account identity.

  1. Attach a service account to your Astro Deployment
  2. Set the following environment variables in the Deployment:

     AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_ENABLED=true
     AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_BASE_LOG_FOLDER="gs://your-bucket-name/logs"

Option 2: Service Account Impersonation

Use this approach if you want to use an existing service account that is different from your Deployment’s workload identity.

  1. Follow the steps to set up service account impersonation, which allows your Astro deployment to impersonate a service account with the necessary permissions.
  2. Set the following environment variables in the Deployment:

     AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_ENABLED=true
     AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_BASE_LOG_FOLDER="gs://your-bucket-name/logs"
     AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_IMPERSONATION_CHAIN="target-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com"

Option 3: Astro-provided Workload Identity

Use this approach if you do not have an existing service account that your deployment can impersonate.

  1. Follow instructions to grant an IAM role to your Deployment Workload Identity.
  2. Set the following environment variables in the Deployment:

     AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_ENABLED=true
     AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_BASE_LOG_FOLDER="gs://your-bucket-name/logs"

Troubleshooting

If you encounter issues with logging to the secondary GCS bucket:

  1. Check that the environment variables are correctly set in your Astro deployment
  2. Verify that your service account or Workload Identity has the necessary permissions
  3. For Workload Identity Federation, ensure the Kubernetes service account annotation is correctly configured
  4. For impersonation, check that the impersonation chain is correctly configured and the source identity has token creator permissions
  5. Check for any errors in your Airflow logs related to GCS authentication or permissions
  6. Test your authentication setup using the gcloud CLI or Google Cloud Console
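
A preflight check for troubleshooting steps 1, 2 and 4 and for the minimum permissions listed earlier, given here as an added example that is not Astronomer's code. The function name `preflight`, the two regular expressions, the comma-separated reading of the impersonation chain and the sample values are assumptions; `granted` is a permission list you collect yourself, for example from `Bucket.test_iam_permissions()` in google-cloud-storage.

```python
import re

# The four bucket permissions this page lists as the minimum.
REQUIRED_PERMISSIONS = frozenset({
    "storage.objects.list", "storage.objects.create",
    "storage.objects.get", "storage.objects.update",
})
PREFIX = "AIRFLOW__ASTRO_SECONDARY_LOGS__GCS_"
# Assumed, deliberately loose shapes; they reject unreplaced placeholders.
GS_URL = re.compile(r"^gs://[a-z0-9][a-z0-9._-]{1,220}[a-z0-9](/.*)?$")
SA_EMAIL = re.compile(r"^[a-z0-9-]+@[a-z0-9.-]+\.iam\.gserviceaccount\.com$")


def _value(env, name):
    """Read one variable, tolerating the quotes shown in the page's examples."""
    return env.get(PREFIX + name, "").strip().strip('"')


def preflight(env, granted=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if _value(env, "ENABLED").lower() != "true":
        findings.append("GCS_ENABLED is not set to true")
    if not GS_URL.match(_value(env, "BASE_LOG_FOLDER")):
        findings.append("GCS_BASE_LOG_FOLDER is not a gs://bucket/prefix URL")
    # Assumption: several impersonation targets would be comma-separated.
    for account in _value(env, "IMPERSONATION_CHAIN").split(","):
        if account.strip() and not SA_EMAIL.match(account.strip()):
            findings.append(f"impersonation target looks malformed: {account.strip()}")
    if granted is not None:
        for perm in sorted(REQUIRED_PERMISSIONS - set(granted)):
            findings.append(f"missing bucket permission: {perm}")
    return findings


# Constructed sample: placeholder project ID left in, two permissions missing.
SAMPLE_ENV = {
    PREFIX + "ENABLED": "true",
    PREFIX + "BASE_LOG_FOLDER": '"gs://your-bucket-name/logs"',
    PREFIX + "IMPERSONATION_CHAIN":
        "target-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com",
}
SAMPLE_GRANTED = ["storage.objects.list", "storage.objects.get"]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_ENV, SAMPLE_GRANTED):
        print("FINDING:", finding)
```

Pass `dict(os.environ)` as `env` to check a running Deployment's actual settings, and leave `granted` as `None` to skip the permission comparison.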

If issues persist, contact Astronomer Support with the Deployment ID and any relevant error output.