For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
      • Create a Deployment
      • Execution mode
        • Overview
        • Shared responsibility model
        • Get started
        • Deploy Remote Execution project
        • Deploy a dbt project
        • Helm chart reference
      • Worker queues
      • Environment variables
      • Secrets backend
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Astronomer responsibilities
  • Orchestration plane
  • Agent software and support
  • Customer responsibilities
  • Kubernetes infrastructure
  • Agent deployment and operations
  • Secrets and credentials
  • Data storage
  • Dag code and sources
  • Logging and observability
  • Security
  • Related documentation
Manage DeploymentsRemote Execution

Remote Execution shared responsibility model

Edit this page
Built with

Remote Execution uses a decoupled architecture where Astronomer manages the orchestration plane and the customer manages the execution plane. This document defines the responsibilities for each party.

For the general Astro shared responsibility model, see Shared responsibility model.

Astronomer responsibilities

Astronomer is responsible for managing the orchestration plane and supporting the Remote Execution platform, including:

Orchestration plane

  • Operating and maintaining the Airflow scheduler, API server, web server, and metadata database in Astro’s cloud infrastructure.
  • Managing the Remote Execution API that coordinates task distribution between the orchestration plane and customer-managed agents, and performs task lifecycle management.
  • Monitoring agent heartbeats and automatically rerouting tasks to healthy agents when an agent becomes unavailable.
  • Providing the Astro UI and Astro API for Deployment management, agent registration, and token creation.
  • Securing authentication and authorization for all orchestration plane interfaces, including the Astro UI, API, and CLI.
  • Maintaining data encryption at rest and in transit for all orchestration plane components.

Agent software and support

  • Publishing and maintaining Remote Execution Agent images.
  • Publishing and maintaining the Remote Execution Agent Helm chart.
  • Providing Astronomer support for Remote Execution configuration and troubleshooting.

Customer responsibilities

The customer is responsible for managing the execution plane and the infrastructure that Remote Execution Agents run on, including:

Kubernetes infrastructure

  • Provisioning and maintaining Kubernetes clusters where agents run.
  • Managing cluster capacity, node pools, and autoscaling to support agent workloads.
  • Applying Kubernetes and node OS security patches and version upgrades.
  • Configuring network policies, firewalls, and access controls within the cluster.
  • Ensuring network connectivity from agent clusters to the Astro orchestration plane. See Allowlist Astro domains.

Agent deployment and operations

  • Installing and configuring Remote Execution Agents using the Helm chart.
  • Creating and managing agent tokens for authenticating agents to the orchestration plane.
  • Pulling agent images from the Astronomer registry and storing them in a private registry when required.
  • Building and maintaining custom agent images with additional Python packages and OS-level dependencies required by Dag code.
  • Upgrading agents to latest (recommended) or other supported versions within the maintenance window.
  • Monitoring agent Pod health and resource utilization in Kubernetes.

Secrets and credentials

  • Configuring a secrets backend (AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager, or HashiCorp Vault) for Airflow connections and variables.
  • Managing and rotating credentials stored in the secrets backend.
  • Configuring workload identity or service account permissions for agents to access the secrets backend.

Data storage

  • Configuring an XCom backend (AWS S3, Azure Blob Storage, or GCP Cloud Storage).
  • Provisioning and managing object storage buckets or containers used for XCom and logging.
  • Configuring IAM roles, managed identities, or service accounts for agent access to storage resources.
  • Managing storage lifecycle policies, encryption, and access controls.

Dag code and sources

  • Developing and maintaining Dag code with security and quality coding practices.
  • Configuring Dag sources (GitDagBundle or LocalDagBundle) for agent access to Dag code.
  • Managing Git repository authentication credentials for GitDagBundle configurations.
  • Building and deploying Remote Execution project images for both the orchestration and execution planes.

Logging and observability

  • Configuring task logging to preserve logs from agent Pods.
  • Provisioning and managing external logging platforms or object storage for log export.
  • It is recommended to enable Sentinel for agent health monitoring.
  • Optionally configuring OpenLineage for data lineage tracking.

Security

  • Managing user roles, permissions, and authentication assets (tokens, connections, environment variables).
  • Integrating with identity providers for secure SSO/MFA.
  • Managing customer-owned credentials.
  • Securing outbound network connections from agent clusters to the Astro orchestration plane.
  • Configuring private connectivity (AWS PrivateLink or Azure Private Link) when required.
  • Securing network communications between agents and data resources in the execution plane, including secrets backends, object storage, and data sources.
  • Managing IP allowlists and firewall rules for agent clusters.
  • Implementing and maintaining secure, high-quality data pipelines, including dependency and vulnerability management.

Related documentation

  • Shared responsibility model
  • Remote Execution overview
  • Security in Astro
  • Remote Execution Agent maintenance policy