Retrieve Argo Workflow Logs Programmatically with Hera and Kubectl

Use Hera's workflow_logs method with proper RBAC and consider external logging systems for scalable access to Argo workflow logs.

JR

2 minute read

Use Hera’s workflow_logs method with proper RBAC and consider external logging systems for scalable access to Argo workflow logs.

Actionable Workflow

  1. Check RBAC permissions for the service account used by Argo workflows:

    kubectl auth can-i get pods/logs -n <argo-namespace> --as=system:serviceaccount:<argo-namespace>:<service-account>

    If denied, update the service account’s role.

  2. Use Hera’s workflow_logs method in Python:

    from hera import Hera  
workflow = Hera(namespace="argo-workflows").workflow("workflow-name")  
logs = workflow.logs()  # Returns combined logs from all containers  
print(logs)

    Note: Requires Hera v0.12.0+ and proper service account permissions.

  3. Fallback to kubectl via subprocess if Hera’s method fails:

    import subprocess  
def get_workflow_logs(workflow_name, namespace):  
    cmd = ["kubectl", "logs", "-n", namespace, "wf", workflow_name, "--container", "main"]  
    return subprocess.check_output(cmd, text=True)

Policy Example: RBAC for Log Access

Bind a ClusterRole to the Argo service account to allow log access:

apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRoleBinding  
metadata:  
  name: argo-log-access  
subjects:  
- kind: ServiceAccount  
  name: argo-workflow  
  namespace: argo-workflows  
roleRef:  
  kind: ClusterRole  
  name: log-reader  
  apiGroup: rbac.authorization.k8s.io

Create the log-reader ClusterRole with permissions:

apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRole  
metadata:  
  name: log-reader  
rules:  
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list"]

Tooling

  • Loki + Promtail: Centralized logging with Argo integration.
    • Deploy Loki stack via Helm: 
      helm repo add grafana https://grafana.github.io/helm-charts  
helm install loki grafana/loki-stack --set=promtail.enabled=true
    • Query logs in Grafana using {namespace=argo-workflows, pod_name=~wf-*}.
  • FluentBit: Forward logs to cloud services (e.g., AWS CloudWatch).

Tradeoffs

  • Hera’s workflow_logs: Simple for small-scale use but may lack granularity (e.g., per-container logs).
  • kubectl subprocess: Reliable but bypasses Hera’s abstractions, increasing maintenance overhead.
  • External logging (Loki): Scalable but adds operational complexity.

Troubleshooting

  • “Forbidden” errors: Verify RBAC bindings with kubectl get rolebindings -n <argo-namespace>.
  • Empty logs: Check workflow phase (workflow.status.phase)—logs may not be available if workflow is still running.
  • Hera timeouts: Increase timeout in code: 
    logs = workflow.logs(timeout=300)  # 5-minute timeout
  • Incorrect container name: Use workflow.pods() to list pods and inspect container names.

If Hera’s workflow_logs consistently fails, prioritize fixing RBAC or adopt Loki for long-term reliability. For quick scripts, the kubectl subprocess method is a pragmatic fallback.

Source thread: At my wits end - how do I get logs from an Argo workflow?

comments powered by Disqus