
# Updating an Apache Airflow™ cluster

After creating a cluster, you can edit its basic and advanced settings.

{% list tabs group=instructions %}

- Management console {#console}

    To change the cluster settings:

    1. Open the [folder dashboard](https://console.yandex.cloud).
    1. Navigate to **Managed Service for Apache Airflow™**.

    1. Select your cluster and click **Edit** in the top panel.

    1. Under **Basic parameters**, edit the cluster name and description, delete labels, or add new ones.

    1. Under **Access settings**, select a service account or [create a new one](../../iam/operations/sa/create.md#create-sa) with the `managed-airflow.integrationProvider` role. The cluster will thus get the permissions it needs to work with user resources. For more information, see [Impersonation](../concepts/impersonation.md).

        To update a service account in a Managed Service for Apache Airflow™ cluster, [assign](../../iam/operations/roles/grant.md) the [iam.serviceAccounts.user](../../iam/security/index.md#iam-serviceAccounts-user) role or higher to your Yandex Cloud account.

        {% note warning %}
        
        If the cluster already uses a service account to access objects from Object Storage, then changing it to a different service account may make these objects unavailable and interrupt the cluster operation. Before changing the service account settings, make sure that the cluster doesn't use the objects in question.
        
        {% endnote %}

    1. Under **Network settings**, select a [security group](../concepts/network.md#security-groups) for cluster network traffic or create a new group.

       Security group settings do not affect access to the [Apache Airflow™ web interface](af-interfaces.md#web-gui).

    1. In the settings sections of the Managed Service for Apache Airflow™ [components](../concepts/index.md#components), i.e., **Web server configuration**, **Scheduler configuration**, **Worker configuration**, and **DAG processor configuration**, specify the number of instances and the [computing resource configuration](../concepts/instance-types.md).

       {% note warning %}
              
       The _DAG processor_ component is available in Apache Airflow™ 3.0 or higher.
              
       {% endnote %}

    1. Under **Triggerer configuration**, enable or disable Triggerer. If it is enabled, specify the number of instances and resources.

    1. Under **Dependencies**, delete or add names of pip and deb packages.

    1. Under **DAG file storage**, select **Source type** and specify its parameters:
       * **S3**: Select an existing bucket or create a new one. This bucket will store DAG files.

          Make sure to [grant the `READ` permission](../../storage/operations/buckets/edit-acl.md) for this bucket to the cluster service account.

       * **Git**: Specify the repository address, working branch, path to the folder with DAG files, and the contents of the private SSH access key.

          The `RSA`, `DSA`, `ECDSA`, and `Ed25519` private keys in `PKCS#1`, `PKCS#8`, `OpenSSL`, and `OpenSSH` formats are supported.
          
          {% note warning %}
          
          * The repository address must allow connections via the SSH protocol.
          
          * The private key must not be password-protected.
          
          * To use a Git repository, [configure internet access through a NAT gateway](../../vpc/operations/create-nat-gateway.md) from the Managed Service for Apache Airflow™ cluster network. When configuring it, link a NAT gateway route table to all the cluster subnets.
          
          {% endnote %}

    1. Under **Advanced settings**:

        * Update the cluster [maintenance](../concepts/maintenance.md) time.
        * Enable or disable deletion protection.

    1. Under **Airflow configuration**:

        * Add, edit, or delete [Apache Airflow™ additional properties](https://airflow.apache.org/docs/apache-airflow/2.2.4/configurations-ref.html), e.g., the `api.maximum_page_limit` key with `150` for its value.

            Populate the fields manually or import a configuration from a file (see [sample configuration file](https://storage.yandexcloud.net/doc-files/managed-airflow/airflow.cfg)).

        * Enable or disable the **Use Lockbox Secret Backend** option allowing you to use secrets in [Yandex Lockbox](../../lockbox/concepts/index.md) to [store Apache Airflow™ configuration data, variables, and connection parameters](../concepts/impersonation.md#lockbox-integration).

            To extract the required information from the secret, the cluster service account must have the `lockbox.payloadViewer` [role](../../lockbox/security/index.md#lockbox-payloadViewer).
            
            You can assign this role either at the [folder level](../../iam/operations/roles/grant.md#cloud-or-folder) or [individual secret level](../../lockbox/operations/secret-access.md).

    1. Under **Logging**, enable or disable logging. If logging is enabled, specify the log group to write logs to and the minimum logging level. Logs generated by Apache Airflow™ components will be sent to Yandex Cloud Logging.

    1. Click **Save**.

- CLI {#cli}

    If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

    The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

    To change the cluster settings:

    1. View the description of the CLI command for updating a cluster:

        ```bash
        yc managed-airflow cluster update --help
        ```

    1. Provide the settings to update in the cluster update command:

        ```bash
        yc managed-airflow cluster update <cluster_name_or_ID> \
           --new-name <new_cluster_name> \
           --description <cluster_description> \
           --labels <label_list> \
           --service-account-id <service_account_ID> \
           --security-group-ids <security_group_IDs> \
           --webserver count=<number_of_instances>,`
                      `resource-preset-id=<resource_ID> \
           --scheduler count=<number_of_instances>,`
                      `resource-preset-id=<resource_ID> \
           --worker min-count=<minimum_number_of_instances>,`
                   `max-count=<maximum_number_of_instances>,`
                   `resource-preset-id=<resource_ID> \
           --triggerer count=<number_of_instances>,`
                      `resource-preset-id=<resource_ID> \
           --dag-processor count=<number_of_instances>,`
                      `resource-preset-id=<resource_ID> \
           --deb-packages <list_of_deb_packages> \
           --pip-packages <list_of_pip_packages> \
           --dags-bucket <bucket_name> \
           --gitsync repo=<repository_SSH_address>,`
                     `branch=<working_branch>,`
                     `subpath=<path_to_DAG_file_folder>,`
                     `ssh-key=<private_SSH_key>,`
                     `ssh-key-path=<path_to_private_SSH_key_file> \
           --maintenance-window type=<maintenance_type>,`
                                `day=<day_of_week>,`
                                `hour=<hour> \
           --deletion-protection \
           --lockbox-secrets-backend \
           --log-enabled \
           --log-folder-id <folder_ID> \
           --log-min-level <logging_level>
        ```

        Where:
        
        * `--new-name`: New cluster name.
        * `--description`: Cluster description.
        * `--labels`: List of labels. Provide labels in `<key>=<value>` format.
        * `--admin-password`: Admin user password. The password must be at least 8 characters long and contain at least:
        
            * One uppercase letter
            * One lowercase letter
            * One number
            * One special character
        
        * `--service-account-id`: Service account ID.

        * `--security-group-ids`: List of [security group](../concepts/network.md#security-groups) IDs.
        * `--webserver`, `--scheduler`, `--worker`, `--triggerer`, `--dag-processor`: Managed Service for Apache Airflow™ [component](../concepts/index.md#components) configuration:
        
            * `count`: Number of instances in the cluster for the web server, scheduler, DAG processor, and Triggerer.
            * `min-count`, `max-count`: Minimum and maximum number of instances in the cluster for the worker.
            * `resource-preset-id`: [ID of the computing resources](../concepts/instance-types.md) of the web server, scheduler, DAG processor, worker, and Triggerer. The possible values are:
        
                * `c1-m2`: 1 vCPU, 2 GB RAM
                * `c1-m4`: 1 vCPU, 4 GB RAM
                * `c2-m4`: 2 vCPUs, 4 GB RAM
                * `c2-m8`: 2 vCPUs, 8 GB RAM
                * `c4-m8`: 4 vCPUs, 8 GB RAM
                * `c4-m16`: 4 vCPUs, 16 GB RAM
                * `c8-m16`: 8 vCPUs, 16 GB RAM
                * `c8-m32`: 8 vCPUs, 32 GB RAM
        
            {% note warning %}
                   
            The _DAG processor_ component is available in Apache Airflow™ 3.0 or higher.
                   
            {% endnote %}
        
        * `--deb-packages`, `--pip-packages`: Lists of deb and pip packages enabling you to install additional libraries and applications in the cluster for running DAG files.
        
            You can set version restrictions for the installed packages, e.g.:
        
            ```bash
            --pip-packages "pandas==2.0.2,scikit-learn>=1.0.0,clickhouse-driver~=0.2.0"
            ```
        
            The package name format and version are defined by the install command: `pip install` for pip packages and `apt install` for deb packages.
        
        * DAG file source type and parameters:
        
            * `--dags-bucket`: Bucket name.
        
            * `--gitsync`: Git repo parameters:
        
              * `repo`: Repository address.
              * `branch`: Working branch.
              * `subpath`: Path to the DAG file folder in the repository.
              * `ssh-key`: Private SSH repository access key as a single string with `\n` as the new line characters.
              * `ssh-key-path`: Path to the file with the private SSH repository access key.
        
                Specify either `ssh-key` or `ssh-key-path`.
        
              The `RSA`, `DSA`, `ECDSA`, and `Ed25519` private keys in `PKCS#1`, `PKCS#8`, `OpenSSL`, and `OpenSSH` formats are supported.
              
              {% note warning %}
              
              * The repository address must allow connections via the SSH protocol.
              
              * The private key must not be password-protected.
              
              * To use a Git repository, [configure internet access through a NAT gateway](../../vpc/operations/create-nat-gateway.md) from the Managed Service for Apache Airflow™ cluster network. When configuring it, link a NAT gateway route table to all the cluster subnets.
              
              {% endnote %}
        
            Specify either `--dags-bucket` or `--gitsync`.
        
        * `--maintenance-window`: [Maintenance window](../concepts/maintenance.md) settings (including for stopped clusters), where `type` is the maintenance type:
        
            * `anytime`: Any time (default).
            * `weekly`: On a schedule. For this value, also specify the following:
                * `day`: Day of week, i.e., `MON`, `TUE`, `WED`, `THU`, `FRI`, `SAT`, or `SUN`.
                * `hour`: Sequence number of UTC hour interval, from `1` to `24`.
            
                  > For example, `1` stands for the interval from `00:00` to `01:00`, and `5`, from `04:00` to `05:00`.
        
        * `--deletion-protection`: Enables cluster protection against accidental deletion.
        
            Even if it is enabled, one can still connect to the cluster manually and delete it.
        
        * `--lockbox-secrets-backend`: Enables using secrets in [Yandex Lockbox](../../lockbox/concepts/index.md) to [store Apache Airflow™ configuration data, variables, and connection parameters](../concepts/impersonation.md#lockbox-integration).
        * `--airflow-config`: [Apache Airflow™](https://airflow.apache.org/docs/apache-airflow/2.2.4/configurations-ref.html) additional properties. Provide them in `<configuration_section>.<key>=<value>` format, such as the following:
        
            ```bash
            --airflow-config core.load_examples=False
            ```
        
        * Logging parameters:
        
            * `--log-enabled`: Enables logging. Logs generated by Apache Airflow™ components will be sent to Yandex Cloud Logging.
            * `--log-folder-id`: Folder ID. Logs will be written to the default [log group](../../logging/concepts/log-group.md) for this folder.
            * `--log-group-id`: Custom log group ID. Logs will be written to this group.
        
                Specify one of the two parameters: `--log-folder-id` or `--log-group-id`.
        
            * `--log-min-level`: Minimum logging level. Possible values: `TRACE`, `DEBUG`, `INFO` (default), `WARN`, `ERROR`, and `FATAL`.

        You can get the cluster ID and name with the [list of clusters in the folder](cluster-list.md#list-clusters).

- Terraform {#tf}

    To change the cluster settings:

    1. Open the current Terraform configuration file with the infrastructure plan.

        To learn how to create this file, refer to [Creating a cluster](cluster-create.md).

    1. To change cluster settings, change the required field values in the configuration file.

        {% note alert %}

        Do not change the cluster name and password using Terraform. This will delete the existing cluster and create a new one.

        {% endnote %}

        Here is an example of the configuration file:
        
        ```hcl
        resource "yandex_airflow_cluster" "<cluster_name>" {
          name        = "<cluster_name>"
          description = "<cluster_description>"
        
          labels = { <label_list> }
        
          admin_password     = "<admin_password>"
          service_account_id = "<service_account_ID>"
          subnet_ids         = ["<list_of_subnet_IDs>"]
          security_group_ids = ["<list_of_security_group_IDs>"]
        
          webserver = {
            count              = <number_of_instances>
            resource_preset_id = "<resource_ID>"
          }
        
          scheduler = {
            count              = <number_of_instances>
            resource_preset_id = "<resource_ID>"
          }
        
          worker = {
            min_count          = <minimum_number_of_instances>
            max_count          = <maximum_number_of_instances>
            resource_preset_id = "<resource_ID>"
          }
        
          triggerer = {
            count              = <number_of_instances>
            resource_preset_id = "<resource_ID>"
          }
          dag_processor = {
            count              = <number_of_instances>
            resource_preset_id = "<resource_ID>"
          }
        
          pip_packages = ["<list_of_pip_packages>"]
          deb_packages = ["<list_of_deb_packages>"]
        
          code_sync = {
            s3 = {
              bucket = "<bucket_name>"
            }
          }
        
          maintenance_window = {
            type = "<maintenance_type>"
            day  = "<day_of_week>"
            hour = <hour>
          }
        
          deletion_protection = <deletion_protection>
        
          lockbox_secrets_backend = {
            enabled = <usage_of_secrets>
          }
        
          airflow_config = {
            <configuration_section> = {
              <key> = "<value>"
            }
          }
        
          logging = {
            enabled   = <use_of_logging>
            folder_id = "<folder_ID>"
            min_level = "<logging_level>"
          }
        }
        
        resource "yandex_vpc_network" "<network_name>" { name = "<network_name>" }
        
        resource "yandex_vpc_subnet" "<subnet_name>" {
          name           = "<subnet_name>"
          zone           = "<availability_zone>"
          network_id     = "<network_ID>"
          v4_cidr_blocks = ["<range>"]
        }
        ```
        
        Where:
        
        * `name`: Cluster name.
        * `description`: Cluster description.
        * `labels`: List of labels. Provide labels in `<key> = "<value>"` format.
        * `admin_password`: Admin user password. The password must be at least 8 characters long and contain at least:
        
            * One uppercase letter
            * One lowercase letter
            * One number
            * One special character
        
        * `service_account_id`: Service account ID.

        * `subnet_ids`: List of subnet IDs.

            {% note info %}

            Once a cluster is created, you cannot change its subnets.

            {% endnote %}

        * `security_group_ids`: List of [security group](../concepts/network.md#security-groups) IDs.
        * `webserver`, `scheduler`, `worker`, `triggerer`, `dag_processor`: Managed Service for Apache Airflow™ [component](../concepts/index.md#components) configuration:
        
            * `count`: Number of instances in the cluster for the web server, scheduler, DAG processor, and Triggerer.
            * `min_count`, `max_count`: Minimum and maximum number of instances in the cluster for the worker.
            * `resource_preset_id`: ID of the computing resources of the web server, scheduler, DAG processor, worker, and Triggerer. The possible values are:
        
                * `c1-m2`: 1 vCPU, 2 GB RAM
                * `c1-m4`: 1 vCPU, 4 GB RAM
                * `c2-m4`: 2 vCPUs, 4 GB RAM
                * `c2-m8`: 2 vCPUs, 8 GB RAM
                * `c4-m8`: 4 vCPUs, 8 GB RAM
                * `c4-m16`: 4 vCPUs, 16 GB RAM
                * `c8-m16`: 8 vCPUs, 16 GB RAM
                * `c8-m32`: 8 vCPUs, 32 GB RAM
            
            {% note warning %}
                   
            The _DAG processor_ component is available in Apache Airflow™ 3.0 or higher.
                   
            {% endnote %}
        
        * `deb_packages`, `pip_packages`: Lists of deb and pip packages enabling you to install additional libraries and applications in the cluster for running DAG files.
        
            You can set version restrictions for the installed packages, e.g.:
        
            ```hcl
            pip_packages = ["pandas==2.0.2","scikit-learn>=1.0.0","clickhouse-driver~=0.2.0"]
            ```
        
            The package name format and version are defined by the install command: `pip install` for pip packages and `apt install` for deb packages.
        
        * `code_sync`: DAG file source type and parameters.
        
          * `s3.bucket`: Bucket name.
        
          * `git_sync`: Git repo parameters:
        
            * `repo`: Repository address.
            * `branch`: Working branch.
            * `sub_path`: Path to the DAG file folder in the repository.
            * `ssh_key`: Private SSH repository access key as a single string with `\n` as the new line characters.
        
            The `RSA`, `DSA`, `ECDSA`, and `Ed25519` private keys in `PKCS#1`, `PKCS#8`, `OpenSSL`, and `OpenSSH` formats are supported.
            
            {% note warning %}
            
            * The repository address must allow connections via the SSH protocol.
            
            * The private key must not be password-protected.
            
            * To use a Git repository, [configure internet access through a NAT gateway](../../vpc/operations/create-nat-gateway.md) from the Managed Service for Apache Airflow™ cluster network. When configuring it, link a NAT gateway route table to all the cluster subnets.
            
            {% endnote %}
        
          Specify either `s3` or `git_sync`.
        
        * `maintenance_window`: [Maintenance window](../concepts/maintenance.md) settings, including for stopped clusters:
        
            * `type`: Maintenance type. The possible values include:
                * `ANYTIME`: Any time.
                * `WEEKLY`: On schedule.
            * `day`: Day of week for the `WEEKLY` type, i.e., `MON`, `TUE`, `WED`, `THU`, `FRI`, `SAT`, or `SUN`.
            * `hour`: Time of day (UTC) for the `WEEKLY` type, from `1` to `24`.
        
        * `deletion_protection`: Enables cluster protection against accidental deletion. The possible values are `true` or `false`.
        
            Even if it is enabled, one can still connect to the cluster manually and delete it.
        
        * `lockbox_secrets_backend.enabled`: Enables using secrets in [Yandex Lockbox](../../lockbox/concepts/index.md) to [store Apache Airflow™ configuration data, variables, and connection parameters](../concepts/impersonation.md#lockbox-integration). The possible values are `true` or `false`.
        * `airflow_config`: [Apache Airflow™](https://airflow.apache.org/docs/apache-airflow/2.2.4/configurations-ref.html) additional properties, e.g., `core` for configuration section, `load_examples` for key, and `False` for value.
        * `logging`: Logging parameters:
        
            * `enabled`: Enables logging. Logs generated by Apache Airflow™ components will be sent to Yandex Cloud Logging. The possible values are `true` or `false`.
            * `folder_id`: Folder ID. Logs will be written to the default [log group](../../logging/concepts/log-group.md) for this folder.
            * `log_group_id`: Custom log group ID. Logs will be written to this group.
        
              Specify one of the two parameters: `folder_id` or `log_group_id`.
        
            * `min_level`: Minimum logging level. Possible values: `TRACE`, `DEBUG`, `INFO` (default), `WARN`, `ERROR`, and `FATAL`.

    1. Make sure the settings are correct.

        1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
        1. Run this command:
        
           ```bash
           terraform validate
           ```
        
           Terraform will show any errors found in your configuration files.

    1. Confirm resource changes.

        1. Run this command to view the planned changes:
        
           ```bash
           terraform plan
           ```
        
           If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
        
        1. If everything looks correct, apply the changes:
           1. Run this command:
        
              ```bash
              terraform apply
              ```
        
           1. Confirm updating the resources.
           1. Wait for the operation to complete.

    For more information, see [this Terraform provider guide](../../terraform/resources/airflow_cluster.md).

- REST API {#api}

    To change the cluster settings:

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Create a file named `body.json` and paste the following code into it:

        ```json
        {
          "updateMask": "<list_of_parameters_to_update>",
          "name": "<cluster_name>",
          "description": "<cluster_description>",
          "labels": { <label_list> },
          "configSpec": {
            "airflow": {
              "config": { <list_of_properties> }
            },
            "webserver": {
              "count": "<number_of_instances>",
              "resources": {
                "resourcePresetId": "<resource_ID>"
              }
            },
            "scheduler": {
              "count": "<number_of_instances>",
              "resources": {
                "resourcePresetId": "<resource_ID>"
              }
            },
            "triggerer": {
              "count": "<number_of_instances>",
              "resources": {
                "resourcePresetId": "<resource_ID>"
              }
            },
            "worker": {
              "minCount": "<minimum_number_of_instances>",
              "maxCount": "<maximum_number_of_instances>",
              "resources": {
                "resourcePresetId": "<resource_ID>"
              }
            },
            "dependencies": {
              "pipPackages": [ <list_of_pip_packages> ],
              "debPackages": [ <list_of_deb_packages> ]
            },
            "lockbox": {
              "enabled": <usage_of_secrets>
            },
            "dagProcessor": {
              "count": "<number_of_instances>",
              "resources": {
                "resourcePresetId": "<resource_ID>"
              }
            }
          },
          "codeSync": {
            "s3": {
              "bucket": "<bucket_name>"
            },
            "gitSync": {
              "repo": "<repository_SSH_address>",
              "branch": "<working_branch>",
              "subPath": "<path_to_DAG_file_folder>",
              "sshKey": "<private_SSH_key>"
            }
          },
          "networkSpec": {
            "securityGroupIds": [ <list_of_security_group_IDs> ]
          },
          "maintenanceWindow": {
            "weeklyMaintenanceWindow": {
              "day": "<day_of_week>",
              "hour": "<hour>"
            }
          },
          "deletionProtection": <deletion_protection>,
          "serviceAccountId": "<service_account_ID>",
          "logging": {
            "enabled": <use_of_logging>,
            "minLevel": "<logging_level>",
            "folderId": "<folder_ID>"
          }
        }
        ```

        Where:

        * `updateMask`: Comma-separated string of settings you want to update.

            {% note warning %}

            When you update a cluster, all parameters of the object you are changing that have not been explicitly provided in the request will take their defaults. To avoid this, list the settings you want to change in the `updateMask` parameter.

            {% endnote %}

        * `name`: Cluster name.
        * `description`: Cluster description.
        * `labels`: List of labels provided in `"<key>": "<value>"` format.
        * `configSpec`: Cluster configuration:

            * `airflow.config`: [Advanced Apache Airflow™ properties](https://airflow.apache.org/docs/apache-airflow/2.2.4/configurations-ref.html) provided in `"<configuration_section>.<key>": "<value>"` format, e.g.:

                ```json
                "airflow": {
                  "config": {
                    "core.load_examples": "False"
                  }
                }
                ```

            * `webserver`, `scheduler`, `triggerer`, `worker`, `dagProcessor`: Managed Service for Apache Airflow™ [component](../concepts/index.md#components) configuration:

                * `count`: Number of instances in the cluster for the web server, scheduler, DAG processor, and Triggerer.
                * `minCount`, `maxCount`: Minimum and maximum number of instances in the cluster for the worker.
                * `resources.resourcePresetId`: ID of the computing resources of the web server, scheduler, DAG processor, worker, and Triggerer. The possible values are:

                    * `c1-m2`: 1 vCPU, 2 GB RAM
                    * `c1-m4`: 1 vCPU, 4 GB RAM
                    * `c2-m4`: 2 vCPUs, 4 GB RAM
                    * `c2-m8`: 2 vCPUs, 8 GB RAM
                    * `c4-m8`: 4 vCPUs, 8 GB RAM
                    * `c4-m16`: 4 vCPUs, 16 GB RAM
                    * `c8-m16`: 8 vCPUs, 16 GB RAM
                    * `c8-m32`: 8 vCPUs, 32 GB RAM

                {% note warning %}
                       
                The _DAG processor_ component is available in Apache Airflow™ 3.0 or higher.
                       
                {% endnote %}

            * `dependencies`: Lists of packages enabling you to install additional libraries and applications for running DAG files in the cluster:

                * `pipPackages`: List of pip packages.
                * `debPackages`: List of deb packages.

                You can set version restrictions for the installed packages, e.g.:

                ```json
                "dependencies": {
                  "pipPackages": [
                    "pandas==2.0.2",
                    "scikit-learn>=1.0.0",
                    "clickhouse-driver~=0.2.0"
                  ]
                }
                ```

                The package name format and version are defined by the install command: `pip install` for pip packages and `apt install` for deb packages.

            * `lockbox.enabled`: Enables using secrets in [Yandex Lockbox](../../lockbox/concepts/index.md) to [store Apache Airflow™ configuration data, variables, and connection parameters](../concepts/impersonation.md#lockbox-integration). The possible values are `true` or `false`.

        * `networkSpec.securityGroupIds`: List of [security group](../concepts/network.md#security-groups) IDs.

        * `codeSync`: DAG file source type and parameters.

            * `s3.bucket`: Bucket name.

            * `gitSync`: Git repo parameters:

              * `repo`: Repository address.
              * `branch`: Working branch.
              * `subPath`: Path to the DAG file folder in the repository.
              * `sshKey`: Private SSH repository access key as a single string with `\n` as the new line characters.

              The `RSA`, `DSA`, `ECDSA`, and `Ed25519` private keys in `PKCS#1`, `PKCS#8`, `OpenSSL`, and `OpenSSH` formats are supported.
              
              {% note warning %}
              
              * The repository address must allow connections via the SSH protocol.
              
              * The private key must not be password-protected.
              
              * To use a Git repository, [configure internet access through a NAT gateway](../../vpc/operations/create-nat-gateway.md) from the Managed Service for Apache Airflow™ cluster network. When configuring it, link a NAT gateway route table to all the cluster subnets.
              
              {% endnote %}

            Specify either `s3` or `gitSync`.

        * `maintenanceWindow`: [Maintenance window](../concepts/maintenance.md) settings (including for disabled clusters). In `maintenanceWindow`, provide one of the two parameters:
          
            * `anytime`: Maintenance can take place at any time.
            * `weeklyMaintenanceWindow`: Maintenance takes place once a week at the specified time:
          
              * `day`: Day of week in `DDD` format: `MON`, `TUE`, `WED`, `THU`, `FRI`, `SAT`, or `SUN`.
              * `hour`: Time of day (UTC) in `HH` format, from `1` to `24`.

        * `deletionProtection`: Enables cluster protection against accidental deletion. The possible values are `true` or `false`.

            Even with deletion protection on, one can still connect to the cluster manually and delete it.

        * `serviceAccountId`: ID of the service account with the `managed-airflow.integrationProvider` [role](../../iam/concepts/access-control/roles.md). The cluster will thus get the permissions it needs to work with user resources. For more information, see [Impersonation](../concepts/impersonation.md).

            To update a service account in a Managed Service for Apache Airflow™ cluster, [assign](../../iam/operations/roles/grant.md) the [iam.serviceAccounts.user](../../iam/security/index.md#iam-serviceAccounts-user) role or higher to your Yandex Cloud account.

            {% note warning %}
            
            If the cluster already uses a service account to access objects from Object Storage, then changing it to a different service account may make these objects unavailable and interrupt the cluster operation. Before changing the service account settings, make sure that the cluster doesn't use the objects in question.
            
            {% endnote %}

        * `logging`: Logging parameters:

            * `enabled`: Enables logging. Logs generated by Apache Airflow™ components will be sent to Yandex Cloud Logging. The possible values are `true` or `false`.
            * `minLevel`: Minimum logging level. The possible values are `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, and `FATAL`.
            * `folderId`: Folder ID. Logs will be written to the default [log group](../../logging/concepts/log-group.md) for this folder.
            * `logGroupId`: Custom log group ID. Logs will be written to this group.

                Specify either `folderId` or `logGroupId`.

    1. Call the [Cluster.Update](../api-ref/Cluster/update.md) method, e.g., via the following [cURL](https://curl.se/) request:

        ```bash
        curl \
            --request PATCH \
            --header "Authorization: Bearer $IAM_TOKEN" \
            --header "Content-Type: application/json" \
            --url 'https://airflow.api.cloud.yandex.net/managed-airflow/v1/clusters/<cluster_ID>' \
            --data '@body.json'
        ```

        You can request the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

    To change the cluster settings:

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
       
       ```bash
       cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
       ```
       
       Below, we assume that the repository contents reside in the `~/cloudapi/` directory.

    1. Create a file named `body.json` and paste the following code into it:

        ```json
        {
          "cluster_id": "<cluster_ID>",
          "update_mask": "<list_of_settings_to_update>",
          "name": "<cluster_name>",
          "description": "<cluster_description>",
          "labels": { <label_list> },
          "config_spec": {
            "airflow": {
              "config": { <list_of_properties> }
            },
            "webserver": {
              "count": "<number_of_instances>",
              "resources": {
                "resource_preset_id": "<resource_ID>"
              }
            },
            "scheduler": {
              "count": "<number_of_instances>",
              "resources": {
                "resource_preset_id": "<resource_ID>"
              }
            },
            "triggerer": {
              "count": "<number_of_instances>",
              "resources": {
                "resource_preset_id": "<resource_ID>"
              }
            },
            "worker": {
              "min_count": "<minimum_number_of_instances>",
              "max_count": "<maximum_number_of_instances>",
              "resources": {
                "resource_preset_id": "<resource_ID>"
              }
            },
            "dependencies": {
              "pip_packages": [ <list_of_pip_packages> ],
              "deb_packages": [ <list_of_deb_packages> ]
            },
            "lockbox": {
              "enabled": <usage_of_secrets>
            },
            "dag_processor": {
              "count": "<number_of_instances>",
              "resources": {
                "resource_preset_id": "<resource_ID>"
              }
            }
          },
          "code_sync": {
            "s3": {
              "bucket": "<bucket_name>"
            },
            "git_sync": {
              "repo": "<repository_SSH_address>",
              "branch": "<working_branch>",
              "sub_path": "<path_to_DAG_file_folder>",
              "ssh_key": "<private_SSH_key>"
            }
          },
          "network_spec": {
            "security_group_ids": [ <list_of_security_group_IDs> ]
          },
          "maintenance_window": {
            "weekly_maintenance_window": {
              "day": "<day_of_week>",
              "hour": "<hour>"
            }
          },
          "deletion_protection": <deletion_protection>,
          "service_account_id": "<service_account_ID>",
          "logging": {
            "enabled": <use_of_logging>,
            "min_level": "<logging_level>",
            "folder_id": "<folder_ID>"
          }
        }
        ```

        Where:

        * `cluster_id`: Cluster ID. You can get it with the [list of clusters in the folder](cluster-list.md#list-clusters).
        * `update_mask`: List of settings you want to update as an array of strings (`paths[]`).

            {% cut "Format for listing settings" %}

            ```json
            "update_mask": {
                "paths": [
                    "<setting_1>",
                    "<setting_2>",
                    ...
                    "<setting_N>"
                ]
            }
            ```

            {% endcut %}

            {% note warning %}

            When you update a cluster, all parameters of the object you are changing that have not been explicitly provided in the request will take their defaults. To avoid this, list the settings you want to change in the `update_mask` parameter.

            {% endnote %}

        * `name`: Cluster name.
        * `description`: Cluster description.
        * `labels`: List of labels provided in `"<key>": "<value>"` format.
        * `config_spec`: Cluster configuration:

            * `airflow.config`: [Advanced Apache Airflow™ properties](https://airflow.apache.org/docs/apache-airflow/2.2.4/configurations-ref.html) provided in `"<configuration_section>.<key>": "<value>"` format, e.g.:

                ```json
                "airflow": {
                  "config": {
                    "core.load_examples": "False"
                  }
                }
                ```

            * `webserver`, `scheduler`, `triggerer`, `worker`, `dag_processor`: Managed Service for Apache Airflow™ [component](../concepts/index.md#components) configuration:

                * `count`: Number of instances in the cluster for the web server, scheduler, DAG processor, and Triggerer.
                * `min_count`, `max_count`: Minimum and maximum number of instances in the cluster for the worker.
                * `resources.resource_preset_id`: ID of the computing resources of the web server, scheduler, DAG processor, worker, and Triggerer. The possible values are:

                    * `c1-m2`: 1 vCPU, 2 GB RAM
                    * `c1-m4`: 1 vCPU, 4 GB RAM
                    * `c2-m4`: 2 vCPUs, 4 GB RAM
                    * `c2-m8`: 2 vCPUs, 8 GB RAM
                    * `c4-m8`: 4 vCPUs, 8 GB RAM
                    * `c4-m16`: 4 vCPUs, 16 GB RAM
                    * `c8-m16`: 8 vCPUs, 16 GB RAM
                    * `c8-m32`: 8 vCPUs, 32 GB RAM

                {% note warning %}
                       
                The _DAG processor_ component is available in Apache Airflow™ 3.0 or higher.
                       
                {% endnote %}

            * `dependencies`: Lists of packages enabling you to install additional libraries and applications for running DAG files in the cluster:

                * `pip_packages`: List of pip packages.
                * `deb_packages`: List of deb packages.

                You can set version restrictions for the installed packages, e.g.:

                ```json
                "dependencies": {
                  "pip_packages": [
                    "pandas==2.0.2",
                    "scikit-learn>=1.0.0",
                    "clickhouse-driver~=0.2.0"
                  ]
                }
                ```

                The format of the package name and version is defined by the install command: `pip install` for pip packages and `apt install` for deb packages.

            * `lockbox.enabled`: Enables using secrets in [Yandex Lockbox](../../lockbox/concepts/index.md) to [store Apache Airflow™ configuration data, variables, and connection parameters](../concepts/impersonation.md#lockbox-integration). The possible values are `true` or `false`.

        * `network_spec.security_group_ids`: List of [security group](../concepts/network.md#security-groups) IDs.

        * `code_sync`: DAG file source type and parameters.

            * `s3.bucket`: Bucket name.

            * `git_sync`: Git repo parameters:

              * `repo`: Repository address.
              * `branch`: Working branch.
              * `sub_path`: Path to the DAG file folder in the repository.
              * `ssh_key`: Private SSH key for accessing the repository, provided as a single line with line breaks written as `\n`.

              The `RSA`, `DSA`, `ECDSA`, and `Ed25519` private keys in `PKCS#1`, `PKCS#8`, `OpenSSL`, and `OpenSSH` formats are supported.
              
              {% note warning %}
              
              * The repository address must allow connections via the SSH protocol.
              
              * The private key must not be password-protected.
              
              * To use a Git repository, [configure internet access through a NAT gateway](../../vpc/operations/create-nat-gateway.md) from the Managed Service for Apache Airflow™ cluster network. When configuring it, link a NAT gateway route table to all the cluster subnets.
              
              {% endnote %}

            Specify either `s3` or `git_sync`.

        * `maintenance_window`: [Maintenance window](../concepts/maintenance.md) settings (including for disabled clusters). In `maintenance_window`, provide one of the two parameters:
          
            * `anytime`: Maintenance can take place at any time.
            * `weekly_maintenance_window`: Maintenance takes place once a week at the specified time:
          
              * `day`: Day of week in `DDD` format: `MON`, `TUE`, `WED`, `THU`, `FRI`, `SAT`, or `SUN`.
              * `hour`: Time of day (UTC) in `HH` format, from `1` to `24`.

        * `deletion_protection`: Enables cluster protection against accidental deletion. The possible values are `true` or `false`.

            Even with deletion protection on, one can still connect to the cluster manually and delete it.

        * `service_account_id`: ID of the service account with the `managed-airflow.integrationProvider` [role](../../iam/concepts/access-control/roles.md). The cluster will thus get the permissions it needs to work with user resources. For more information, see [Impersonation](../concepts/impersonation.md).

            To update a service account in a Managed Service for Apache Airflow™ cluster, [assign](../../iam/operations/roles/grant.md) the [iam.serviceAccounts.user](../../iam/security/index.md#iam-serviceAccounts-user) role or higher to your Yandex Cloud account.

            {% note warning %}
            
            If the cluster already uses a service account to access objects from Object Storage, then changing it to a different service account may make these objects unavailable and interrupt the cluster operation. Before changing the service account settings, make sure that the cluster doesn't use the objects in question.
            
            {% endnote %}

        * `logging`: Logging parameters:

            * `enabled`: Enables logging. Logs generated by Apache Airflow™ components will be sent to Yandex Cloud Logging. The possible values are `true` or `false`.
            * `min_level`: Minimum logging level. The possible values are `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, and `FATAL`.
            * `folder_id`: Folder ID. Logs will be written to the default [log group](../../logging/concepts/log-group.md) for this folder.
            * `log_group_id`: Custom log group ID. Logs will be written to this group.

                Specify either `folder_id` or `log_group_id`.

    1. Call the [ClusterService.Update](../api-ref/grpc/Cluster/update.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

        ```bash
        grpcurl \
            -format json \
            -import-path ~/cloudapi/ \
            -import-path ~/cloudapi/third_party/googleapis/ \
            -proto ~/cloudapi/yandex/cloud/airflow/v1/cluster_service.proto \
            -rpc-header "Authorization: Bearer $IAM_TOKEN" \
            -d @ \
            airflow.api.cloud.yandex.net:443 \
            yandex.cloud.airflow.v1.ClusterService.Update \
            < body.json
        ```

    1. Check the [server response](../api-ref/grpc/Cluster/create.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}
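
The following script is an added example, not part of the Yandex Cloud documentation or tooling. It builds a gRPC `body.json` that changes only the `code_sync.git_sync` settings: it rejects a password-protected key before anything is sent, and derives `update_mask.paths` from the fields actually provided so that no other setting is reset to its default. The function names, the sample repository address, and the dotted path syntax used for `paths` (the protobuf field mask convention) are assumptions.

```python
import base64
import json
import struct

MAGIC = b"openssh-key-v1\x00"  # start of a decoded OpenSSH private key blob


def is_passphrase_protected(pem: str) -> bool:
    """True if a PKCS#1/OpenSSL, PKCS#8 or OpenSSH private key is encrypted."""
    if "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem:
        return True
    if "BEGIN OPENSSH PRIVATE KEY" not in pem:
        return False
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(b64)
    if not blob.startswith(MAGIC):
        raise ValueError("malformed OpenSSH private key")
    (n,) = struct.unpack_from(">I", blob, len(MAGIC))  # cipher name length
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"


def leaf_paths(obj: dict, prefix: str = "") -> list:
    """Dotted path of every leaf field (assumed update_mask path syntax)."""
    out = []
    for key, val in obj.items():
        nested = isinstance(val, dict)
        out += leaf_paths(val, f"{prefix}{key}.") if nested else [prefix + key]
    return out


def git_sync_update(cluster_id, repo, branch, sub_path, pem) -> dict:
    """gRPC Update body that changes only the code_sync.git_sync fields."""
    if "PRIVATE KEY-----" not in pem or is_passphrase_protected(pem):
        raise ValueError("an unprotected PEM private key is required")
    changes = {"code_sync": {"git_sync": {
        "repo": repo, "branch": branch, "sub_path": sub_path, "ssh_key": pem}}}
    mask = {"paths": leaf_paths(changes)}  # fields not listed stay untouched
    return {"cluster_id": cluster_id, "update_mask": mask, **changes}


def render(body: dict) -> str:
    """Serialize for body.json; key line breaks become \\n escapes."""
    return json.dumps(body, indent=2)


def sample_key(cipher: bytes) -> str:
    """Constructed, unusable OpenSSH-style key: header fields only."""
    blob = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + blob.decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

Write the output of `render()` to `body.json` with owner-only permissions, since the file contains the private key, and delete it once the update request has been sent.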