Set up an Argo CD connector

Capabilities

Resource	Sync	Provision
Accounts
Roles

The ArgoCD connector supports automatic account provisioning. When a new account is created by ConductorOne, the account’s password will be sent to a vault. This connector does not support account deprovisioning. You must deprovision accounts directly in ArgoCD.

Gather ArgoCD credentials

Configuring the connector requires you to pass in credentials generated in ArgoCD. Gather these credentials before you move on.

Create a Role with required permissions

The connector needs permissions to read and modify ArgoCD ConfigMaps. Create a Role that grants access to the following ConfigMaps:

argocd-rbac-cm: Contains RBAC policies and role grants (needs read and write access)
argocd-cm: Contains ArgoCD configuration including user accounts (needs write access for provisioning)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: baton-argo-cd
  namespace: argocd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "patch", "update"]

Required Permissions Explained:

get: Read individual ConfigMaps (required to read argocd-rbac-cm and argocd-cm)
list: List ConfigMaps in the namespace (required to discover and access the ConfigMaps)
patch: Partially update ConfigMaps (used to modify RBAC policies and user accounts)
update: Fully update ConfigMaps (used as an alternative to patch for modifying ConfigMaps)

Apply with:

kubectl apply -f role.yaml

Create a RoleBinding

Bind the Role to the ServiceAccount so the connector can use the permissions:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: baton-argo-cd
  namespace: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: baton-argo-cd
subjects:
  - kind: ServiceAccount
    name: baton-argo-cd
    namespace: argocd

Apply with:

kubectl apply -f rolebinding.yaml

Gather additional credentials

To set up the connector, you’ll need:

The username and password for your ArgoCD admin account, or for a dedicated service account you’ve set up. Make sure the account used to configure the connector has the relevant permissions:

To sync (read) users and roles: get and list permissions for users and roles
To provision (read-write) users and roles: get and list permissions for users and roles, plus create permission for users and update permission for user role assignments. The built-in admin role has these permissions, or you can create a custom role.

Your ArgoCD API URL, which is the URL you use to access the ArgoCD UI.

The kubeconfig path or file to connect to the cluster where ArgoCD is running.The connector should be deployed in the same Kubernetes cluster as ArgoCD (such as in the argocd namespace). This allows the connector to automatically use the in-cluster configuration from the pod’s service account. No kubeconfig file is needed in this case. If one is provided, it will take precedence over in-cluster.Find more information on setting up an in-cluster configuration in the connector repo.

That’s it! Next, move on to the connector configuration instructions.

Configure the ArgoCD connector

To complete this task, you’ll need:

The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of ArgoCD credentials generated by following the instructions above

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.This connector does not support cloud hosting.

Follow these instructions to use the ArgoCD connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Step 1: Set up a new ArgoCD connector

In ConductorOne, navigate to Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new ArgoCD connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed. If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

Click Next.

In the Settings area of the page, click Edit.

Click Rotate to generate a new Client ID and Secret. Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your ArgoCD connector deployment:

Secrets configuration

# baton-argo-cd-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-argo-cd-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>

  # ArgoCD specific credentials
  BATON_USERNAME: <ArgoCD account username>
  BATON_PASSWORD: <ArgoCD account password>
  BATON_API_URL: <ArgoCD tenant API URL>

  # Optional: Include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: true

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-argo-cd.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-argo-cd
  labels:
    app: baton-argo-cd
spec:
  selector:
    matchLabels:
      app: baton-argo-cd
  template:
    metadata:
      labels:
        app: baton-argo-cd
        baton: true
        baton-app: argo-cd
    spec:
      containers:
      - name: baton-argo-cd
        image: ghcr.io/conductorone/baton-argo-cd:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-argo-cd
        envFrom:
        - secretRef:
            name: baton-argo-cd-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the ArgoCD connector to. ArgoCD data should be found on the Entitlements and Accounts tabs.

That’s it! Your ArgoCD connector is now pulling access data into ConductorOne.

Welcome

Build connectors

Configure connectors

Deploy connectors

Upload connector data

Connector library

Set up an Argo CD connector

Capabilities

Gather ArgoCD credentials

Create a Role with required permissions

Create a RoleBinding

Gather additional credentials

Configure the ArgoCD connector

Step 1: Set up a new ArgoCD connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector

Welcome

Build connectors

Configure connectors

Deploy connectors

Upload connector data

Connector library

​Capabilities

​Gather ArgoCD credentials

​Create a Role with required permissions

​Create a RoleBinding

​Gather additional credentials

​Configure the ArgoCD connector

​Step 1: Set up a new ArgoCD connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration

​Deployment configuration

​Step 3: Deploy the connector

Capabilities

Gather ArgoCD credentials

Create a Role with required permissions

Create a RoleBinding

Gather additional credentials

Configure the ArgoCD connector

Step 1: Set up a new ArgoCD connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector