ConductorOne docs

Work with self-hosted connectors

Connectors can be hosted in your own infrastructure. Once a connector is deployed, upload its data to ConductorOne, either manually or automatically via an S3 bucket integrated with ConductorOne.

📋 Your deployment workflow

To deploy a self-hosted connector, follow this process:

  1. Create or obtain the authentication credentials for the application you’re connecting.

  2. Install the connector and run a sync to collect and format the application’s access data.

  3. Upload the data to ConductorOne using either a manual or automated method.

    Prefer to run your self-hosted Baton connector as a service in your environment? Follow the instructions in Host a Baton connector in service mode.

Step 1: Locate or generate connector credentials

  1. Navigate to the GitHub repo for the connector you’re using. Go to Baton connectors for links to the GitHub repos for all available connectors.

  2. In the Prerequisites section of the GitHub repo’s README file, find the list of credentials you’ll need to set up the Baton connector.

  3. Locate or create and save the necessary credentials. We’ll use them in Step 2.

    Need help locating the necessary credentials? See the Integrate your (application’s name) instance section of the corresponding ConductorOne-managed cloud connector.

Step 2: Install the connector and sync data

  1. Use the commands shown in the connector’s README file to install the connector, passing in the credentials generated in Step 1 as appropriate. Brew, Docker, and source command options are available.

Run baton-<APP> --help to see the list of flags to be used when passing your credentials to the connector.

Each installation method includes a resources command. This command runs the sync on the connector and stores the gathered data in a sync.c1z file.

Now that you’ve collected the connector data, you can choose to manually upload the data to ConductorOne or to sync the data to an S3 bucket integrated with ConductorOne. The next step walks through each option.

Step 3: Upload data to ConductorOne

You can upload your application’s data either manually or automatically. Follow the instructions below to set up your chosen method.

If you’d prefer to run your self-hosted Baton connector as a service in your environment, go to Host a Baton connector in service mode and skip to Step 3: Set up the Baton connector.

Option 1: Manually upload connector data

Manually uploading data to ConductorOne from a self-hosted connector is ideal for testing the data ingested from the connector before you automate the upload process, or for times when you only need a single data sync.

  1. In ConductorOne, navigate to an existing application you wish to add the connector data to, or create a new application.

    • To create a new application, follow the steps in Create custom applications.
    • To use an existing application, click Applications. On the Managed apps tab, select the application’s name from the list.
  2. On the application’s page, scroll down to the Connectors area of the page.

  3. Click Import app data and select From file.

  4. Click Choose file and select the sync.c1z file.

Once the upload is complete, ConductorOne adds the information pulled from the connector about accounts, groups, roles, resources, and grants (as relevant) to the application.

To update the information in ConductorOne, re-run the resources command and re-upload the file to ConductorOne using the process above.

Option 2: Automatically sync connector data to an S3 bucket

The most convenient option is to automate both running the sync and ingesting the data into ConductorOne. You can automatically pull connector data into an application by using an AWS S3 bucket as a data source.

Before you begin: Complete Steps 1-3 in Set up an external data source.

  1. In ConductorOne, navigate to an existing application you wish to add the connector data to, or create a new application.

    • To create a new application, follow the steps in Create custom applications.
    • To use an existing application, click Applications. On the Managed apps tab, select the application’s name from the list.
  2. On the application’s page, scroll down to the Connectors area of the page.

  3. Click Import app data and select From data source.

  4. Choose the data source you set up in Step 1 from the Choose a datasource dropdown.

  5. In the File name field, enter sync.c1z.

  6. Create a new file named sync.sh and make the file executable by running the following: chmod +x sync.sh.

  7. Copy and paste the code below into the sync.sh file, adapting it to suit the Baton connector you’re using. See the connector’s README file for more information. We’ve used the baton-okta connector as an example here:

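    #!/bin/bash
    # Stop at the first failing command
    set -e
    
    # Credentials for the application being synced (Okta in this example)
    export BATON_API_TOKEN=oktaAPIToken
    export BATON_DOMAIN=domain-1234.okta.com
    # AWS credentials and region used to write to the S3 bucket
    export AWS_ACCESS_KEY_ID="your AWS access key"
    export AWS_SECRET_ACCESS_KEY="your AWS secret access key"
    export AWS_REGION="us-west-2"
    # Upload target; the object name matches the File name entered in step 5
    export BATON_FILE="s3://my-bucket/sync.c1z"
    
    # Run the sync; the connector reads its settings from the variables above
    baton-okta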

    This script syncs data from the connector (in this case, Okta) and uploads it to your configured S3 bucket. Once the upload is complete, ConductorOne adds the information pulled from the connector about accounts, groups, roles, resources, and grants (as relevant) to the application.

You can run the script on demand, or set up a scheduler to run it periodically. The S3 bucket syncs with ConductorOne once an hour.
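
The sync.sh from step 7 keeps the Okta API token and the AWS secret key in the script itself, so anyone who can read the file can read both. The variant below is an added example, not ConductorOne's script: it loads the same variables from a separate env file and refuses to run unless that file is private. The `/etc/baton/okta.env` path, the `BATON_ENV_FILE` override, the `run` argument and the check that `BATON_FILE` is an `s3://` URL are assumptions of this example.

```shell
#!/bin/bash
# sync.sh variant: secrets live in a private env file, not in the script.
set -eu

# Assumed path; the file holds KEY=value lines for the variables listed below.
ENV_FILE="${BATON_ENV_FILE:-/etc/baton/okta.env}"
REQUIRED_VARS="BATON_API_TOKEN BATON_DOMAIN BATON_FILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION"

# Succeeds only for a regular file with mode 600 or 400 (no group/other access).
# Function bodies in ( ) run in a subshell, so their variables stay local.
env_file_is_private() (
    [ -f "$1" ] || exit 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || exit 1
    case "$mode" in
        600|400) exit 0 ;;
        *) exit 1 ;;
    esac
)

# Prints the required variables that are unset or empty; fails if there are any.
missing_vars() (
    missing=""
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    echo "${missing# }"
    [ -z "$missing" ]
)

# Loads the secrets inside a subshell so they never reach the calling shell.
run_sync() (
    env_file_is_private "$ENV_FILE" || { echo "refusing: $ENV_FILE must be mode 600 or 400" >&2; exit 1; }
    set -a; . "$ENV_FILE"; set +a    # export everything the file defines
    missing=$(missing_vars) || { echo "unset or empty: $missing" >&2; exit 1; }
    case "$BATON_FILE" in
        s3://*/*.c1z) ;;
        *) echo "BATON_FILE must be an s3:// URL ending in .c1z" >&2; exit 1 ;;
    esac
    baton-okta
)

# Sync only when invoked as `./sync.sh run`; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then run_sync; fi
```

Create the env file with `chmod 600` before the first run, and have the scheduler call `./sync.sh run` as the user that owns that file.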