Set up a Wiz connector

Capabilities
Gather Wiz credentials
Configure the Wiz connector

This connector is in beta. This means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve stability. Beta connectors are generally stable, but they may have limited feature support, incomplete error handling, or occasional issues.We recommend closely monitoring workflows that use this connector and contacting our Support team with any issues or feedback.

There are TWO Wiz connectors. The instructions below set up the Wiz IAM connector, which syncs users, roles, and projects from Wiz so that you can review and manage access.There is also a Wiz Insights connector that syncs security issues from Wiz as external insights, surfacing identity risk scores alongside access decisions in ConductorOne.

Capabilities

Resource	Sync	Provision
Accounts
Projects
Roles

Gather Wiz credentials

To configure the Wiz connector, you need administrator permissions in Wiz to create a service account with API access.

Create a new service account with the following scopes:

read:users - Syncs user accounts and role assignments
read:projects - Syncs project membership

Copy and save the Client ID and Client Secret securely.

Note your region-specific API endpoints:

API URL: Your Wiz GraphQL API endpoint (e.g., https://api.us17.app.wiz.io/graphql)
Auth endpoint: Your OAuth2 token endpoint (e.g., https://auth.app.wiz.io/oauth/token)

For more information, see Wiz documentation on service accounts.

Configure the Wiz connector

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

In ConductorOne, navigate to Integrations > Connectors and click Add connector.

Search for Wiz and click Add.

Choose how to set up the new Wiz connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that are not yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

Click Next.

Find the Settings area of the page and click Edit.

Enter the required configuration:

Wiz API URL (required): The Wiz GraphQL API endpoint for your region
Client ID (required): OAuth2 client ID from your Wiz service account
Client Secret (required): OAuth2 client secret from your Wiz service account
Auth Endpoint (required): OAuth2 token endpoint for authentication

Click Save.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Wiz connector is now pulling access data into ConductorOne.

Follow these instructions to use the Wiz connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Step 1: Set up a new Wiz connector

In ConductorOne, navigate to Integrations > Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new Wiz connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that are not yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Click Next.

In the Settings area of the page, click Edit.

Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. They are used in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Wiz connector deployment:

Secrets configuration

# baton-wiz-win-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-wiz-win-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>

  # Wiz credentials
  BATON_WIZ_API_URL: <Your Wiz GraphQL API endpoint>
  BATON_WIZ_CLIENT_ID: <Your Wiz OAuth2 client ID>
  BATON_WIZ_CLIENT_SECRET: <Your Wiz OAuth2 client secret>
  BATON_WIZ_AUTH_ENDPOINT: <Your Wiz OAuth2 token endpoint>

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-wiz-win.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-wiz-win
  labels:
    app: baton-wiz-win
spec:
  selector:
    matchLabels:
      app: baton-wiz-win
  template:
    metadata:
      labels:
        app: baton-wiz-win
        baton: true
        baton-app: wiz-win
    spec:
      containers:
      - name: baton-wiz-win
        image: ghcr.io/conductorone/baton-wiz-win:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-wiz-win
        envFrom:
        - secretRef:
            name: baton-wiz-win-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Wiz connector to. Wiz data should be found on the Entitlements and Accounts tabs.

That’s it! Your Wiz connector is now pulling access data into ConductorOne.

Set up Whimsical connector

Set up a Wiz Insights connector

⌘I

Welcome

Manage connectors

Deploy connectors

Upload connector data

Configurable connectors

Pre-built connectors

Set up a Wiz connector

Capabilities

Gather Wiz credentials

Configure the Wiz connector

Step 1: Set up a new Wiz connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector

Welcome

Manage connectors

Deploy connectors

Upload connector data

Configurable connectors

Pre-built connectors

​Capabilities

​Gather Wiz credentials

​Configure the Wiz connector

​Step 1: Set up a new Wiz connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration

​Deployment configuration

​Step 3: Deploy the connector

Capabilities

Gather Wiz credentials

Configure the Wiz connector

Step 1: Set up a new Wiz connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector