ConductorOne Docs

Work with self-hosted Baton connectors

Open-source Baton connectors can be hosted in your own infrastructure. Once deployed, upload the connector's data, either manually or automatically via an S3 bucket integrated with ConductorOne.

📋 Your deployment workflow

To deploy a self-hosted connector, follow this process:

  1. Create or obtain the authentication credentials for the application you’re connecting.

  2. Install the connector and run a sync to collect and format the application’s access data.

  3. Upload the data to ConductorOne using either a manual or automated method.

    Prefer to run your self-hosted Baton connector as a service in your environment? Follow the instructions in Host a Baton connector in service mode.

Step 1: Locate or generate connector credentials

  1. Navigate to the GitHub repo for the Baton open-source connector you’re using. Go to Baton connectors for links to the GitHub repos for all available open-source connectors.

  2. In the Prerequisites section of the GitHub repo’s README file, find the list of credentials you’ll need to set up the Baton connector.

  3. Locate or create and save the necessary credentials. We’ll use them in Step 2.

    Need help locating the necessary credentials? See the Integrate your (application’s name) instance section of the corresponding ConductorOne-managed integration documentation.

Step 2: Install the connector and sync data

  1. Use the commands shown in the connector’s README file to install the connector, passing in the credentials generated in Step 1 as appropriate. Brew, Docker, and source command options are available.

Run baton-<APP> --help to see the list of flags to be used when passing your credentials to the connector.

Each installation method includes a resources command. This command runs the sync on the connector and stores the gathered data in a sync.c1z file.

Now that you’ve collected the connector data, you can choose to manually upload the data to ConductorOne or to sync the data to an S3 bucket integrated with ConductorOne.

Step 3: Upload data to ConductorOne

You can upload your application’s data either manually or automatically. Follow the instructions below to set up your chosen method.

If you’d prefer to run your self-hosted Baton connector as a service in your environment, go to Host a Baton connector in service mode and skip to Step 3: Set up the Baton integration.

Option 1: Manually upload connector data

Manually uploading data to ConductorOne from an open-source connector is ideal when testing data ingested from the connector before automating the data upload process, or for times when you only need a single data sync.

  1. In ConductorOne, navigate to an existing application you wish to add the connector data to, or create a new application.

    • To create a new application, follow the steps in Create a custom application.
    • To use an existing application, open Apps and click Applications and then select the application’s name from the list.
  2. On the application’s page, click the Data sources tab.

  3. Click Import app data and select From file.

  4. Click Choose file and select the sync.c1z file.

Once the upload is complete, ConductorOne adds the information pulled from the connector about accounts, groups, roles, resources, and grants (as relevant) to the application.

To update the information in ConductorOne, re-run the resources command and re-upload the file to ConductorOne using the process above.

Option 2: Automatically sync connector data to an S3 bucket

The most convenient option is to automate running the sync and ingesting the data into ConductorOne. You can automatically pull connector data into an application by using an AWS S3 bucket as a data source.

Before you begin: Complete Steps 1-3 in Integrate with an S3 bucket to set up your data storage location.

  1. In ConductorOne, navigate to an existing application you wish to add the connector data to, or create a new application.

    • To create a new application, follow the steps in Create a custom application.
    • To use an existing application, open Apps and click Applications, then select the application’s name from the list.
  2. On the application’s page, click the Data sources tab.

  3. Click Import app data and select From data source.

  4. Choose the data source you set up in Step 1 from the Choose a datasource dropdown.

  5. In the File name field, enter sync.c1z.

  6. Create a new file named sync.sh and make the file executable by running the following: chmod +x sync.sh.

  7. Copy and paste the code below into the sync.sh file, adapting it to suit the Baton connector you’re using. See the connector’s README file for more information. We’ve used the baton-okta connector as an example here:

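    #!/bin/bash
    # Stop at the first failing command.
    set -e
    
    # Credentials for the application being synced (Okta in this example).
    export BATON_API_TOKEN=oktaAPIToken
    export BATON_DOMAIN=domain-1234.okta.com
    # AWS credentials and region used to write to the S3 bucket.
    export AWS_ACCESS_KEY_ID="your AWS access key"
    export AWS_SECRET_ACCESS_KEY="your AWS secret access key"
    export AWS_REGION="us-west-2"
    # Destination object; the name matches the File name entered in step 5.
    export BATON_FILE="s3://my-bucket/sync.c1z"
    
    # Run the sync; the connector writes its output to BATON_FILE.
    baton-okta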
    

    This script syncs data from the connector (in this case, Okta) and uploads it to your configured S3 bucket. Once the upload is complete, ConductorOne adds the information pulled from the connector about accounts, groups, roles, resources, and grants (as relevant) to the application.

You can run the script on demand, or set up a scheduler to run it periodically. The S3 bucket syncs with ConductorOne once an hour.
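
A hardened variant of the sync.sh wrapper, as an added example (not ConductorOne's script): instead of hard-coding the Okta token and AWS keys in the script, it loads them from a separate env file and refuses to run if that file is accessible to group or others or if a required variable is missing. The env file path and the function names are assumptions for illustration; the variable names are the ones used in the script above.

```shell
#!/bin/sh
# Added example: hardened sync wrapper that keeps secrets out of the script.
set -eu

# Succeeds only if the file exists and grants no group/other permissions.
# The file is sourced later, so write access by others would mean code execution.
secrets_file_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only if every variable the connector and S3 upload need is non-empty.
required_vars_set() {
    for name in BATON_API_TOKEN BATON_DOMAIN BATON_FILE \
                AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || { echo "missing $name" >&2; return 1; }
    done
}

# Load KEY=value lines from the env file and run the connector.
# $1 = env file (hypothetical path), $2 = connector binary (default baton-okta).
run_sync() {
    env_file=$1
    connector=${2:-baton-okta}
    secrets_file_is_private "$env_file" || {
        echo "refusing to run: $env_file must exist with mode 600" >&2
        return 1
    }
    set -a            # export everything the env file defines
    . "$env_file"
    set +a
    required_vars_set || return 1
    "$connector"
}

# Run only when an env file path is given, e.g.: ./sync.sh /etc/baton/okta.env
if [ "$#" -ge 1 ]; then
    run_sync "$@"
fi
```

Create the env file with `chmod 600` under the account that runs the scheduler, and pass its absolute path as the first argument.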