Cloud Platforms and Data Providers
Operations for listing, adding, and modifying cloud provider configurations
You can manage Veza integrations using the management API, authenticated as a Veza administrator.
providers/aws
See the AWS integration guide for detailed instructions on authorizing Veza for AWS account discovery. Each account has the properties listed under the POST request below. You can use the methods described below to view, create, modify, and delete AWS providers:
GET {{vezaURL}}/api/v1/providers/aws
Returns information about each registered AWS account, including the status and id.
POST {{vezaURL}}/api/v1/providers/aws
Register a new AWS account for discovery.
* indicates a required field.
name* (string): Name for the AWS account in Veza
account_id* (string): AWS account ID
regions* (array): Any valid AWS region (deprecated)
data_plane_id* (string): Insight Point ID to use for discovery
credentials_type* (string): Authorization method, one of STATIC, EC2_INSTANCE_PROFILE, or ASSUME_CUSTOMER_ROLE
access_key_id (string): For static (user) credentials, the user access key ID
secret_key (string): For static (user) credentials, the secret key
assume_role_name (string): For assume-role credentials, the role name
assume_role_external_id (string): For assume-role credentials, the role's trusted external ID
db_user* (string): Name of the local database user for RDS/Redshift extraction
services* (array): If non-empty, only the listed services are enabled (by default no filter is applied). Valid values:
  Redshift: REDSHIFT
  Redshift Cluster: REDSHIFT_CLUSTER
  S3: S3
  RDS PostgreSQL: RDS_POSTGRES
  RDS MySQL: RDS_MYSQL
  RDS Oracle: RDS_ORACLE
  RDS: RDS
  DynamoDB: DYNAMODB
  KMS: KMS
  EMR: EMR
  Organizations: ORGANIZATIONS
  EC2: EC2
  Identity Center: SSO
  Cognito: COGNITO
  Lambda: LAMBDA
  Secrets Manager: SECRETS_MANAGER
  ECR: ECR
  EKS: EKS
  Databricks: AWS_DATABRICKS
redshift_database_allow_list (array): List of Redshift DB ARNs to explicitly allow
redshift_database_deny_list (array): List of Redshift DB ARNs to ignore
rds_database_allow_list (array): List of RDS DB names to explicitly allow
rds_database_deny_list (array): List of RDS DB names to ignore
s3_bucket_allow_list (array): List of S3 bucket names to allow
s3_bucket_deny_list (array): List of S3 bucket names to ignore
GET {{vezaURL}}/api/v1/providers/aws/{id}
Returns configuration and status for the specified AWS provider.
* indicates a required field.
id* (string): The AWS provider configuration ID
DELETE {{vezaURL}}/api/v1/providers/aws/{id}
Note that deleting the provider will remove all entities under the AWS account from Veza.
* indicates a required field.
id* (string): ID of the AWS account to remove
PATCH {{vezaURL}}/api/v1/providers/aws/{id}
Update an existing AWS provider configuration. You can provide field mask paths to update only specific properties.
* indicates a required field.
id* (string): The AWS provider ID
update_mask.paths (array[string]): The set of field mask paths
account_id (string)
credentials_type (enum)
access_key_id (string)
secret_key (string)
assume_role_name (string)
assume_role_external_id (string)
regions (array)
db_user (string)
services (array)
data_plane_id* (string)
Two additional requests provide details about the AWS IAM policies for the integration:
GET {{vezaURL}}/api/v1/providers/aws:trustpolicy?assume_role_external_id={{string}}
When adding AWS accounts using the ASSUME_CUSTOMER_ROLE credentials type, use this request to generate the required trust policy (in addition to the required AWS permissions obtained with Check Policy). The external ID is the condition AWS evaluates to prevent the confused-deputy problem, so the value must match between the role's trust policy and the assume_role_external_id in the provider configuration.
* indicates a required field.
assume_role_external_id* (string): The external ID to include in the trust policy
GET {{vezaURL}}/api/v1/providers/aws/{{id}}:checkpolicy
Validates the current policy granting Veza AWS IAM permissions, and returns whether an update is required.
* indicates a required field.
id* (string): The AWS provider configuration ID
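The request shapes above, worked through as an added example in Python (this is not Veza's own client code): it validates a POST providers/aws body against the credentials_type rules and the services enum, derives update_mask.paths for a PATCH that rotates only the static keys, and builds the :trustpolicy and :checkpolicy requests. The nested {"update_mask": {"paths": [...]}} JSON shape, bearer-token authentication, and every sample value are assumptions; the requests are built but not sent.

```python
# Added example (not Veza's own client). Assumes the field names and enums on
# this page, update_mask sent as {"update_mask": {"paths": [...]}} (inferred
# from the dotted parameter name), and bearer-token authentication.
import json
import urllib.parse
import urllib.request
from typing import Optional

AWS_SERVICES = {
    "REDSHIFT", "REDSHIFT_CLUSTER", "S3", "RDS_POSTGRES", "RDS_MYSQL", "RDS_ORACLE",
    "RDS", "DYNAMODB", "KMS", "EMR", "ORGANIZATIONS", "EC2", "SSO", "COGNITO",
    "LAMBDA", "SECRETS_MANAGER", "ECR", "EKS", "AWS_DATABRICKS",
}
# Fields each credentials_type needs in addition to the common required ones.
CREDENTIAL_FIELDS = {
    "STATIC": ("access_key_id", "secret_key"),
    "ASSUME_CUSTOMER_ROLE": ("assume_role_name", "assume_role_external_id"),
    "EC2_INSTANCE_PROFILE": (),
}
# regions* is marked required but deprecated above, so it is not enforced here.
COMMON_REQUIRED = ("name", "account_id", "data_plane_id", "credentials_type",
                   "db_user", "services")


def validate_aws_config(cfg: dict) -> list:
    """Return the problems in a POST providers/aws body; [] means it is valid."""
    problems = [f"missing required field {f!r}" for f in COMMON_REQUIRED if f not in cfg]
    ctype = cfg.get("credentials_type")
    if ctype not in CREDENTIAL_FIELDS:
        problems.append(f"credentials_type must be one of {sorted(CREDENTIAL_FIELDS)}")
    else:
        problems += [f"{ctype} requires {f!r}" for f in CREDENTIAL_FIELDS[ctype] if not cfg.get(f)]
    unknown = set(cfg.get("services", [])) - AWS_SERVICES
    if unknown:
        problems.append(f"unknown services: {sorted(unknown)}")
    # A name in both the allow and the deny list is a configuration mistake.
    for prefix in ("redshift_database", "rds_database", "s3_bucket"):
        both = set(cfg.get(f"{prefix}_allow_list", [])) & set(cfg.get(f"{prefix}_deny_list", []))
        if both:
            problems.append(f"{prefix} in both allow and deny list: {sorted(both)}")
    return problems


def patch_body(**changes) -> dict:
    """PATCH body holding only the changed fields plus a matching update_mask."""
    if not changes:
        raise ValueError("nothing to update")
    body = dict(changes)
    body["update_mask"] = {"paths": sorted(changes)}
    return body


def build_request(method: str, url: str, token: str,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Assemble the HTTP request; hand it to urllib.request.urlopen to send it."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=data, method=method, headers=headers)


def rotate_static_keys(veza_url, token, provider_id, key_id, secret):
    """Replace only the static credentials of an existing AWS provider."""
    return build_request("PATCH", f"{veza_url}/api/v1/providers/aws/{provider_id}",
                         token, patch_body(access_key_id=key_id, secret_key=secret))


def trust_policy_request(veza_url, token, external_id):
    """Fetch the trust policy to attach to the role Veza will assume."""
    query = urllib.parse.urlencode({"assume_role_external_id": external_id})
    return build_request("GET", f"{veza_url}/api/v1/providers/aws:trustpolicy?{query}", token)


def check_policy_request(veza_url, token, provider_id):
    """Ask Veza whether the role's permission policy needs an update."""
    return build_request("GET", f"{veza_url}/api/v1/providers/aws/{provider_id}:checkpolicy", token)


# Constructed sample body: a role-based integration limited to three services.
SAMPLE_ROLE_CONFIG = {
    "name": "prod-payments",
    "account_id": "123456789012",
    "regions": ["us-east-1"],
    "data_plane_id": "00000000-0000-0000-0000-000000000000",
    "credentials_type": "ASSUME_CUSTOMER_ROLE",
    "assume_role_name": "VezaDiscoveryRole",
    "assume_role_external_id": "replace-with-a-random-external-id",
    "db_user": "veza_reader",
    "services": ["S3", "KMS", "SECRETS_MANAGER"],
    "s3_bucket_deny_list": ["scratch-bucket"],
}

if __name__ == "__main__":
    print(validate_aws_config(SAMPLE_ROLE_CONFIG))  # [] for a valid body
    req = rotate_static_keys("https://veza.example.com", "TOKEN", "provider-id",
                             "NEWKEYID", "NEWSECRET")
    print(req.get_method(), req.full_url, req.data.decode())
```

Because rotate_static_keys puts only access_key_id and secret_key in the mask, the provider's services and allow/deny lists are left untouched by the PATCH. The same patch_body helper applies to the azure, snowflake and trino PATCH endpoints, which document the same update_mask.paths parameter.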
providers/azure
GET {{vezaURL}}/api/v1/providers/azure
Get the configuration and status for all configured Azure tenants.
POST {{vezaURL}}/api/v1/providers/azure
Register a new Azure tenant for discovery.
* indicates a required field.
name* (string): Name to display for the Azure tenant
tenant_id* (string): The Azure tenant ID
client_id* (string): Client ID used to connect
client_secret* (string): The client secret
data_plane_id* (string): ID of the Insight Point used to connect (if applicable)
auth_certificate (string): Certificate for app-only SharePoint access
auth_certificate_password (string): Certificate password (if applicable)
services (array): List of services to enable (e.g. SQLSERVER, SHAREPOINT, AZUREVM)
gather_personal_sites (boolean): Whether to gather personal SharePoint sites
gather_guest_users (boolean): Whether to parse identity metadata for Azure AD guest users
gather_disabled_users (boolean): Whether to include disabled users
domains (array): List of domains to discover; any other domains are ignored
sql_server_database_allow_list (array): List of SQL DB names to allow
sql_server_database_deny_list (array): List of SQL DB names to deny
sql_server_schema_allow_list (array): List of SQL schema names to allow
sql_server_schema_deny_list (array): List of SQL schema names to deny
GET {{vezaURL}}/api/v1/providers/azure/{id}
Return an existing provider configuration by ID.
* indicates a required field.
id* (string): The Azure provider configuration ID
DELETE {{vezaURL}}/api/v1/providers/azure/{id}
Delete the provider configuration and its discovered entities.
* indicates a required field.
id* (string): The Azure provider configuration ID
PATCH {{vezaURL}}/api/v1/providers/azure/{id}
Update an existing provider configuration with new properties.
* indicates a required field.
id* (string): The Azure provider configuration ID
update_mask.paths (array[string]): The set of field mask paths
tenant_id (string)
client_id (string)
client_secret (string)
auth_certificate (string)
auth_certificate_password (string)
providers/google_cloud
Each Google Cloud provider configuration has the properties listed under the POST request below; the current values can be obtained with a GET request to the providers/google_cloud endpoint.
GET {{vezaURL}}/api/v1/providers/google_cloud
Get the configuration and status for all configured Google Cloud providers.
POST {{vezaURL}}/api/v1/providers/google_cloud
Register a new Google Cloud and Workspace provider for discovery.
* indicates a required field.
name* (string): Friendly name for the Google Cloud connection
credentials_json* (string): Credentials in JSON format
data_plane_id* (string): Insight Point to use to connect
workspace_email* (string): Email of the GCP Workspace user to assume
customer_id* (string): Google Workspace customer ID
project_allow_list (array): List of names of any projects to allow for discovery
project_deny_list (array): List of names of any projects to ignore
domain_allow_list (array): List of domains to explicitly allow
domain_deny_list (array): List of domains to ignore
services (array): If specified, only the listed services will be discovered (such as KEYMANAGEMENT, IAM, STORAGE, WORKSPACE, COMPUTE)
dataset_allow_list (array): List of BigQuery dataset names to allow
dataset_deny_list (array): List of BigQuery dataset names to ignore during parsing
GET {{vezaURL}}/api/v1/providers/google_cloud/{id}
Return an existing Google Cloud provider configuration by ID.
DELETE {{vezaURL}}/api/v1/providers/google_cloud/{id}
Delete the Google Cloud provider configuration by ID.
PATCH {{vezaURL}}/api/v1/providers/google_cloud/{id}
Update an existing Google Cloud provider configuration by ID.
providers/snowflake
A Snowflake configuration has the parameters listed under the POST request below.
GET {{vezaURL}}/api/v1/providers/snowflake
Get the configuration and status for all configured Snowflake providers.
POST {{vezaURL}}/api/v1/providers/snowflake
Register a new Snowflake provider for discovery. To retrieve a valid Insight Point ID, navigate to Administration > Insight Point and find the id of the one you will use for the connection to Snowflake.
* indicates a required field.
name* (string): A name for the Snowflake configuration
account_locator* (string): The Snowflake account locator (e.g. xy12345)
region* (string): The AWS, GCP, or Azure region for the Snowflake account
cloud* (string): Cloud provider for the Snowflake account (valid values are AWS, Azure, or GCP)
user* (string): The username of the local Snowflake user to be used for discovery (e.g. veza_user)
password* (string): Password for the local user
role* (string): The role the local user will use to conduct queries (e.g. cai_role)
warehouse* (string): The default Snowflake warehouse (compute_wh), or the name of another warehouse Veza can use for extraction at runtime
data_plane_id* (string): Insight Point ID (GUID) to use for discovery
GET {{vezaURL}}/api/v1/providers/snowflake/{id}
Retrieve an existing Snowflake configuration by ID.
* indicates a required field.
id* (string): The Snowflake provider ID
DELETE {{vezaURL}}/api/v1/providers/snowflake/{id}
Delete a Snowflake provider configuration and its discovered entities.
* indicates a required field.
id* (string): The Snowflake provider ID
PATCH {{vezaURL}}/api/v1/providers/snowflake/{id}
Update an existing Snowflake provider configuration with new properties.
* indicates a required field.
id* (string): The Snowflake provider ID
update_mask.paths (array[string]): The set of field mask paths
providers/sqlserver
Each SQL Server configuration contains the properties returned by a GET request to providers/sqlserver. To register a new SQL Server for discovery, use the POST request.
GET {{vezaURL}}/api/v1/providers/sqlserver
POST {{vezaURL}}/api/v1/providers/sqlserver
GET {{vezaURL}}/api/v1/providers/sqlserver/{id}
DELETE {{vezaURL}}/api/v1/providers/sqlserver/{id}
PATCH {{vezaURL}}/api/v1/providers/sqlserver/{id}
providers/trino
Veza gathers metadata for Trino both by connecting as a local user and by reading the Trino access control file, which must be made available to Veza as an S3 object. Each Trino provider configuration has the structure shown under the POST request below.
GET {{vezaURL}}/api/v1/providers/trino
Get the configuration and status for all current Trino providers.
POST {{vezaURL}}/api/v1/providers/trino
Add a Trino provider by providing the host, local user credentials, and a path and authentication method for the Trino access control file stored in AWS S3.
* indicates a required field.
id* (string): Name for the provider
host* (string): The address of the Trino coordinator
port* (int): The port to use for the connection
username* (string): Trino local username
password* (string): Trino local user password
data_plane_id* (string): Insight Point ID
aws_s3_object_config* (object): Path and authorization details for the file-system access control S3 object
ssl_certificate (string): The SSL certificate configured for the Trino coordinator
GET {{vezaURL}}/api/v1/providers/trino/{id}
Retrieve an existing Trino provider configuration by ID.
* indicates a required field.
id* (string): The Trino provider ID
DELETE {{vezaURL}}/api/v1/providers/trino/{id}
Delete a Trino provider and its discovered entities.
* indicates a required field.
id* (string): The Trino provider ID
PATCH {{vezaURL}}/api/v1/providers/trino/{id}
Update an existing Trino configuration with new properties.
* indicates a required field.
id* (string): The Trino provider ID
update_mask.paths (array[string]): The set of field mask paths
Additional notes
POST providers/aws configures a new AWS account for discovery and extraction; see the AWS integration guide for additional details on the required fields. A configuration can optionally restrict the data sources and services to parse, using the services list and the allow and deny lists.
GET providers/aws:trustpolicy returns, for a given external ID, the IAM trust policy that should be attached to the role assumed for resource discovery.
An Azure configuration includes connection details and credentials, and may contain an optional auth certificate for app-only SharePoint access. A configuration can allow or deny individual data sources, or include only specific services. See the Azure integration guide for more details on integrating Veza with your Azure tenant, Active Directory, and SharePoint.
For more information about connecting to Google Cloud, see the Google Cloud integration guide.
See the Snowflake integration guide for more information about integrating Snowflake warehouses with Veza.
For more information about connecting to SQL Server, see the SQL Server integration guide.
For Trino, the default credentials_type STATIC uses an access key ID and secret key to read the Trino access control file in S3. If connecting to AWS using a role, change the type to ASSUME_CUSTOMER_ROLE and provide the corresponding assume-role parameters. See the Trino integration guide for more information about integrating your Trino resources with Veza.