Cloud Platforms and Data Providers
Operations for listing, adding, and modifying cloud provider configurations
You can manage Veza integrations using the management API and a Veza admin API key.
providers/aws
See Amazon Web Services for detailed instructions on authorizing Veza for AWS account discovery. Each account has the properties:
You can use the methods described below to view, create, modify, and delete AWS providers:
List AWS providers
GET
{{vezaURL}}/api/v1/providers/aws
Returns information about each registered AWS account, including the status and id.
* indicates a required field.
Push an AWS provider configuration
POST
{{vezaURL}}/api/v1/providers/aws
Configures a new AWS account for discovery and extraction. See Adding AWS Providers to Veza for additional details on the required fields.
A configuration can optionally set limits on the data sources and services to parse.
Request Body
Name | Type | Description |
---|---|---|
name* | string | Name for the AWS account in Veza |
account_id* | string | AWS account ID |
regions* | array | Any valid AWS region (deprecated) |
data_plane_id* | string | Insight Point ID to use for discovery |
credentials_type* | string | Authorization method, for example ASSUME_CUSTOMER_ROLE |
access_key_id | string | For static (user) credentials, provide the user access key id |
secret_key | string | For static (user) credentials, provide the secret key |
assume_role_name | string | For assume role credentials, the role name |
assume_role_external_id | string | For assume role credentials, the role's trusted external ID |
db_user* | string | Name of the local database user for RDS/Redshift extraction |
services* | array | If not empty (default), only the listed services will be enabled |
redshift_database_allow_list | array | string list of Redshift DB ARNs to explicitly allow |
redshift_database_deny_list | array | List of Redshift DB ARNs to ignore |
rds_database_allow_list | array | List of RDS DB names to explicitly allow |
rds_database_deny_list | array | List of RDS DB names to ignore |
s3_bucket_allow_list | array | String list of S3 bucket names to allow |
s3_bucket_deny_list | array | List of S3 bucket names to ignore |
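A pre-flight check for the request body above, as an added example that is not Veza's own code: it enforces the fields marked *, keeps role fields and static-key fields from being mixed, and flags names that appear in both an allow list and a deny list. The bearer-token header, the treatment of every type other than ASSUME_CUSTOMER_ROLE as static user credentials, and all sample values are assumptions.

```python
import json
import urllib.request

# Fields the request-body table marks with *.
REQUIRED = ("name", "account_id", "regions", "data_plane_id",
            "credentials_type", "db_user", "services")
KEY_FIELDS = ("access_key_id", "secret_key")
ROLE_FIELDS = ("assume_role_name", "assume_role_external_id")

# Constructed sample; every value is a placeholder.
SAMPLE = {
    "name": "prod-aws", "account_id": "123456789012", "regions": ["us-east-1"],
    "data_plane_id": "INSIGHT-POINT-ID", "credentials_type": "ASSUME_CUSTOMER_ROLE",
    "assume_role_name": "veza-discovery", "assume_role_external_id": "EXTERNAL-ID",
    "db_user": "veza", "services": [],
    "s3_bucket_allow_list": ["logs"], "s3_bucket_deny_list": ["scratch"],
}


def validate_aws_provider(cfg):
    """Return a list of problems; an empty list means the body is consistent."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in cfg]
    # Assumption: any type other than ASSUME_CUSTOMER_ROLE uses static user keys.
    role = cfg.get("credentials_type") == "ASSUME_CUSTOMER_ROLE"
    needed, stray = (ROLE_FIELDS, KEY_FIELDS) if role else (KEY_FIELDS, ROLE_FIELDS)
    problems += [f"{f} is required for this credentials_type" for f in needed if not cfg.get(f)]
    problems += [f"{f} does not belong to this credentials_type" for f in stray if cfg.get(f)]
    for kind in ("redshift_database", "rds_database", "s3_bucket"):
        both = set(cfg.get(f"{kind}_allow_list", [])) & set(cfg.get(f"{kind}_deny_list", []))
        problems += [f"{n} is in both {kind} lists" for n in sorted(both)]
    return problems


def redact(cfg):
    """Copy of the body that is safe to write to logs."""
    return {k: "***" if k == "secret_key" else v for k, v in cfg.items()}


def build_create_request(veza_url, api_key, cfg):
    """Validate cfg and return the POST request, without sending it."""
    problems = validate_aws_provider(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        f"{veza_url.rstrip('/')}/api/v1/providers/aws",
        data=json.dumps(cfg).encode(), method="POST",
        # Assumption: the admin API key is sent as a bearer token.
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
```

Pass the returned request to urllib.request.urlopen to send it, and log redact(cfg) rather than the raw body.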
Get AWS provider
GET
{{vezaURL}}/api/v1/providers/aws/{id}
Returns configuration and status for the specified AWS provider.
Path Parameters
Name | Type | Description |
---|---|---|
id* | string | The AWS provider configuration id |
Delete AWS provider
DELETE
{{vezaURL}}/api/v1/providers/aws/{id}
Note that deleting the provider will remove all entities under the AWS account from Veza.
Path Parameters
Name | Type | Description |
---|---|---|
id | string | ID of the AWS account to remove |
Update AWS provider
PATCH
{{vezaURL}}/api/v1/providers/aws/{id}
Update an AWS provider. You can provide field mask paths to update only specific properties.
Path Parameters
Name | Type | Description |
---|---|---|
id | string | The AWS provider ID |
Query Parameters
Name | Type | Description |
---|---|---|
update_mask.paths | array[string] | The set of field mask paths |
Request Body
Name | Type | Description |
---|---|---|
account_id | string | |
credentials_type | enum | |
access_key_id | string | |
secret_key | string | |
assume_role_name | string | |
assume_role_external_id | string | |
regions | array | |
db_user | string | |
services | array | |
data_plane_id* | string | |
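An added example (not from the Veza documentation) of scoping a PATCH with update_mask.paths so that a credential rotation touches only the fields it names. It assumes array[string] is sent as one repeated query parameter per path and that the API key is a bearer token; build_aws_patch and all values are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Body fields the page lists for PATCH /api/v1/providers/aws/{id}.
PATCHABLE = {"account_id", "credentials_type", "access_key_id", "secret_key",
             "assume_role_name", "assume_role_external_id", "regions",
             "db_user", "services"}


def build_aws_patch(veza_url, api_key, provider_id, data_plane_id, changes):
    """Return a PATCH request whose field mask covers exactly the changed fields."""
    if not changes:
        raise ValueError("nothing to update")
    unknown = sorted(set(changes) - PATCHABLE)
    if unknown:
        raise ValueError(f"not in the PATCH body table: {unknown}")
    # Assumption: array[string] is sent as one update_mask.paths pair per field.
    query = urllib.parse.urlencode([("update_mask.paths", f) for f in sorted(changes)])
    # Percent-encode the id so it cannot alter the request path.
    path = f"/api/v1/providers/aws/{urllib.parse.quote(provider_id, safe='')}"
    # data_plane_id is marked required in the body table, so it is always sent.
    body = dict(changes, data_plane_id=data_plane_id)
    return urllib.request.Request(
        f"{veza_url.rstrip('/')}{path}?{query}",
        data=json.dumps(body).encode(), method="PATCH",
        # Assumption: the admin API key is sent as a bearer token.
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})


# Constructed usage: rotate static keys only; all values are placeholders.
ROTATION = build_aws_patch("https://veza.example.com", "PLACEHOLDER-KEY",
                           "PROVIDER-ID", "INSIGHT-POINT-ID",
                           {"access_key_id": "NEW-KEY-ID", "secret_key": "NEW-SECRET"})
```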
Get and Check Trust Policies
Two additional requests provide details about the AWS IAM policies for the integration:
Get AWS Trust Policy for Assume Role External ID
GET
{{vezaURL}}/api/v1/providers/aws:trustpolicy?assume_role_external_id={{string}}
For a given external ID, returns the IAM policy that should be applied in AWS to the role assumed for resource discovery.
When adding AWS accounts using the ASSUME_CUSTOMER_ROLE credentials type, use this request to generate the required trust policy (in addition to the required AWS permissions obtained with Check Policy).
Query Parameters
Name | Type | Description |
---|---|---|
assume_role_external_id | string | External ID to include in the policy |
Check Policy
GET
{{vezaURL}}/api/v1/providers/aws/{{id}}:checkpolicy
Validates the current policy granting Veza AWS IAM permissions, and returns whether an update is required.
Path Parameters
Name | Type | Description |
---|---|---|
id* | string | AWS account id |
providers/azure
An Azure configuration includes connection details and credentials, and may contain an optional auth certificate for connecting to SharePoint Online. A configuration can allow or deny individual data sources, or only include specific services.
See Connecting to Azure for more details on integrating Veza with your Azure tenant, Active Directory, and SharePoint.
List Azure Providers
GET
{{vezaURL}}/api/v1/providers/azure
Get the configuration and status for all configured Azure tenants.
Create Azure Provider
POST
{{vezaURL}}/api/v1/providers/azure
Register a new Azure tenant for discovery.
Request Body
Name | Type | Description |
---|---|---|
name* | string | Name to display for the Azure tenant |
tenant_id* | string | The Azure tenant ID |
client_id* | string | Client ID used to connect |
client_secret* | string | The Client Secret |
data_plane_id* | string | ID of the Insight Point used to connect (if applicable) |
auth_certificate | string | Certificate for app-only SharePoint access |
auth_certificate_password | string | Certificate password (if applicable) |
services | array | String list of services to enable |
gather_personal_sites | boolean | Whether to gather personal SharePoint sites |
gather_guest_users | boolean | Whether to parse identity metadata for Azure AD Guest users |
gather_disabled_users | boolean | Whether to include disabled users |
domains | array | Comma-separated list of domains to discover, ignoring any others |
sql_server_database_allow_list | array | List of SQL DB names to allow |
sql_server_database_deny_list | array | List of SQL DB names to deny |
sql_server_schema_allow_list | array | List of SQL schema names to allow |
sql_server_schema_deny_list | array | List of SQL schema names to deny |
Get Azure Provider
GET
{{vezaURL}}/api/v1/providers/azure/{id}
Return an existing provider configuration by ID.
Path Parameters
Name | Type | Description |
---|---|---|
id* | string | The Azure provider configuration ID |
Delete Azure Provider
DELETE
{{vezaURL}}/api/v1/providers/azure/{id}
Delete the provider configuration and its discovered entities.
Path Parameters
Name | Type | Description |
---|---|---|
id* | string | The Azure provider configuration ID |
Update Azure Provider
PATCH
{{vezaURL}}/api/v1/providers/azure/{id}
Update an existing provider configuration with new properties.
Path Parameters
Name | Type | Description |
---|---|---|
{id}* | string | The Azure provider configuration ID |
Query Parameters
Name | Type | Description |
---|---|---|
update_mask.paths | array[string] | the set of field mask paths |
Request Body
Name | Type | Description |
---|---|---|
tenant_id | string | |
client_id | string | |
client_secret | string | |
auth_certificate | string | |
auth_certificate_password | string | |
providers/google_cloud
Each Google Cloud provider configuration has the following properties, which can be obtained with a GET request to the providers/google_cloud endpoint:
To register a new Google Cloud and Workspace for discovery, use:
For more information about connecting to Google Cloud, see the configuration guide.
List Google Cloud Providers
GET
baseurl/api/v1/providers/google_cloud
Request Body
Name | Type | Description |
---|---|---|
name* | string | Friendly name for the Google Cloud connection |
credentials_json* | string | |
data_plane_id* | string | Insight Point to use to connect |
workspace_email* | string | Email of the GCP workspace user to assume |
customer_id* | string | Google Workspace customer ID |
project_allow_list | array | List of names of any projects to allow for discovery |
project_deny_list | array | List of names of any projects to ignore |
domain_allow_list | array | List of names of domains to explicitly allow |
domain_deny_list | array | List of domains to ignore |
services | array | If specified, only the listed services will be discovered |
dataset_allow_list | array | List of BigQuery dataset names to allow |
dataset_deny_list | array | List of BigQuery dataset names to ignore during parsing. |
Add a Google Cloud Platform configuration
POST
baseurl/api/v1/providers/google_cloud
Add a Google Cloud Platform configuration
Request Body
Name | Type | Description |
---|---|---|
name* | string | Friendly name for the Google Cloud connection |
credentials_json* | string | |
data_plane_id* | string | Insight Point to use to connect |
workspace_email* | string | Email of the GCP workspace user to assume |
customer_id* | string | Google Workspace customer ID |
project_allow_list | array | List of names of any projects to allow for discovery |
project_deny_list | array | List of names of any projects to ignore |
domain_allow_list | array | List of names of domains to explicitly allow |
domain_deny_list | array | List of domains to ignore |
services | array | If specified, only the listed services will be discovered |
dataset_allow_list | array | List of BigQuery dataset names to allow |
dataset_deny_list | array | List of BigQuery dataset names to ignore during parsing. |
Get Google Cloud Platform configurations
GET
baseurl/api/v1/providers/google_cloud/{id}
Delete Google Cloud Platform configuration
DELETE
baseurl/api/v1/providers/google_cloud/{id}
Patch Google Cloud Platform Configuration
PATCH
baseurl/api/v1/providers/google_cloud
providers/snowflake
A Snowflake configuration has the following parameters:
See Connecting to Snowflake for more information about integrating Snowflake warehouses with Veza.
List Snowflake Providers
GET
{{vezaURL}}/api/v1/providers/snowflake
Get the configuration and status for all configured Snowflake providers.
Create Snowflake Provider
POST
{{vezaURL}}/api/v1/providers/snowflake
Register a new Snowflake provider for discovery.
To retrieve a valid insight point ID, navigate to Administration > Insight Point, and find the id of the one you will use for the connection to Snowflake.
Request Body
Name | Type | Description |
---|---|---|
name* | string | A name for the Snowflake configuration |
account_locator* | string | The Snowflake account locator |
region* | string | The AWS, GCP, or Azure region for the Snowflake account |
cloud* | string | Cloud provider for the Snowflake account |
user* | string | The username of the local Snowflake user to be used for discovery |
password* | string | Password for the local user |
role* | string | The role the local user will use to conduct queries |
warehouse* | string | The default Snowflake warehouse |
data_plane_id* | string | GUID to use for discovery |
Get Snowflake Provider
GET
{{vezaURL}}/api/v1/providers/snowflake/{id}
Retrieve an existing Snowflake configuration by ID.
Path Parameters
Name | Type | Description |
---|---|---|
id* | string | The Snowflake provider ID |
Delete Snowflake Provider
DELETE
{{vezaURL}}/api/v1/providers/snowflake/{id}
Delete a Snowflake provider configuration and its discovered entities.
Path Parameters
Name | Type | Description |
---|---|---|
id* | string | The Snowflake provider ID |
Update Snowflake Provider
PATCH
{{vezaURL}}/api/v1/providers/snowflake/{id}
Update an existing Snowflake provider configuration with new properties.
Path Parameters
Name | Type | Description |
---|---|---|
{id}* | string | The Snowflake provider ID |
Query Parameters
Name | Type | Description |
---|---|---|
update_mask.paths | array[string] | The set of field mask paths |
providers/sqlserver
Each SQL Server configuration contains the following properties, which can be obtained with a GET request to providers/sqlserver.
To register a new SQL Server for discovery, use:
For more information about connecting to SQL Server, see the configuration guide.
List SQL Server configurations
GET
baseurl/api/v1/providers/sqlserver
Create a new SQL Server configuration
POST
baseurl/api/v1/providers/sqlserver
Get SQL Server configurations
GET
baseurl/api/v1/providers/sqlserver/{id}
Delete SQL Server configuration
DELETE
baseurl/api/v1/providers/sqlserver/{id}
Patch SQL Server configuration
PATCH
baseurl/api/v1/providers/sqlserver/{id}
providers/trino
Veza gathers metadata for Trino both by connecting as a local user and by reading the Trino access control file, which must be made available to Veza as an S3 object. Each Trino provider configuration has the structure:
The default credentials_type "STATIC" uses an access key and secret ID to read the Trino access control file in S3. If connecting to AWS using a role, change the type to assume_customer_role and provide the role name, external ID, and AWS account ID.
See Connecting to Trino for more information about integrating your Trino resources with Veza.
List Trino Providers
GET
{{vezaURL}}/api/v1/providers/trino
Get the configuration and status for all current Trino providers.
Create Trino Provider
POST
{{vezaURL}}/api/v1/providers/trino
Add a Trino provider by providing the host, local user credentials, and a path and authentication method for the Trino access control file stored in AWS S3.
Request Body
Name | Type | Description |
---|---|---|
id* | string | Name for the provider |
host* | string | The address of the Trino Coordinator |
port* | int | The port to use for the connection |
username* | string | Trino local username |
password* | string | Trino local user password |
data_plane_id* | string | Insight Point ID |
aws_s3_object_config* | object | Contains path and authorization details for the file system access control S3 object |
ssl_certificate | string | |
Get Trino Provider
GET
{{vezaURL}}/api/v1/providers/trino/{id}
Retrieve an existing Trino provider configuration by ID.
Path Parameters
Name | Type | Description |
---|---|---|
id* | string | The Trino provider ID |
Delete Trino Provider
DELETE
{{vezaURL}}/api/v1/providers/trino/{id}
Delete a Trino provider and its discovered entities.
Path Parameters
Name | Type | Description |
---|---|---|
id | string | The Trino provider ID |
Update Trino Provider
PATCH
{{vezaURL}}/api/v1/providers/trino/{id}
Update an existing Trino configuration with new properties.
Path Parameters
Name | Type | Description |
---|---|---|
{id}* | string | The Trino provider ID |
Query Parameters
Name | Type | Description |
---|---|---|
update_mask.paths | array[string] | The set of field mask paths |