Cloud Platforms and Data Providers
Operations for listing, adding, and modifying cloud provider configurations
You can manage Veza integrations using the management API and a Veza admin API key.
providers/aws
See Amazon Web Services for detailed instructions on authorizing Veza for AWS account discovery. Each account has the properties:
You can use the methods described below to view, create, modify, and delete AWS providers:
List AWS providers
GET
{{vezaURL}}/api/v1/providers/aws
Returns information about each registered AWS account, including the status and id.
* indicates a required field.
Push an AWS provider configuration
POST
{{vezaURL}}/api/v1/providers/aws
Configures a new AWS account for discovery and extraction. See Adding AWS Providers to Veza for additional details on the required fields.
A configuration can optionally set limits on the data sources and services to parse.
Request Body
name* (string): Name for the AWS account in Veza
account_id* (string): AWS account ID
regions* (array): Any valid AWS region (deprecated)
data_plane_id* (string): Insight Point ID to use for discovery
credentials_type* (string): Authorization method, one of STATIC, EC2_INSTANCE_PROFILE, ASSUME_CUSTOMER_ROLE
access_key_id (string): For static (user) credentials, provide the user access key id
secret_key (string): For static (user) credentials, provide the secret key
assume_role_name (string): For assume role credentials, the role name
assume_role_external_id (string): For assume role credentials, the role's trusted external ID
db_user* (string): Name of the local database user for RDS/Redshift extraction
services* (array): If not empty (default), only the listed services will be enabled
redshift_database_allow_list (array): String list of Redshift DB ARNs to explicitly allow
redshift_database_deny_list (array): List of Redshift DB ARNs to ignore
rds_database_allow_list (array): List of RDS DB names to explicitly allow
rds_database_deny_list (array): List of RDS DB names to ignore
s3_bucket_allow_list (array): String list of S3 bucket names to allow
s3_bucket_deny_list (array): List of S3 bucket names to ignore
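The request-body rules above can be checked before anything is sent. The following Python sketch is an added example, not Veza's code: it validates a body against the required fields and the fields each credentials_type needs, then builds (without sending) the POST. The bearer-token header, the stray-credential and allow/deny overlap checks, and all sample values are assumptions made for illustration.

```python
import json
import urllib.request

REQUIRED = ("name", "account_id", "regions", "data_plane_id",
            "credentials_type", "db_user", "services")
# Fields each credentials_type needs, per the request-body descriptions.
CRED_FIELDS = {
    "STATIC": ("access_key_id", "secret_key"),
    "EC2_INSTANCE_PROFILE": (),
    "ASSUME_CUSTOMER_ROLE": ("assume_role_name", "assume_role_external_id"),
}

def validate_aws_provider(cfg):
    """Return a list of problems; an empty list means the body is consistent."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in cfg]
    ctype = cfg.get("credentials_type")
    if ctype not in CRED_FIELDS:
        return problems + [f"unknown credentials_type: {ctype!r}"]
    for other, fields in CRED_FIELDS.items():
        for k in fields:
            if other == ctype and not cfg.get(k):
                problems.append(f"{ctype} requires {k}")
            elif other != ctype and cfg.get(k):  # added hygiene check
                problems.append(f"{k} is set but credentials_type is {ctype}")
    for p in ("redshift_database", "rds_database", "s3_bucket"):
        both = set(cfg.get(p + "_allow_list", [])) & set(cfg.get(p + "_deny_list", []))
        if both:  # added check: an entry in both lists is ambiguous
            problems.append(f"{p}: in both allow and deny lists: {sorted(both)}")
    return problems

def build_request(veza_url, api_key, cfg):
    """Build (do not send) the POST; rejects plain HTTP and inconsistent bodies."""
    if not veza_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    problems = validate_aws_provider(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        veza_url.rstrip("/") + "/api/v1/providers/aws",
        data=json.dumps(cfg).encode(), method="POST",
        # Assumption: the admin API key is presented as a bearer token.
        headers={"Authorization": "Bearer " + api_key, "Content-Type": "application/json"})

# Constructed sample values, not a real account, role or Insight Point.
SAMPLE = {"name": "prod-aws", "account_id": "123456789012", "regions": [],
          "data_plane_id": "example-insight-point-id", "db_user": "veza_ro",
          "credentials_type": "ASSUME_CUSTOMER_ROLE", "services": [],
          "assume_role_name": "veza-discovery",
          "assume_role_external_id": "example-external-id"}
```

Pass the returned request to `urllib.request.urlopen` only after `validate_aws_provider` returns an empty list for your own configuration.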
Get AWS provider
GET
{{vezaURL}}/api/v1/providers/aws/{id}
Returns configuration and status for the specified AWS provider.
Path Parameters
id* (string): The AWS provider configuration id
Delete AWS provider
DELETE
{{vezaURL}}/api/v1/providers/aws/{id}
Note that deleting the provider will remove all entities under the AWS account from Veza.
Path Parameters
id (string): ID of the AWS account to remove
Update AWS provider
PATCH
{{vezaURL}}/api/v1/providers/aws/{id}
Update an
. You can provide field mask paths to only update specific properties.
Path Parameters
id (string): The AWS provider ID
Query Parameters
update_mask.paths (array[string]): The set of field mask paths
Request Body
account_id (string)
credentials_type (enum)
access_key_id (string)
secret_key (string)
assume_role_name (string)
assume_role_external_id (string)
regions (array)
db_user (string)
services (array)
data_plane_id* (string)
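A field-mask update, for example rotating static credentials, can be built so that the mask names exactly the fields being changed. This Python sketch is an added example, not Veza's code; it assumes mask paths equal the body field names and that the array query parameter is sent as a repeated key, and its sample values are constructed.

```python
from urllib.parse import quote, urlencode

# Updatable AWS provider fields, as listed in the PATCH request body.
AWS_UPDATABLE = {"account_id", "credentials_type", "access_key_id", "secret_key",
                 "assume_role_name", "assume_role_external_id", "regions",
                 "db_user", "services", "data_plane_id"}


def build_aws_patch(veza_url, provider_id, changes, data_plane_id):
    """Return (url, body) for a PATCH whose mask names exactly the changed fields."""
    if not veza_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    unknown = sorted(set(changes) - AWS_UPDATABLE)
    if unknown:
        raise ValueError(f"not updatable on an AWS provider: {unknown}")
    if not changes:
        raise ValueError("empty change set: the field mask would be empty")
    # Assumptions: mask paths equal body field names, and the array query
    # parameter is encoded as a repeated key.
    query = urlencode([("update_mask.paths", p) for p in sorted(changes)])
    # Percent-encode the id so it cannot add path segments or parameters.
    path = "/api/v1/providers/aws/" + quote(provider_id, safe="")
    body = dict(changes)
    # data_plane_id is marked required in the body; it is masked only if changed.
    body.setdefault("data_plane_id", data_plane_id)
    return f"{veza_url.rstrip('/')}{path}?{query}", body


# Constructed values for a static-credential rotation; not real keys or ids.
ROTATION = {"access_key_id": "EXAMPLE-ACCESS-KEY-ID", "secret_key": "example-secret"}
```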
Get and Check Trust Policies
Two additional requests provide details about the AWS IAM policies for the integration:
Get AWS Trust Policy for Assume Role External ID
GET
{{vezaURL}}/api/v1/providers/aws:trustpolicy?assume_role_external_id={{string}}
For a given external ID, returns the IAM policy that should be applied in AWS to the role assumed for resource discovery.
When adding AWS accounts using the ASSUME_CUSTOMER_ROLE credentials type, use this request to generate the required trust policy (in addition to the required AWS permissions obtained with Check Policy).
Query Parameters
Check Policy
GET
{{vezaURL}}/api/v1/providers/aws/{{id}}:checkpolicy
Validates the current policy granting Veza AWS IAM permissions, and returns whether an update is required.
Path Parameters
id* (string): AWS account id
providers/azure
An Azure configuration includes connection details and credentials, and may contain an optional auth certificate for connecting to SharePoint Online. A configuration can allow or deny individual data sources, or only include specific services.
See Connecting to Azure for more details on integrating Veza with your Azure tenant, Active Directory, and SharePoint.
List Azure Providers
GET
{{vezaURL}}/api/v1/providers/azure
Get the configuration and status for all configured Azure tenants
Create Azure Provider
POST
{{vezaURL}}/api/v1/providers/azure
Register a new Azure tenant for discovery.
Request Body
name* (string): Name to display for the Azure tenant
client_id* (string): Client ID used to connect
client_secret* (string): The Client Secret
data_plane_id* (string): ID of the Insight Point used to connect (if applicable)
auth_certificate (string): Certificate for app-only SharePoint access
auth_certificate_password (string): Certificate password (if applicable)
services (array): String list of services to enable (e.g. SQLSERVER, SHAREPOINT, AZUREVM)
gather_personal_sites (boolean): Whether to gather personal SharePoint sites
gather_guest_users (boolean): Whether to parse identity metadata for Azure AD Guest users
gather_disabled_users (boolean): Whether to include disabled users
domains (array): Comma-separated list of domains to discover, ignoring any others
sql_server_database_allow_list (array): List of SQL DB names to allow
sql_server_database_deny_list (array): List of SQL DB names to deny
sql_server_schema_allow_list (array): List of SQL schema names to allow
sql_server_schema_deny_list (array): List of SQL schema names to deny
Get Azure Provider
GET
{{vezaURL}}/api/v1/providers/azure/{id}
Return an existing provider configuration by ID.
Path Parameters
id* (string): The Azure provider configuration ID
Delete Azure Provider
DELETE
{{vezaURL}}/api/v1/providers/azure/{id}
Delete the provider configuration and its discovered entities.
Path Parameters
id* (string): The Azure provider configuration ID
Update Azure Provider
PATCH
{{vezaURL}}/api/v1/providers/azure/{id}
Update an existing provider configuration with new properties.
Path Parameters
id* (string): The Azure provider configuration ID
Query Parameters
update_mask.paths (array[string]): The set of field mask paths
Request Body
tenant_id (string)
client_id (string)
client_secret (string)
auth_certificate (string)
auth_certificate_password (string)
providers/google_cloud
Each Google Cloud provider configuration has the following properties, which can be obtained with a GET request to the providers/google_cloud endpoint:
To register a new Google Cloud and Workspace for discovery, use:
For more information about connecting to Google Cloud, see the configuration guide.
List Google Cloud Providers
GET
baseurl/api/v1/providers/google_cloud
Request Body
name* (string): Friendly name for the Google Cloud connection
data_plane_id* (string): Insight Point to use to connect
workspace_email* (string): Email of the GCP workspace user to assume
customer_id* (string): Google Workspace customer ID
project_allow_list (array): List of names of any projects to allow for discovery
project_deny_list (array): List of names of any projects to ignore
domain_allow_list (array): List of names of domains to explicitly allow
domain_deny_list (array): List of domains to ignore
services (array): If specified, only the listed services will be discovered (e.g. KEYMANAGEMENT, IAM, STORAGE, WORKSPACE, COMPUTE).
dataset_allow_list (array): List of BigQuery dataset names to allow
dataset_deny_list (array): List of BigQuery dataset names to ignore during parsing.
Add a Google Cloud Platform configuration
POST
baseurl/api/v1/providers/google_cloud
Add a Google Cloud Platform configuration
Request Body
name* (string): Friendly name for the Google Cloud connection
data_plane_id* (string): Insight Point to use to connect
workspace_email* (string): Email of the GCP workspace user to assume
customer_id* (string): Google Workspace customer ID
project_allow_list (array): List of names of any projects to allow for discovery
project_deny_list (array): List of names of any projects to ignore
domain_allow_list (array): List of names of domains to explicitly allow
domain_deny_list (array): List of domains to ignore
services (array): If specified, only the listed services will be discovered (such as KEYMANAGEMENT, IAM, STORAGE, WORKSPACE, COMPUTE).
dataset_allow_list (array): List of BigQuery dataset names to allow
dataset_deny_list (array): List of BigQuery dataset names to ignore during parsing.
Get Google Cloud Platform configurations
GET
baseurl/api/v1/providers/google_cloud/{id}
Delete Google Cloud Platform configuration
DELETE
baseurl/api/v1/providers/google_cloud/{id}
Patch Google Cloud Platform Configuration
PATCH
baseurl/api/v1/providers/google_cloud
providers/snowflake
A Snowflake configuration has the following parameters:
See Connecting to Snowflake for more information about integrating Snowflake warehouses with Veza.
List Snowflake Providers
GET
{{vezaURL}}/api/v1/providers/snowflake
Get the configuration and status for all configured Snowflake providers.
Create Snowflake Provider
POST
{{vezaURL}}/api/v1/providers/snowflake
Register a new Snowflake provider for discovery.
To retrieve a valid Insight Point ID, navigate to Administration > Insight Point, and find the id of the one you will use for the connection to Snowflake.
Request Body
name* (string): A name for the Snowflake configuration
account_locator* (string): The Snowflake account locator (e.g. xy12345)
region* (string): The AWS, GCP, or Azure region for the Snowflake account
cloud* (string): Cloud provider for the Snowflake account (valid values are AWS, Azure, or GCP)
user* (string): The username of the local Snowflake user to be used for discovery (e.g. veza_user)
password* (string): Password for the local user
role* (string): The role the local user will use to conduct queries, e.g. cai_role.
warehouse* (string): The default Snowflake compute_wh, or the name of another warehouse Veza can use for extraction at runtime
Get Snowflake Provider
GET
{{vezaURL}}/api/v1/providers/snowflake/{id}
Retrieve an existing Snowflake configuration by ID.
Path Parameters
id* (string): The Snowflake provider ID
Delete Snowflake Provider
DELETE
{{vezaURL}}/api/v1/providers/snowflake/{id}
Delete a Snowflake provider configuration and its discovered entities.
Path Parameters
id* (string): The Snowflake provider ID
Update Snowflake Provider
PATCH
{{vezaURL}}/api/v1/providers/snowflake/{id}
Update an existing Snowflake provider configuration with new properties.
Path Parameters
id* (string): The Snowflake provider ID
Query Parameters
update_mask.paths (array[string]): The set of field mask paths
providers/sqlserver
Each SQL server configuration contains the following properties, which can be obtained with a GET request to providers/sqlserver.
To register a new SQL server for discovery, use:
For more information about connecting to SQL server, see the configuration guide.
List SQL Server configurations
GET
baseurl/api/v1/providers/sqlserver
Create a new SQL Server configuration
POST
baseurl/api/v1/providers/sqlserver
Get SQL Server configurations
GET
baseurl/api/v1/providers/sqlserver/{id}
Delete SQL Server configuration
DELETE
baseurl/api/v1/providers/sqlserver/{id}
Patch SQL Server configuration
PATCH
baseurl/api/v1/providers/sqlserver/{id}
providers/trino
Veza gathers metadata for Trino both by connecting as a local user and by reading the Trino access control file, which must be made available to Veza as an S3 object. Each Trino provider configuration has the structure:
The default credentials_type "STATIC" uses an access key and secret ID to read the Trino access control file in S3. If connecting to AWS using a role, change the type to assume_customer_role and provide the role name, external ID, and AWS account ID.
See Connecting to Trino for more information about integrating your Trino resources with Veza.
List Trino Providers
GET
{{vezaURL}}/api/v1/providers/trino
Get the configuration and status for all current Trino providers.
Create Trino Provider
POST
{{vezaURL}}/api/v1/providers/trino
Add a Trino provider by providing the host, local user credentials, and a path and authentication method for the Trino access control file stored in AWS S3.
Request Body
id* (string): Name for the provider
host* (string): The address of the Trino Coordinator
port* (int): The port to use for the connection
username* (string): Trino local username
password* (string): Trino local user password
data_plane_id* (string): Insight Point ID
aws_s3_object_config* (object): Contains path and authorization details for the file system access control S3 object
Get Trino Provider
GET
{{vezaURL}}/api/v1/providers/trino/{id}
Retrieve an existing Trino provider configuration by ID.
Path Parameters
id* (string): The Trino provider ID
Delete Trino Provider
DELETE
{{vezaURL}}/api/v1/providers/trino/{id}
Delete a Trino provider and its discovered entities.
Path Parameters
id (string): The Trino provider ID
Update Trino Provider
PATCH
{{vezaURL}}/api/v1/providers/trino/{id}
Update an existing Trino configuration with new properties.
Path Parameters
id* (string): The Trino provider ID
Query Parameters
update_mask.paths (array[string]): The set of field mask paths