Cloud Platforms and Data Providers

Operations for listing, adding, and modifying cloud provider configurations

Last updated 1 month ago

You can manage Veza integrations using the management API and a Veza admin .

providers/aws

See for detailed instructions on authorizing Veza for AWS account discovery. Each account has the properties:

{
  "values": [
    {
      "id": "883dd869-8762-4187-8767-1c387de14b4b",
      "vendor_id": "123456789010",
      "name": "AWS-CTR01a",
      "type": "AWS",
      "state": "ENABLED",
      "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
      "status": "SUCCESS",
      "account_id": "123456789010",
      "credentials_type": "STATIC",
      "access_key_id": "AKIA6FRNZGGIOEBZ6BEA",
      "assume_role_name": "",
      "regions": [
        "us-east-2",
        "us-east-1",
        "us-west-2",
        "us-west-1"
      ],
      "db_user": "cai_user",
      "services": [],
      "redshift_database_allow_list": [
        "string"
      ],
      "redshift_database_deny_list": [
        "string"
      ],
      "rds_database_allow_list": [
        "string"
      ],
      "rds_database_deny_list": [],
      "s3_bucket_allow_list": [],
      "s3_bucket_deny_list": []
    }
  ]
}

You can use the methods described below to view, create, modify, and delete AWS providers:

List AWS providers

GET {{vezaURL}}/api/v1/providers/aws

Returns information about each registered AWS account, including the status and id.

* indicates a required field.

{
  "values": [
    {
      "id": "883dd869-8762-4187-8767-1c387de14b4b",
      "vendor_id": "123456789012",
      "name": "AWS-CTR01a",
      "type": "AWS",
      "state": "ENABLED",
      "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
      "status": "SUCCESS",
      "account_id": "123456789012",
      "credentials_type": "STATIC",
      "access_key_id": "AKIA6QYCTEMKPE4SGTHL",
      "assume_role_name": "",
      "regions": [
        "us-east-2",
        "us-east-1",
        "us-west-2",
        "us-west-1"
      ],
      "db_user": "cai_user",
      "services": []
    },
    {
      "id": "cc16edb4-4064-4996-b17e-2c94a3f2ab09",
      "vendor_id": "123456789013",
      "name": "aws_demo",
      "type": "AWS",
      "state": "ENABLED",
      "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
      "status": "SUCCESS",
      "account_id": "123456789013",
      "credentials_type": "STATIC",
      "access_key_id": "AKIA6FRNZGGIOEBZ6BEA",
      "assume_role_name": "",
      "regions": [
        "us-east-2",
        "us-east-1",
        "us-west-2",
        "us-west-1"
      ],
      "db_user": "awsuser",
      "services": []
    }
  ]
}

Push an AWS provider configuration

POST {{vezaURL}}/api/v1/providers/aws

* indicates a required field.

Request Body

| Name | Type | Description |
|---|---|---|
| name* | string | Name for the AWS account in Veza |
| account_id* | string | AWS account ID |
| regions* | array | Any valid AWS region (deprecated) |
| data_plane_id* | string | Insight Point ID to use for discovery |
| credentials_type* | string | Authorization method, one of STATIC, EC2_INSTANCE_PROFILE, ASSUME_CUSTOMER_ROLE |
| access_key_id | string | For static (user) credentials, provide the user access key id |
| secret_key | string | For static (user) credentials, provide the secret key |
| assume_role_name | string | For assume role credentials, the role name |
| assume_role_external_id | string | For assume role credentials, the role's trusted external ID |
| db_user* | string | Name of the local database user for RDS/Redshift extraction |
| services* | array | If not empty (default), only the listed services will be enabled. Valid values include: Redshift: REDSHIFT; Redshift Cluster: REDSHIFT_CLUSTER; S3: S3; RDS PostgreSQL: RDS_POSTGRES; RDS MySQL: RDS_MYSQL; RDS Oracle: RDS_ORACLE; RDS: RDS; DynamoDB: DYNAMODB; KMS: KMS; EMR: EMR; Organizations: ORGANIZATIONS; EC2: EC2; Identity Center: SSO; Cognito: COGNITO; Lambda: LAMBDA; Secrets Manager: SECRETS_MANAGER; ECR: ECR; EKS: EKS; Databricks: AWS_DATABRICKS |
| redshift_database_allow_list | array | String list of Redshift DB ARNs to explicitly allow |
| redshift_database_deny_list | array | List of Redshift DB ARNs to ignore |
| rds_database_allow_list | array | List of RDS DB names to explicitly allow |
| rds_database_deny_list | array | List of RDS DB names to ignore |
| s3_bucket_allow_list | array | String list of S3 bucket names to allow |
| s3_bucket_deny_list | array | List of S3 bucket names to ignore |

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "string",
    "state": "string",
    "data_plane_id": "string",
    "status": "string",
    "account_id": "string",
    "credentials_type": "STATIC",
    "access_key_id": "string",
    "assume_role_name": "string",
    "regions": [
      "string"
    ],
    "db_user": "string",
    "services": [
      "AWS_SERVICE_UNKNOWN"
    ]
  }
}

Get AWS provider

GET {{vezaURL}}/api/v1/providers/aws/{id}

Returns configuration and status for the specified AWS provider.

* indicates a required field.

Path Parameters

| Name | Type | Description |
|---|---|---|
| id* | string | The AWS provider configuration id |

{
 "id": "<string>",
 "vendor_id": "<string>",
 "name": "<string>",
 "type": "<string>",
 "state": "<string>",
 "data_plane_id": "<string>",
 "status": "<string>",
 "account_id": "<string>",
 "credentials_type": "STATIC",
 "access_key_id": "<string>",
 "assume_role_name": "<string>",
 "regions": [
  "<string>",
  "<string>"
 ],
 "db_user": "<string>",
 "services": [
  "AWS_SERVICE_UNKNOWN",
  "AWS_SERVICE_UNKNOWN"
 ]
}

Delete AWS provider

DELETE {{vezaURL}}/api/v1/providers/aws/{id}

Note that deleting the provider will remove all entities under the AWS account from Veza.

* indicates a required field.

Path Parameters

| Name | Type | Description |
|---|---|---|
| id | string | ID of the AWS account to remove |

{}

Update AWS provider

PATCH {{VezaUrl}}/api/v1/providers/aws/{id}

Update an

. You can provide field mask paths to only update specific properties.

* indicates a required field.

Path Parameters

| Name | Type | Description |
|---|---|---|
| id | string | The AWS provider ID |

Query Parameters

| Name | Type | Description |
|---|---|---|
| update_mask.paths | array[string] | The set of field mask paths |

Request Body

| Name | Type | Description |
|---|---|---|
| account_id | string | |
| credentials_type | enum | |
| access_key_id | string | |
| secret_key | string | |
| assume_role_name | string | |
| assume_role_external_id | string | |
| regions | array | |
| db_user | string | |
| services | array | |
| data_plane_id* | string | |

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "account_id": "string",
    "credentials_type": "STATIC",
    "access_key_id": "string",
    "assume_role_name": "string",
    "regions": [
      "string"
    ],
    "db_user": "string",
    "services": [
      "AWS_SERVICE_UNKNOWN"
    ]
  }
}

Get and Check Trust Policies

Two additional requests provide details about the AWS IAM policies for the integration:

Get AWS Trust Policy for Assume Role External ID

GET {{vezaURL}}/api/v1/providers/aws:trustpolicy?assume_role_external_id={{string}}

When adding AWS accounts using the ASSUME_CUSTOMER_ROLE credentials type, use this request to generate the required trust policy (in addition to the required AWS permissions obtained with Check Policy).

* indicates a required field.

Query Parameters

| Name | Type | Description |
|---|---|---|
| assume_role_external_id | string | to include in the policy |

{
 "trust_policy_json": "<string>"
}
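Before the returned policy is attached to the role, it is worth confirming that it actually binds role assumption to the external ID you supplied. The following is an added example, not code from Veza: it assumes `trust_policy_json` holds a standard IAM trust policy document, and the sample policies, account ID and external ID are constructed placeholders.

```python
import json


def _as_list(value):
    """IAM accepts a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_trust_policy(response, expected_external_id):
    """Return findings for the policy carried in a :trustpolicy response.

    An empty list means every Allow statement for sts:AssumeRole names a
    specific principal and requires the expected sts:ExternalId.
    """
    try:
        policy = json.loads(response["trust_policy_json"])
    except (KeyError, TypeError, ValueError) as exc:
        return [f"trust_policy_json missing or not valid JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["trust_policy_json is not a JSON object"]

    findings = []
    assume_statements = 0
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a).lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        assume_statements += 1

        # A wildcard principal lets any AWS account attempt the assumption.
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)
        if "*" in principals:
            findings.append(f"statement {idx}: wildcard principal")

        # The external ID must be enforced with StringEquals on sts:ExternalId
        # (condition key names are not case-sensitive).
        external_ids = []
        for key, val in (stmt.get("Condition") or {}).get("StringEquals", {}).items():
            if key.lower() == "sts:externalid":
                external_ids.extend(_as_list(val))
        if not external_ids:
            findings.append(f"statement {idx}: no StringEquals sts:ExternalId condition")
        elif external_ids != [expected_external_id]:
            findings.append(f"statement {idx}: external ID does not match the expected value")

    if assume_statements == 0:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings


# Constructed sample responses (placeholder account ID and external ID).
GOOD_RESPONSE = {"trust_policy_json": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})}

WEAK_RESPONSE = {"trust_policy_json": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})}

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, review_trust_policy(resp, "example-external-id"))
```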

Check Policy

GET {{vezaURL}}/api/v1/providers/aws/{{id}}:checkpolicy

Validates the current policy granting Veza AWS IAM permissions, and returns whether an update is required.

* indicates a required field.

Path Parameters

| Name | Type | Description |
|---|---|---|
| id* | string | AWS account id |

{
 "requires_update": "<boolean>",
 "aws_account_id": "<string>",
 "current_policy": "<string>",
 "required_policy": "<string>",
 "required_actions": [
  "<string>",
  "<string>"
 ],
 "overprivileged_actions": [
  "<string>",
  "<string>"
 ]
}
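The list and Check Policy responses can be combined into a periodic least-privilege audit of every registered AWS account. The following is an added example, not code from Veza: it assumes the admin API key is sent as a Bearer token and that the `:checkpolicy` path takes the provider `id` from the list response, and the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request


def veza_get(base_url, api_key, path):
    """GET a Veza API path and return the parsed JSON body.

    Assumption: the admin API key is presented as a Bearer token.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {api_key}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_aws_providers(fetch):
    """Audit every AWS provider; `fetch(path)` returns the parsed JSON for a path.

    Returns {provider name: [findings]}. An empty list means nothing to review.
    """
    report = {}
    for prov in fetch("/api/v1/providers/aws").get("values", []):
        findings = []
        # Static credentials are long-lived access keys that need rotation.
        if prov.get("credentials_type") == "STATIC":
            findings.append("uses STATIC (long-lived access key) credentials")
        if prov.get("state") == "ENABLED" and prov.get("status") != "SUCCESS":
            findings.append(f"enabled but last status is {prov.get('status')}")

        # Assumption: {id} in the :checkpolicy path is the provider id.
        pid = urllib.parse.quote(str(prov["id"]), safe="")
        check = fetch(f"/api/v1/providers/aws/{pid}:checkpolicy")
        if check.get("requires_update") is True:
            findings.append("IAM policy requires update")
        extra = sorted(check.get("overprivileged_actions") or [])
        if extra:
            findings.append("overprivileged actions: " + ", ".join(extra))

        report[prov.get("name", prov["id"])] = findings
    return report


# Constructed sample responses keyed by request path (placeholder IDs).
SAMPLE_RESPONSES = {
    "/api/v1/providers/aws": {"values": [
        {"id": "00000000-0000-0000-0000-000000000001", "name": "aws-static-demo",
         "state": "ENABLED", "status": "SUCCESS", "credentials_type": "STATIC"},
        {"id": "00000000-0000-0000-0000-000000000002", "name": "aws-role-demo",
         "state": "ENABLED", "status": "SUCCESS",
         "credentials_type": "ASSUME_CUSTOMER_ROLE"},
    ]},
    "/api/v1/providers/aws/00000000-0000-0000-0000-000000000001:checkpolicy": {
        "requires_update": True,
        "required_actions": [],
        "overprivileged_actions": ["s3:PutObject", "iam:PassRole"],
    },
    "/api/v1/providers/aws/00000000-0000-0000-0000-000000000002:checkpolicy": {
        "requires_update": False,
        "required_actions": [],
        "overprivileged_actions": [],
    },
}


def sample_fetch(path):
    """Offline stand-in for veza_get, backed by the constructed responses."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    for name, findings in audit_aws_providers(sample_fetch).items():
        print(name, findings or "ok")
```

Against a live tenant, pass `lambda path: veza_get(base_url, api_key, path)` as `fetch`.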

providers/azure

{
  "name": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "data_plane_id": "string",
  "auth_certificate": "string",
  "auth_certificate_password": "string",
  "services": [
    "AZURE_SERVICE_UNKNOWN"
  ],
  "gather_guest_users": true,
  "gather_disabled_users": true,
  "domains": [
    "string"
  ],
  "gather_personal_sites": true,
  "sql_server_database_allow_list": [
    "string"
  ],
  "sql_server_database_deny_list": [
    "string"
  ],
  "sql_server_schema_allow_list": [
    "string"
  ],
  "sql_server_schema_deny_list": [
    "string"
  ]
}

List Azure Providers

GET {{vezaURL}}/api/v1/providers/azure

Get the configuration and status for all configured Azure tenants

* indicates a required field.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "account_id": "string",
      "tenant_id": "string",
      "client_id": "string"
    }
  ]
}

Create Azure Provider

POST {{vezaURL}}/api/v1/providers/azure

Register a new Azure tenant for discovery.

* indicates a required field.

Request Body

| Name | Type | Description |
|---|---|---|
| name* | string | Name to display for the Azure tenant |
| tenant_id* | string | The Azure |
| client_id* | string | Client ID used to connect |
| client_secret* | string | The Client Secret |
| data_plane_id* | string | ID of the Insight Point used to connect (if applicable) |
| auth_certificate | string | Certificate for app-only SharePoint access |
| auth_certificate_password | string | Certificate password (if applicable) |
| services | array | String list of services to enable (e.g. SQLSERVER, SHAREPOINT, AZUREVM) |
| gather_personal_sites | boolean | Whether to gather personal SharePoint sites |
| gather_guest_users | boolean | Whether to parse identity metadata for Azure AD Guest users |
| gather_disabled_users | boolean | Whether to include disabled users |
| domains | array | Comma-separated list of domains to discover, ignoring any others |
| sql_server_database_allow_list | array | List of SQL DB names to allow |
| sql_server_database_deny_list | array | List of SQL DB names to deny |
| sql_server_schema_allow_list | array | List of SQL schema names to allow |
| sql_server_schema_deny_list | array | List of SQL schema names to deny |

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "account_id": "string",
    "tenant_id": "string",
    "client_id": "string"
  }
}

Get Azure Provider

GET {{vezaURL}}/api/v1/providers/azure/{id}

Return an existing provider configuration by ID.

* indicates a required field.

Path Parameters

| Name | Type | Description |
|---|---|---|
| id* | string | The Azure provider configuration ID |

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "account_id": "string",
    "tenant_id": "string",
    "client_id": "string"
  }
}

Delete Azure Provider

DELETE {{vezaURL}}/api/v1/providers/azure/{id}

Delete the provider configuration and its discovered entities.

* indicates a required field.

Path Parameters

| Name | Type | Description |
|---|---|---|
| id* | string | The Azure provider configuration ID |

{}

Update Azure Provider

PATCH {{vezaURL}}/api/v1/providers/azure/{id}

Update an existing provider configuration with new properties.

* indicates a required field.

Path Parameters

| Name | Type | Description |
|---|---|---|
| {id}* | string | The Azure provider configuration ID |

Query Parameters

| Name | Type | Description |
|---|---|---|
| update_mask.paths | array[string] | The set of field mask paths |

Request Body

| Name | Type | Description |
|---|---|---|
| tenant_id | string | |
| client_id | string | |
| client_secret | string | |
| auth_certificate | string | |
| auth_certificate_password | string | |

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "AZURE",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "account_id": "string",
    "tenant_id": "string",
    "client_id": "string"
  }
}

providers/google_cloud

Each Google Cloud provider configuration has the following properties, which can be obtained with a GET request to the providers/google_cloud endpoint:

{
    "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
    "vendor_id": "datasource",
    "name": "Dev-GoogleCloudAccount-0",
    "type": "GOOGLE_CLOUD",
    "state": "ENABLED",
    "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
    "status": "SUCCESS",
    "customer_id": "datasource",
    "workspace_email": "dev@veza.com",
    "project_allow_list": [
      "string"
    ],
    "project_deny_list": [
      "string"
    ],
    "domain_allow_list": [
      "string"
    ],
    "domain_deny_list": [
      "string"
    ],
    "services": [
      "GOOGLE_CLOUD_SERVICE_UNKNOWN"
    ],
    "dataset_allow_list": [
      "string"
    ],
    "dataset_deny_list": [
      "string"
    ]
  }

To register a new Google Cloud and Workspace for discovery, use:

PUT <VezaUrl>/api/v1/providers/google_cloud
-d
{
    "name": "friendly name",
    "credentials_json": "service account credentials.json",
    "data_plane_id": "Insight Point id",
    "workspace_email": "workspace user for service account",
    "customer_id": "workspace customer id",
    "project_allow_list": [
      "project names to allow"
    ],
    "project_deny_list": [
      "project", "names", "to", "ignore"
    ],
    "domain_allow_list": [],
    "domain_deny_list": [],
    "services": [],
    "dataset_allow_list": [],
    "dataset_deny_list": []
  }

List Google Cloud Providers

GET baseurl/api/v1/providers/google_cloud

* indicates a required field.

Request Body

| Name | Type | Description |
|---|---|---|
| name* | string | Friendly name for the Google Cloud connection |
| credentials_json* | string | JSON |
| data_plane_id* | string | Insight Point to use to connect |
| workspace_email* | string | Email of the GCP workspace user to assume |
| customer_id* | string | Google Workspace customer ID |
| project_allow_list | array | List of names of any projects to allow for discovery |
| project_deny_list | array | List of names of any projects to ignore |
| domain_allow_list | array | List of names of domains to explicitly allow |
| domain_deny_list | array | List of domains to ignore |
| services | array | If specified, only the listed services will be discovered (e.g. KEYMANAGEMENT, IAM, STORAGE, WORKSPACE, COMPUTE). |
| dataset_allow_list | array | List of BigQuery dataset names to allow |
| dataset_deny_list | array | List of BigQuery dataset names to ignore during parsing. |

Add a Google Cloud Platform configuration

POST baseurl/api/v1/providers/google_cloud

Add a Google Cloud Platform configuration

* indicates a required field.

Request Body

| Name | Type | Description |
|---|---|---|
| name* | string | Friendly name for the Google Cloud connection |
| credentials_json* | string | JSON |
| data_plane_id* | string | Insight Point to use to connect |
| workspace_email* | string | Email of the GCP workspace user to assume |
| customer_id* | string | Google Workspace customer ID |
| project_allow_list | array | List of names of any projects to allow for discovery |
| project_deny_list | array | List of names of any projects to ignore |
| domain_allow_list | array | List of names of domains to explicitly allow |
| domain_deny_list | array | List of domains to ignore |
| services | array | If specified, only the listed services will be discovered (such as KEYMANAGEMENT, IAM, STORAGE, WORKSPACE, COMPUTE). |
| dataset_allow_list | array | List of BigQuery dataset names to allow |
| dataset_deny_list | array | List of BigQuery dataset names to ignore during parsing. |

Get Google Cloud Platform configurations

GET baseurl/api/v1/providers/google_cloud/{id}

* indicates a required field.

Delete Google Cloud Platform configuration

DELETE baseurl/api/v1/providers/google_cloud/{id}

* indicates a required field.

Patch Google Cloud Platform Configuration

PATCH baseurl/api/v1/providers/google_cloud

* indicates a required field.

providers/snowflake

A Snowflake configuration has the following parameters:

{
    "name": "string",
    "account_locator": "xy12345",
    "region": "us-east-2",
    "cloud": "aws",
    "user": "veza@vezacloud.ai",
    "password": "p@ssword123!",
    "role": "veza_role",
    "warehouse": "compute_wh",
    "data_plane_id": "a2e32a80...",
    "database_allow_list": [],
    "database_deny_list": ["db1", "db2"]
}

List Snowflake Providers

GET {{vezaURL}}/api/v1/providers/snowflake

Get the configuration and status for all configured Snowflake providers.

* indicates a required field.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "account_locator": "string",
      "region": "string",
      "cloud": "string",
      "user": "string",
      "role": "string",
      "warehouse": "string"
    }
  ]
}

Create Snowflake Provider

POST {{vezaURL}}/api/v1/providers/snowflake

Register a new Snowflake provider for discovery.

To retrieve a valid insight point ID, navigate to Administration > Insight Point, and find the id of the one you will use for the connection to Snowflake.

* indicates a required field.

Request Body

Name | Type | Description
name* | string | A name for the Snowflake configuration
account_locator* | string | The Snowflake account locator (e.g. xy12345)
region* | string | The AWS, GCP, or Azure region for the Snowflake account
cloud* | string | Cloud provider for the Snowflake account (valid values are AWS, Azure, or GCP)
user* | string | The username of the local Snowflake user to be used for discovery (e.g. veza_user)
password* | string | Password for the local user
role* | string | The role the local user will use to conduct queries, e.g. cai_role.
warehouse* | string | The default Snowflake compute_wh, or the name of another warehouse Veza can use for extraction at runtime
data_plane_id* | string | GUID to use for discovery

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "account_locator": "string",
    "region": "string",
    "cloud": "string",
    "user": "string",
    "role": "string",
    "warehouse": "string"
  }
}
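One way to assemble and check the create-request body before it is sent, as an added example that is not Veza's own code. The required fields and cloud values follow the request body table above; the SNOWFLAKE_DISCOVERY_PASSWORD variable name, the case-insensitive cloud check, and the rule that a database may not sit in both lists are assumptions.

```python
import os

# Required fields and cloud values are taken from the request body table.
REQUIRED = ("name", "account_locator", "region", "cloud", "user",
            "password", "role", "warehouse", "data_plane_id")
CLOUDS = {"aws", "azure", "gcp"}  # compared case-insensitively (assumption)
PASSWORD_VAR = "SNOWFLAKE_DISCOVERY_PASSWORD"  # hypothetical variable name


def build_snowflake_body(settings, env=None):
    """Validate settings and return the JSON body for the create request."""
    env = os.environ if env is None else env
    if "password" in settings:
        raise ValueError("keep the password out of the settings file")
    # The secret is injected at call time so it never lives in the settings.
    body = dict(settings, password=env.get(PASSWORD_VAR, ""))
    missing = [f for f in REQUIRED if not body.get(f)]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    if str(body["cloud"]).lower() not in CLOUDS:
        raise ValueError("cloud must be AWS, Azure, or GCP")
    allow = set(body.get("database_allow_list") or [])
    deny = set(body.get("database_deny_list") or [])
    if allow & deny:
        raise ValueError("in both allow and deny lists: "
                         + ", ".join(sorted(allow & deny)))
    return body


def redacted(body):
    """Copy of the body that is safe to write to logs."""
    return {k: "<redacted>" if k == "password" else v
            for k, v in body.items()}


# Constructed sample settings; every value is a placeholder.
SAMPLE = {
    "name": "snowflake-prod", "account_locator": "xy12345",
    "region": "us-east-2", "cloud": "aws", "user": "veza_user",
    "role": "veza_role", "warehouse": "compute_wh",
    "data_plane_id": "00000000-0000-0000-0000-000000000000",
    "database_allow_list": [], "database_deny_list": ["db1", "db2"],
}

if __name__ == "__main__":
    body = build_snowflake_body(SAMPLE, env={PASSWORD_VAR: "placeholder"})
    print(redacted(body))
```

The provider responses shown on this page do not echo the password, so the redacted copy keeps client-side logs consistent with what the API returns.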

Get Snowflake Provider

GET {{vezaURL}}/api/v1/providers/snowflake/{id}

Retrieve an existing Snowflake configuration by ID.

* indicates a required field.

Path Parameters

Name | Type | Description
id* | string | The Snowflake provider ID

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "account_locator": "string",
    "region": "string",
    "cloud": "string",
    "user": "string",
    "role": "string",
    "warehouse": "string"
  }
}

Delete Snowflake Provider

DELETE {{vezaURL}}/api/v1/providers/snowflake/{id}

Delete a Snowflake provider configuration and its discovered entities.

* indicates a required field.

Path Parameters

Name | Type | Description
id* | string | The Snowflake provider ID

{}

Update Snowflake Provider

PATCH {{vezaURL}}/api/v1/providers/snowflake/{id}

Update an existing Snowflake provider configuration with new properties.

* indicates a required field.

Path Parameters

Name | Type | Description
{id}* | string | The Snowflake provider ID

Query Parameters

Name | Type | Description
update_mask.paths | array[string] | The set of field mask paths

{
  "id": "string",
  "account_locator": "string",
  "region": "string",
  "cloud": "string",
  "user": "string",
  "password": "string",
  "role": "string",
  "warehouse": "string"
}

providers/sqlserver

Each SQL Server configuration contains the following properties, which can be obtained with a GET request to providers/sqlserver.

{
  "id": "90112ed7-47e7-48e6-9f05-c02d19d7f137",
  "vendor_id": "mssql.us-east-2.rds.amazonaws.com",
  "name": "sql_rds_dev",
  "type": "SQL_SERVER",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "host": "mssql.us-east-2.rds.amazonaws.com",
  "port": 1433,
  "username": "admin",
  "database_allow_list": [
    "string"
  ],
  "database_deny_list": [
    "string"
  ],
  "schema_allow_list": [
    "string"
  ],
  "schema_deny_list": [
    "string"
  ]
}

To register a new SQL Server for discovery, use:

PUT <VezaUrl>/api/v1/providers/sqlserver \
-d \
{
  "name": "string",
  "host": "string",
  "port": 0,
  "username": "string",
  "password": "string",
  "data_plane_id": "string"
}

List SQL Server configurations

GET baseurl/api/v1/providers/sqlserver

* indicates a required field.

Create a new SQL Server configuration

POST baseurl/api/v1/providers/sqlserver

* indicates a required field.

Get SQL Server configurations

GET baseurl/api/v1/providers/sqlserver/{id}

* indicates a required field.

Delete SQL Server configuration

DELETE baseurl/api/v1/providers/sqlserver/{id}

* indicates a required field.

Patch SQL Server configuration

PATCH baseurl/api/v1/providers/sqlserver/{id}

* indicates a required field.

providers/trino

Veza gathers metadata for Trino both by connecting as a local user and by reading the Trino access control file, which must be made available to Veza as an S3 object. Each Trino provider configuration has the structure:

{
  "name": "trinoProviderName",
  "host": "trinoHostUrl",
  "port": 0,
  "username": "string",
  "password": "string",
  "data_plane_id": "string",
  "aws_s3_object_config": {
    "access_key": "string",
    "secret_key": "string",
    "region": "string",
    "bucket": "string",
    "object": "string",
    "credentials_type": "STATIC|EC2_INSTANCE_PROFILE|ASSUME_CUSTOMER_ROLE",
    "assume_role_name": "string",
    "assume_role_external_id": "string",
    "account_id": "string"
  },
  "ssl_certificate": "string"
}

List Trino Providers

GET {{vezaURL}}/api/v1/providers/trino

Get the configuration and status for all current Trino providers.

* indicates a required field.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "host": "string",
      "port": 0,
      "username": "string",
      "aws_s3_object_config": {
        "access_key": "string",
        "region": "string",
        "bucket": "string",
        "object": "string",
        "credentials_type": "STATIC",
        "assume_role_name": "string",
        "account_id": "string"
      },
      "ssl_certificate": "string"
    }
  ]
}

Create Trino Provider

POST {{vezaURL}}/api/v1/providers/trino

Add a Trino provider by providing the host, local user credentials, and a path and authentication method for the Trino access control file stored in AWS S3.

* indicates a required field.

Request Body

Name | Type | Description
id* | string | Name for the provider
host* | string | The address of the Trino Coordinator
port* | int | The port to use for the connection
username* | string | Trino local username
password* | string | Trino local user password
data_plane_id* | string | Insight Point ID
aws_s3_object_config* | object | Contains path and authorization details for the file system access control S3 object
ssl_certificate | string | Upload the TLS certificate configured for the Trino coordinator

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "host": "string",
    "port": 0,
    "username": "string",
    "aws_s3_object_config": {
      "access_key": "string",
      "region": "string",
      "bucket": "string",
      "object": "string",
      "credentials_type": "STATIC",
      "assume_role_name": "string",
      "account_id": "string"
    },
    "ssl_certificate": "string"
  }
}

Get Trino Provider

GET {{vezaURL}}/api/v1/providers/trino/{id}

Retrieve an existing Trino provider configuration by ID.

* indicates a required field.

Path Parameters

Name | Type | Description
id* | string | The Trino provider ID

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "host": "string",
    "port": 0,
    "username": "string",
    "aws_s3_object_config": {
      "access_key": "string",
      "region": "string",
      "bucket": "string",
      "object": "string",
      "credentials_type": "STATIC",
      "assume_role_name": "string",
      "account_id": "string"
    },
    "ssl_certificate": "string"
  }
}

Delete Trino Provider

DELETE {{vezaURL}}/api/v1/providers/trino/{id}

Delete a Trino provider and its discovered entities.

* indicates a required field.

Path Parameters

Name | Type | Description
id | string | The Trino provider ID

{}

Update Trino Provider

PATCH {{vezaURL}}/api/v1/providers/trino/{id}

Update an existing Trino configuration with new properties.

* indicates a required field.

Path Parameters

Name | Type | Description
{id}* | string | The Trino provider ID

Query Parameters

Name | Type | Description
update_mask.paths | array[string] | The set of field mask paths

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "host": "string",
    "port": 0,
    "username": "string",
    "aws_s3_object_config": {
      "access_key": "string",
      "region": "string",
      "bucket": "string",
      "object": "string",
      "credentials_type": "STATIC",
      "assume_role_name": "string",
      "account_id": "string"
    },
    "ssl_certificate": "string"
  }
}

Configures a new AWS account for discovery and extraction. See Adding AWS Providers to Veza for additional details on the required fields.

A configuration can optionally set limits on the data sources and services to parse.

For a given external ID, returns the IAM policy that should be applied in AWS to the role assumed for resource discovery.

An Azure configuration includes connection details and credentials, and may contain an optional auth certificate for connecting to SharePoint Online. A configuration can allow or deny individual data sources, or only include specific services.

See Connecting to Azure for more details on integrating Veza with your Azure tenant, Active Directory, and SharePoint.

For more information about connecting to Google Cloud, see the configuration guide.

See Connecting to Snowflake for more information about integrating Snowflake warehouses with Veza.

For more information about connecting to SQL Server, see the configuration guide.

The default credentials_type "STATIC" uses an access key and secret ID to read the Trino access control file in S3. If connecting to AWS using a role, change the type to ASSUME_CUSTOMER_ROLE and provide the role name, external ID, and AWS account ID.

See Connecting to Trino for more information about integrating your Trino resources with Veza.
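An added example (not Veza's code) that lints an aws_s3_object_config block against the credentials_type rules described above. Treating region, bucket and object as always required, and EC2_INSTANCE_PROFILE as needing no further fields, are assumptions.

```python
# Added example: lint the aws_s3_object_config block of a Trino provider
# request. Field names come from the page; the always-required fields and
# the EC2_INSTANCE_PROFILE rule are assumptions.
ALWAYS = ("region", "bucket", "object")  # assumed required for every type
REQUIRED = {
    "STATIC": ("access_key", "secret_key"),
    "EC2_INSTANCE_PROFILE": (),  # assumption: no further fields
    "ASSUME_CUSTOMER_ROLE": (
        "assume_role_name", "assume_role_external_id", "account_id"),
}
STATIC_ONLY = ("access_key", "secret_key")


def lint_s3_config(cfg):
    """Return findings; an empty list means nothing to fix or review."""
    # The page names STATIC as the default credentials_type.
    ctype = cfg.get("credentials_type") or "STATIC"
    if ctype not in REQUIRED:
        # Values are compared exactly, so a lowercase type is rejected.
        return [f"unknown credentials_type {ctype!r}"]
    findings = [f"{ctype}: missing {f}"
                for f in ALWAYS + REQUIRED[ctype] if not cfg.get(f)]
    if ctype == "STATIC":
        # Advisory only: a static key is valid but long-lived.
        findings.append("STATIC: long-lived key in use")
    else:
        # Keys left beside a role-based type are unused secrets that
        # still travel in the request body.
        findings += [f"{ctype}: remove unused {f}"
                     for f in STATIC_ONLY if cfg.get(f)]
    return findings


# Constructed sample inputs; every value is a placeholder.
ROLE_OK = {
    "credentials_type": "ASSUME_CUSTOMER_ROLE", "region": "us-east-2",
    "bucket": "example-bucket", "object": "rules.json",
    "assume_role_name": "example-role",
    "assume_role_external_id": "example-external-id",
    "account_id": "000000000000",
}
ROLE_LEFTOVER = dict(ROLE_OK, access_key="EXAMPLE_ACCESS_KEY",
                     assume_role_external_id="")
STATIC_CFG = {"region": "us-east-2", "bucket": "example-bucket",
              "object": "rules.json", "access_key": "EXAMPLE_ACCESS_KEY",
              "secret_key": "example-secret"}

if __name__ == "__main__":
    for cfg in (ROLE_OK, ROLE_LEFTOVER, STATIC_CFG):
        print(lint_s3_config(cfg))
```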
