Get Parse Status

Retrieve the parsing status and details for a specific data source

Endpoint

GET /api/v1/providers/datasources/{id}/parse_status

Description

Returns the current parsing status for a specific data source, including information about the last parse operation and any errors that occurred.

API Reference

Path Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| id | string | Required | The data source ID |

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources/6961b032-3fd7-4baa-a230-146d1b70ec27/parse_status" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{
  "value": {
    "datasource_id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
    "status": "SUCCESS",
    "last_parsed_at": "2022-01-13T20:53:29Z",
    "parse_duration_seconds": 45,
    "entities_processed": 1250,
    "errors_count": 0,
    "warnings_count": 2
  }
}

Integration APIs

Programmatic configuration of providers and data sources

The Veza management API enables internal tooling to automate administration of cloud providers and data sources. Each supported provider has endpoints to get, create, and modify the current configurations, which can be useful when integrating with environments spanning many provider accounts.

These customer-facing APIs are all available under the prefix <VezaURL>/api/v1/, for example:

https://company.veza.com/api/v1/providers/datasources

Notes

  • A data plane ID is required when adding a custom provider. This value refers to the Insight Point used for discovery, or the GUID of the built-in data plane. To get all available IDs, navigate to Administration > Insight Point. Unless you have deployed an Insight Point within your environment, the only entry will be for the internal data plane.

  • If a request is unsuccessful, an error message will provide additional details and troubleshooting steps.

Authentication

You can issue new API keys from Administration > API Keys > Add New API Key. Provide the key as the bearer auth token in the header of each request.

Users must have the admin role to add/modify provider configurations. Configurations can be viewed by users with the operator role.

Sample Integrations and Tools

Please contact your support team for private repository access.

Register Accounts - Use the management API to add multiple AWS accounts from CSV.

Veza Python Client - Simple Python class for making REST API calls to Veza.

Cloud Formation Stacks - Configure multiple AWS accounts for Veza discovery by enabling the required assume role operations and IAM permissions.

Open Authorization APIs

If your organization uses applications, data sources, or identity providers not natively supported by Veza, you may be able to add them to your data catalog using Open Authorization APIs. You will need to query the provider to retrieve entity and permissions metadata and push the payload to Veza for parsing in a template format.

Endpoints for administering custom resources (/providers/custom/*) are described in OAA Push API.

Get Data Source

Retrieve status and details for an individual data source

Endpoint

GET /api/v1/providers/datasources/{id}

Description

Returns status and configuration details for an individual data source by its ID.

API Reference

Path Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| id | string | Required | The data source ID |

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources/6961b032-3fd7-4baa-a230-146d1b70ec27" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{
  "value": {
    "id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
    "name": "AWS EC2 (527398259632)",
    "datasource_type": "EXTRACTOR",
    "agent_type": "AWS_EC2",
    "status": "SUCCESS",
    "provider_id": "cd0cf102-e86c-4599-9cbe-64d2c6b83236",
    "path": "AWS/ec2",
    "state": "ENABLED",
    "effective_state": "ENABLED",
    "datasource_config": null,
    "created_at": "2021-10-26T07:10:38Z",
    "updated_at": "2021-10-26T07:10:38Z",
    "synced_at": "2022-01-13T20:53:23Z",
    "parsed_at": "2022-01-13T20:53:29Z"
  }
}

Disable Data Source

Pause discovery and extraction for a data source

Endpoint

PUT /api/v1/providers/datasources/{id}:disable

Description

Pause discovery and extraction for a data source. This will cancel all pending extractions for the specified data source.

Disabling a data source will cancel all pending extractions and prevent new data from being collected until the data source is re-enabled.

API Reference

Path Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| id | string | Required | The data source ID |

Request Examples

curl -X PUT "$BASE_URL/api/v1/providers/datasources/6961b032-3fd7-4baa-a230-146d1b70ec27:disable" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{}

List Lifecycle Manager Datasources

Lists all data sources that have enabled lifecycle management and their supported capabilities

Endpoint

GET /api/v1/providers/datasources/lifecycle_managers

Description

Lists all data sources that have enabled lifecycle management and their detailed capabilities. This endpoint shows which systems can be used as sources of identity information and as targets for access management operations in Veza Lifecycle Management.

Use this endpoint to:

  • Discover which datasources support lifecycle management

  • View the capabilities each datasource provides

  • Get datasource IDs needed for other lifecycle management operations

  • Identify available actions, syncable attributes, and grantable entitlements for each datasource

API Reference

Query Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| filter | string | Optional | When present, only returns data sources matching the filter |
| order_by | string | Optional | Sort results by specified field |
| page_size | integer | Optional | The maximum number of results to return. Fewer results may be returned even when more pages exist |
| page_token | string | Optional | The token specifying the specific page of results to retrieve |

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers" \
  -H "authorization: Bearer $VEZA_TOKEN"

curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers?page_size=10" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

{
  "values": [
    {
      "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
      "name": "Workday Integration", 
      "provider_type": "WORKDAY",
      "external_id": "https://wd5-impl-services1.workday.com/veza_preview",
      "lifecycle_management_enabled": true,
      "supported_capabilities": [
        "IDENTITY_SOURCE",
        "ACCESS_TARGET"
      ]
    },
    {
      "id": "2b1c8d4e-5f2a-4b3c-9e7f-1d2e3f4a5b6c",
      "name": "Active Directory",
      "provider_type": "ACTIVE_DIRECTORY", 
      "external_id": "corp.example.com",
      "lifecycle_management_enabled": true,
      "supported_capabilities": [
        "ACCESS_TARGET"
      ]
    }
  ],
  "has_more": false,
  "next_page_token": ""
}

{
  "values": [
    {
      "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
      "name": "SCIM Demo Server",
      "provider_type": "SCIM",
      "external_id": "https://scim.example.com",
      "lifecycle_management_enabled": true,
      "supported_capabilities": [
        "ACCESS_TARGET"
      ],
      "available_actions": [
        {
          "action_type": "MANAGE_RELATIONSHIPS",
          "description": "Add or remove user memberships in groups",
          "supported_entity_types": ["User", "Group"],
          "supported_relationship_types": ["MemberOf"]
        }
      ],
      "syncable_attributes": [
        {
          "entity_type": "User",
          "attributes": [
            {
              "name": "userName",
              "type": "string",
              "required": true,
              "description": "Primary identifier for the user"
            },
            {
              "name": "displayName", 
              "type": "string",
              "required": false,
              "description": "Display name for the user"
            },
            {
              "name": "emails",
              "type": "array",
              "required": false,
              "description": "Email addresses associated with the user"
            }
          ]
        },
        {
          "entity_type": "Group",
          "attributes": [
            {
              "name": "displayName",
              "type": "string", 
              "required": true,
              "description": "Display name for the group"
            }
          ]
        }
      ],
      "grantable_entitlements": [
        {
          "entity_type": "Group",
          "entitlement_type": "MemberOf",
          "description": "Grant membership in the specified group"
        }
      ]
    }
  ],
  "has_more": false,
  "next_page_token": ""
}

Response Fields

Basic Datasource Information

  • id: Unique identifier for the datasource

  • name: Human-readable name of the datasource

  • provider_type: The type of integration (e.g., SCIM, WORKDAY, ACTIVE_DIRECTORY)

  • external_id: External system identifier or endpoint URL

  • lifecycle_management_enabled: Whether LCM is enabled for this datasource

Supported Capabilities

The supported_capabilities field indicates what operations each datasource can perform:

  • IDENTITY_SOURCE: Can provide identity information for lifecycle management

  • ACCESS_TARGET: Can receive and execute access management operations

Available Actions

The available_actions array details specific lifecycle management operations supported:

  • action_type: Type of action (e.g., MANAGE_RELATIONSHIPS)

  • description: Human-readable description of the action

  • supported_entity_types: Entity types this action can work with (User, Group, etc.)

  • supported_relationship_types: Relationship types this action can manage (MemberOf, etc.)

Syncable Attributes

The syncable_attributes array shows which entity attributes can be synchronized:

  • entity_type: The type of entity (User, Group, etc.)

  • attributes: Array of attribute definitions including:

    • name: Attribute name in the target system

    • type: Data type (string, array, boolean, etc.)

    • required: Whether the attribute is required

    • description: Purpose and usage of the attribute

Grantable Entitlements

The grantable_entitlements array shows what access can be granted through this datasource:

  • entity_type: Type of entity that can grant access (typically Group)

  • entitlement_type: Type of entitlement relationship (MemberOf, etc.)

  • description: What access is granted through this entitlement
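The pagination fields and response fields described above can be combined into an inventory of which datasources are able to execute access changes. The following is an added example, not code from Veza or from the original page: it follows next_page_token until has_more is false, then reports every ACCESS_TARGET datasource with its grantable entitlements. The function names, the sample pages and the sample IDs are constructed for illustration; BASE_URL and VEZA_TOKEN are the variables used by the curl examples.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

LCM_PATH = "/api/v1/providers/datasources/lifecycle_managers"


def make_fetch(base_url, token):
    """Build fetch(path, params) that sends the API key as a bearer token."""
    def fetch(path, params):
        url = base_url.rstrip("/") + path + "?" + urlencode(params)
        request = Request(url, headers={"authorization": "Bearer " + token})
        with urlopen(request, timeout=30) as response:
            return json.load(response)
    return fetch


def iter_lifecycle_managers(fetch, page_size=10, max_pages=500):
    """Yield every lifecycle manager datasource, following page tokens."""
    page_token, seen = "", set()
    for _ in range(max_pages):
        params = {"page_size": page_size}
        if page_token:
            params["page_token"] = page_token
        page = fetch(LCM_PATH, params)
        # A short page is not the end of the data: only has_more decides.
        yield from page.get("values", [])
        if not page.get("has_more"):
            return
        page_token = page.get("next_page_token", "")
        if not page_token or page_token in seen:
            raise RuntimeError("has_more is true but the page token is empty or repeated")
        seen.add(page_token)
    raise RuntimeError("stopped after max_pages pages; inventory is incomplete")


def access_target_report(datasources):
    """List datasources that can execute access changes, with what they can grant."""
    report = []
    for ds in datasources:
        if not ds.get("lifecycle_management_enabled"):
            continue
        if "ACCESS_TARGET" not in ds.get("supported_capabilities", []):
            continue
        # The basic response omits grantable_entitlements; treat that as "none listed".
        grants = sorted(
            f'{e["entity_type"]}:{e["entitlement_type"]}'
            for e in ds.get("grantable_entitlements", [])
        )
        report.append({"id": ds["id"], "name": ds["name"],
                       "provider_type": ds["provider_type"], "grants": grants})
    return report


# Constructed sample pages (IDs and the page token are made up). The first page
# returns fewer results than requested while has_more is still true.
SAMPLE_PAGES = {
    "": {
        "values": [{
            "id": "sample-workday", "name": "Workday Integration",
            "provider_type": "WORKDAY", "lifecycle_management_enabled": True,
            "supported_capabilities": ["IDENTITY_SOURCE", "ACCESS_TARGET"],
        }],
        "has_more": True, "next_page_token": "sample-page-2",
    },
    "sample-page-2": {
        "values": [{
            "id": "sample-scim", "name": "SCIM Demo Server",
            "provider_type": "SCIM", "lifecycle_management_enabled": True,
            "supported_capabilities": ["ACCESS_TARGET"],
            "grantable_entitlements": [
                {"entity_type": "Group", "entitlement_type": "MemberOf"}],
        }, {
            "id": "sample-hr", "name": "HR Feed",
            "provider_type": "WORKDAY", "lifecycle_management_enabled": True,
            "supported_capabilities": ["IDENTITY_SOURCE"],
        }],
        "has_more": False, "next_page_token": "",
    },
}


def sample_fetch(path, params):
    """Offline stand-in for make_fetch(), keyed by page_token."""
    return SAMPLE_PAGES[params.get("page_token", "")]


if __name__ == "__main__":
    # Against a live tenant, replace sample_fetch with
    # make_fetch(os.environ["BASE_URL"], os.environ["VEZA_TOKEN"]).
    for row in access_target_report(iter_lifecycle_managers(sample_fetch, page_size=2)):
        print(row["provider_type"], row["name"], row["grants"] or "(no entitlements listed)")
```
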

List by Action Type

Find lifecycle management datasources that support specific action types and entity relationships

Endpoint

GET /api/v1/providers/datasources/lifecycle_managers:by_action_type

Description

Returns Lifecycle Management datasources filtered by their supported action types, entity types, and relationship types. This endpoint helps you find datasources that can perform specific lifecycle management operations.

API Reference

Query Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| action_type | integer | Optional | Filter by specific LCM action type. See Action Type Values below. See the OpenAPI schema for details. |
| entity_type | string | Optional | Filter by entity type that the datasource can work with |
| relationship_type | string | Optional | Filter by relationship type that the datasource can manage |

Action Type Values

| Value | Name |
| --- | --- |
| 0 | NONE |
| 1 | SYNC_IDENTITIES |
| 2 | MANAGE_RELATIONSHIPS |
| 3 | CREATE_EMAIL |
| 4 | DEPROVISION_IDENTITY |
| 5 | ACCESS_PLAN |
| 6 | WRITE_BACK_EMAIL |
| 7 | PAUSE |
| 8 | SEND_NOTIFICATION |
| 9 | CUSTOM_ACTION |
| 10 | CREATE_ENTITLEMENT |
| 11 | CREATE_ACCESS_REVIEW |
| 12 | RESET_PASSWORD |
| 13 | DELETE_IDENTITY |

Request Examples

# Find datasources that support SYNC_IDENTITIES operations (action_type=1)
curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers:by_action_type?action_type=1" \
  -H "authorization: Bearer $VEZA_TOKEN"
# Find datasources that can manage User entities
curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers:by_action_type?entity_type=User" \
  -H "authorization: Bearer $VEZA_TOKEN"
# Find datasources that support SYNC_IDENTITIES operations on Users with MemberOf relationships
curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers:by_action_type?action_type=1&entity_type=User&relationship_type=MemberOf" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{
  "values": [
    {
      "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
      "name": "Workday Integration",
      "provider_type": "WORKDAY",
      "external_id": "https://wd5-impl-services1.workday.com/veza_preview",
      "lifecycle_management_enabled": true,
      "supported_capabilities": [
        "IDENTITY_SOURCE",
        "ACCESS_TARGET"
      ]
    }
  ],
  "has_more": false,
  "next_page_token": ""
}

Update Data Source

Update the name for a given data source ID

Endpoint

PUT /api/v1/providers/datasources/{id}

Description

Update the name for a given data source ID. This endpoint allows you to modify the display name of an existing data source.

API Reference

Path Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| id | string | Required | The data source ID |

Request Body

| Field | Type | Required? | Description |
| --- | --- | --- | --- |
| name | string | Optional | New name for the data source |

Request Examples

curl -X PUT "$BASE_URL/api/v1/providers/datasources/6961b032-3fd7-4baa-a230-146d1b70ec27" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "name": "AWS EC2 Production Environment"
  }'

Response Examples

Standard Response:

{
  "value": {
    "id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
    "name": "AWS EC2 Production Environment",
    "datasource_type": "EXTRACTOR",
    "agent_type": "AWS_EC2",
    "status": "SUCCESS",
    "provider_id": "cd0cf102-e86c-4599-9cbe-64d2c6b83236",
    "path": "AWS/ec2",
    "state": "ENABLED",
    "effective_state": "ENABLED",
    "datasource_config": null,
    "created_at": "2021-10-26T07:10:38Z",
    "updated_at": "2024-01-15T10:30:45Z",
    "synced_at": "2022-01-13T20:53:23Z",
    "parsed_at": "2022-01-13T20:53:29Z"
  }
}

Get Lifecycle Manager Datasource

Retrieve details for a specific lifecycle management datasource

Endpoint

GET /api/v1/providers/datasources/lifecycle_managers/{id}

Description

Returns detailed information for a specific lifecycle management datasource by its ID, including its supported capabilities, available actions, syncable attributes, and grantable entitlements.

API Reference

Path Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| id | string | Required | The lifecycle management datasource ID |

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers/549a4b5e-0328-4c87-a19d-ee8a2926d1aa" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

{
  "value": {
    "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
    "name": "Workday Integration",
    "provider_type": "WORKDAY",
    "external_id": "https://wd5-impl-services1.workday.com/veza_preview",
    "lifecycle_management_enabled": true,
    "supported_capabilities": [
      "IDENTITY_SOURCE",
      "ACCESS_TARGET"
    ]
  }
}

{
  "value": {
    "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
    "name": "SCIM Demo Server",
    "provider_type": "SCIM",
    "external_id": "https://scim.example.com",
    "lifecycle_management_enabled": true,
    "supported_capabilities": [
      "ACCESS_TARGET"
    ],
    "available_actions": [
      {
        "action_type": "MANAGE_RELATIONSHIPS",
        "description": "Add or remove user memberships in groups",
        "supported_entity_types": ["User", "Group"],
        "supported_relationship_types": ["MemberOf"]
      }
    ],
    "syncable_attributes": [
      {
        "entity_type": "User",
        "attributes": [
          {
            "name": "userName",
            "type": "string",
            "required": true,
            "description": "Primary identifier for the user"
          },
          {
            "name": "displayName", 
            "type": "string",
            "required": false,
            "description": "Display name for the user"
          },
          {
            "name": "emails",
            "type": "array",
            "required": false,
            "description": "Email addresses associated with the user"
          }
        ]
      },
      {
        "entity_type": "Group",
        "attributes": [
          {
            "name": "displayName",
            "type": "string", 
            "required": true,
            "description": "Display name for the group"
          }
        ]
      }
    ],
    "grantable_entitlements": [
      {
        "entity_type": "Group",
        "entitlement_type": "MemberOf",
        "description": "Grant membership in the specified group"
      }
    ]
  }
}

For detailed information about the response fields, see the List Lifecycle Manager Datasources documentation.

Data Sources

Operations for managing data sources including listing, updating, enabling, disabling, and status monitoring

Each cloud provider will have one or more associated data sources. Each represents a discrete instance of a service that Veza connects to for the discovery and extraction of authorization metadata.

The provider under /providers/aws/{id}, for example, may have an associated EC2 data source, represented as:

{
  "id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
  "name": "AWS EC2 (527398259632)",
  "datasource_type": "EXTRACTOR",
  "agent_type": "AWS_EC2",
  "status": "SUCCESS",
  "provider_id": "cd0cf102-e86c-4599-9cbe-64d2c6b83236",
  "path": "AWS/ec2",
  "state": "ENABLED",
  "effective_state": "ENABLED",
  "datasource_config": null,
  "created_at": "2021-10-26T07:10:38Z",
  "updated_at": "2021-10-26T07:10:38Z",
  "synced_at": "2022-01-13T20:53:23Z",
  "parsed_at": "2022-01-13T20:53:29Z"
}

You can use the API to get or update data source records, or enable and disable individual data sources.

Disabling a data source will cancel all pending extractions.

Available Endpoints

Core Data Source Operations

  • List Data Sources: Retrieve all data sources with filtering and pagination

  • Get Data Source: Retrieve details for a specific data source

  • Update Data Source: Update the name for a data source

  • Disable Data Source: Pause discovery and extraction for a data source

  • Enable Data Source: Resume monitoring and queue for extraction

Lifecycle Management Operations

  • List Lifecycle Manager Datasources: List datasources with lifecycle management capabilities

  • Get Lifecycle Manager Datasource: Get details for a specific lifecycle manager datasource

  • List by Action Type: Find datasources that support specific action types

Status and Monitoring

  • Get Parse Status: Retrieve parsing status and details

  • Get Sync Status: Retrieve synchronization status and details

Related APIs

For working with custom applications and Open Authorization API (OAA), see:

  • Open Authorization API

  • OAA Operations

Get Sync Status

Retrieve the synchronization status and details for a specific data source

Endpoint

GET /api/v1/providers/datasources/{id}/sync_status

Description

Returns the current synchronization status for a specific data source, including information about the last sync operation and any errors that occurred during data extraction.

API Reference

Path Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| id | string | Required | The data source ID |

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources/6961b032-3fd7-4baa-a230-146d1b70ec27/sync_status" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{
  "value": {
    "datasource_id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
    "status": "SUCCESS",
    "last_synced_at": "2022-01-13T20:53:23Z",
    "sync_duration_seconds": 120,
    "records_extracted": 5000,
    "errors_count": 0,
    "next_scheduled_sync": "2022-01-14T08:00:00Z"
  }
}
GET /api/v1/providers/datasources/{id}/parse_status HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "job_status": {
    "id": "text",
    "status": "text"
  }
}
GET /api/v1/providers/datasources/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "value": {}
}
PUT /api/v1/providers/datasources/{id}:disable HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
GET /api/v1/providers/datasources/lifecycle_managers HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "values": [
    {
      "id": "text",
      "enabled": true,
      "datasource": {},
      "definition": {
        "source_of_identity_definition": {
          "entity_type": "text"
        },
        "actions": [
          {
            "type": 1,
            "idempotent": true,
            "input_entity_types": [
              {
                "name": "text",
                "description": "text",
                "available_entity_types": [
                  "text"
                ]
              }
            ],
            "output_entity_types": [
              {
                "name": "text",
                "description": "text",
                "available_entity_types": [
                  "text"
                ]
              }
            ],
            "definition": {
              "@type": "text",
              "ANY_ADDITIONAL_PROPERTY": "anything"
            }
          }
        ]
      }
    }
  ],
  "next_page_token": "text",
  "has_more": true
}
GET /api/v1/providers/datasources/lifecycle_managers:by_action_type HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "values": [
    {
      "id": "text",
      "enabled": true,
      "datasource": {},
      "definition": {
        "source_of_identity_definition": {
          "entity_type": "text"
        },
        "actions": [
          {
            "type": 1,
            "idempotent": true,
            "input_entity_types": [
              {
                "name": "text",
                "description": "text",
                "available_entity_types": [
                  "text"
                ]
              }
            ],
            "output_entity_types": [
              {
                "name": "text",
                "description": "text",
                "available_entity_types": [
                  "text"
                ]
              }
            ],
            "definition": {
              "@type": "text",
              "ANY_ADDITIONAL_PROPERTY": "anything"
            }
          }
        ]
      }
    }
  ]
}
PUT /api/v1/providers/datasources/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "id": "text",
  "name": "text"
}
{
  "value": {}
}
GET /api/v1/providers/datasources/lifecycle_managers/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "value": {
    "id": "text",
    "enabled": true,
    "datasource": {},
    "definition": {
      "source_of_identity_definition": {
        "entity_type": "text"
      },
      "actions": [
        {
          "type": 1,
          "idempotent": true,
          "input_entity_types": [
            {
              "name": "text",
              "description": "text",
              "available_entity_types": [
                "text"
              ]
            }
          ],
          "output_entity_types": [
            {
              "name": "text",
              "description": "text",
              "available_entity_types": [
                "text"
              ]
            }
          ],
          "definition": {
            "@type": "text",
            "ANY_ADDITIONAL_PROPERTY": "anything"
          }
        }
      ]
    }
  }
}

Enable/Disable Providers

API operations for enabling and disabling provider connections

The v1/providers API includes endpoints to enable or disable integrations by provider id. This allows you to temporarily pause data extraction and synchronization for specific providers when needed, without deleting the configuration.

The provider_id value should be obtained from the provider listing APIs (e.g., /api/v1/providers/aws for AWS providers).

Enable Provider

Activate a provider connection that was disabled.

Disable Provider

Deactivates a provider connection until it is re-enabled, preserving the configured settings.

GET /api/v1/providers/datasources/{id}/sync_status HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "job_status": {
    "id": "text",
    "status": "text"
  }
}

Authentication Required

This endpoint requires a valid Veza API key for authentication.

See Authentication for more about creating and managing API keys.

All requests must include the API key as a Bearer token in the Authorization header.

Example:

curl -X PUT \
  "https://{tenant}.vezacloud.com/api/v1/providers/{id}:enable" \
  -H "accept: application/json" \
  -H "Authorization: Bearer {your_api_key}"
curl -X PUT \
  "https://{tenant}.vezacloud.com/api/v1/providers/{id}:disable" \
  -H "accept: application/json" \
  -H "Authorization: Bearer {your_api_key}"

Enable Data Source

Resume monitoring and queue the data source for extraction

Endpoint

PUT /api/v1/providers/datasources/{id}:enable

Description

Resume monitoring and queue the data source for extraction. This will re-enable a previously disabled data source and schedule it for data collection.

Authentication Required

This endpoint requires a valid Veza API key for authentication.

See Authentication for more about creating and managing API keys.

All requests must include the API key as a Bearer token in the Authorization header.

Example:

API Reference

Path Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| id | string | Required | The data source ID |

Request Examples

curl -X PUT "$BASE_URL/api/v1/providers/datasources/6961b032-3fd7-4baa-a230-146d1b70ec27:enable" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{}


PUT /api/v1/providers/{id}:enable HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
PUT /api/v1/providers/{id}:disable HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
PUT /api/v1/providers/datasources/{id}:enable HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}

Disable AWS Services using Provider Management APIs

Overview

This guide explains how to disable specific AWS services across multiple AWS integrations (providers) using the Veza API. Limiting AWS service extraction can reduce processing overhead, help teams focus on relevant services, or exclude analytics platforms like DATABRICKS that may not be deployed or required for visibility in Veza. This is particularly useful for organizations with many AWS accounts who need to disable unused services at scale.

In the JSON AWS provider configuration, the services array acts as an allow list that controls which AWS services Veza will discover and extract:

  • Empty array [] = All available AWS services are enabled for discovery

  • Populated array = Only the listed services are enabled; all others are disabled

To disable specific services, you must populate the array with only the services you want to monitor.

Before you start

Before you update AWS provider services, ensure:

  • You have API access credentials for your Veza instance (see Authentication for API key setup)

  • You have the VEZA_TOKEN environment variable configured

  • You have the VEZA_URL environment variable set to your instance (e.g., https://yourcompany.cookiecloud.ai)

  • You have appropriate permissions to modify provider configurations

  • You understand that empty services arrays mean ALL services are enabled

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

First, retrieve all AWS provider configurations to understand your current setup:

curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws"

Understanding the response:

  • Providers with empty services: [] arrays have ALL services enabled

  • Providers with populated services arrays only extract the listed services

  • Note the id, name, and account_id fields for providers you want to modify

Example response structure:

{
  "values": [
    {
      "id": "12345678-1234-5678-9012-123456789012",
      "name": "Production AWS Account", 
      "account_id": "123456789012",
      "services": [],
      "state": "ENABLED"
    },
    {
      "id": "87654321-4321-8765-2109-876543210987",
      "name": "Development AWS Account",
      "account_id": "987654321098", 
      "services": ["S3", "RDS_POSTGRES", "LAMBDA"],
      "state": "ENABLED"
    }
  ]
}

Step 2: Identify target providers and services

  1. Identify which providers to modify based on:

    • Provider names that match your AWS accounts

    • Account IDs that correspond to your AWS accounts

    • Current services configuration

  2. Determine your desired services configuration:

    Option A: Disable DATABRICKS only

    {
      "services": [
        "REDSHIFT", "REDSHIFT_CLUSTER", "S3", "RDS_POSTGRES", "RDS_MYSQL", 
        "RDS_ORACLE", "RDS", "DYNAMODB", "KMS", "EMR", "ORGANIZATIONS", 
        "EC2", "SSO", "COGNITO", "LAMBDA", "EKS", "SECRETS_MANAGER", 
        "ECR", "AWS_IAM"
      ]
    }

    Option B: Enable only specific services

    {
      "services": [
        "S3", "RDS_POSTGRES", "LAMBDA", "EC2", "AWS_IAM"
      ]
    }

    Option C: Custom configuration

    • Review the available services list below

    • Create your own array with desired services

Step 3: Test with a single provider

Before updating all providers, test with one provider first:

# Replace with your actual provider ID and desired services
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"services":["S3","RDS_POSTGRES","LAMBDA","EC2","AWS_IAM"]}' \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"

Verify the change:

curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"

Check that the response shows your desired services array.

Step 4: Apply to multiple providers

Manual approach (recommended for small numbers)

Update each provider individually using their specific IDs:

# Example for multiple providers - replace with your actual IDs and services
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'

# Provider 1
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$DESIRED_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_1"

# Provider 2  
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$DESIRED_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_2"

Bulk approach (for many providers)

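Create a script for bulk updates. Use with caution: the script sends the same services array to every AWS provider the API returns, replacing whatever each provider currently has configured: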

#!/bin/bash

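# Configuration - CUSTOMIZE THESE VALUES
VEZA_URL="https://yourcompany.cookiecloud.ai"
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'

# Stop early if the API token is missing from the environment
if [ -z "${VEZA_TOKEN:-}" ]; then
    echo "Error: VEZA_TOKEN is not set"
    exit 1
fi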

echo "Starting bulk AWS provider services update..."
echo "Target services: $DESIRED_SERVICES"
echo ""

# Get all AWS provider IDs
provider_ids=$(curl -s -H "Authorization: Bearer $VEZA_TOKEN" \
                    "$VEZA_URL/api/v1/providers/aws" | \
               jq -r '.values[].id')

if [ -z "$provider_ids" ]; then
    echo "Error: No AWS providers found or API call failed"
    exit 1
fi

# Count providers
provider_count=$(echo "$provider_ids" | wc -l)
echo "Found $provider_count AWS providers to update"
echo ""

# Add confirmation prompt
read -p "Continue with bulk update? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    echo "Update cancelled"
    exit 0
fi

# Update each provider
echo "$provider_ids" | while IFS= read -r provider_id; do
    if [ -n "$provider_id" ]; then
        echo "Updating provider: $provider_id"
        
        response=$(curl -s -w "\nHTTP_STATUS:%{http_code}" -X PATCH \
                        -H "Authorization: Bearer $VEZA_TOKEN" \
                        -H "Content-Type: application/json" \
                        -d "{\"services\":$DESIRED_SERVICES}" \
                        "$VEZA_URL/api/v1/providers/aws/$provider_id")
        
        http_status=$(echo "$response" | grep "HTTP_STATUS" | cut -d: -f2)
        
        if [ "$http_status" = "200" ]; then
            echo "✓ Successfully updated provider $provider_id"
        else
            echo "✗ Failed to update provider $provider_id (HTTP $http_status)"
            echo "Response: $(echo "$response" | grep -v "HTTP_STATUS")"
        fi
        echo ""
    fi
done

echo "Bulk update completed"

Step 5: Verify changes

After updating providers, verify the changes took effect:

# Check all providers
curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws" | \
jq '.values[] | {id: .id, name: .name, services: .services}'

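# Check specific provider
# The API reference shows a single provider wrapped in a "value" object; unwrap it when present
curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID" | \
jq '(.value // .) | {id: .id, name: .name, services: .services}'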

Reversing changes

Re-enable all services

To return a provider to monitoring all services:

curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"services":[]}' \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"

Modify service configuration

To change which services are monitored:

# Example: Enable different set of services
NEW_SERVICES='["S3","LAMBDA","DYNAMODB","EC2"]'

curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$NEW_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"

Available AWS services

The following AWS services can be included in the services array:

  • S3 - Simple Storage Service

  • RDS_POSTGRES - PostgreSQL databases

  • RDS_MYSQL - MySQL databases

  • RDS_ORACLE - Oracle databases

  • RDS - General RDS service

  • DYNAMODB - DynamoDB NoSQL database

  • REDSHIFT - Redshift data warehouse

  • REDSHIFT_CLUSTER - Redshift cluster management

  • EC2 - Elastic Compute Cloud (virtual machines)

  • LAMBDA - Serverless functions

  • EKS - Elastic Kubernetes Service

  • ECR - Elastic Container Registry

  • EMR - Elastic MapReduce (big data)

  • AWS_IAM - Identity and Access Management

  • KMS - Key Management Service

  • SECRETS_MANAGER - AWS Secrets Manager

  • COGNITO - User authentication service

  • SSO - AWS Single Sign-On

  • ORGANIZATIONS - AWS Organizations

  • DATABRICKS - Analytics platform

Important notes:

  • Service availability may vary by Veza version and configuration

  • Some services may require specific permissions or setup

  • When in doubt, check your Veza UI to see which services are available for your AWS providers
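The allow-list rule in this guide has a sharp edge: subtracting services from a provider can leave an empty array, and an empty array enables every service. The Python code below is an added example (not part of the Veza documentation or product) that plans per-provider PATCH bodies from a Step 1 response; `ALL_AWS_SERVICES` is copied from the list above and is an assumption for any given tenant, and the third provider in the sample is constructed.

```python
"""Added example: plan `services` PATCH bodies for Veza AWS providers."""
import json

# Copied from this guide's "Available AWS services" list. Availability varies
# by Veza version, so confirm the set against your own tenant (assumption).
ALL_AWS_SERVICES = [
    "S3", "RDS_POSTGRES", "RDS_MYSQL", "RDS_ORACLE", "RDS", "DYNAMODB",
    "REDSHIFT", "REDSHIFT_CLUSTER", "EC2", "LAMBDA", "EKS", "ECR", "EMR",
    "AWS_IAM", "KMS", "SECRETS_MANAGER", "COGNITO", "SSO", "ORGANIZATIONS",
    "DATABRICKS",
]

# The Step 1 example response from this guide, plus one constructed provider
# (all-zero id) whose allow list contains only the service being disabled.
SAMPLE_RESPONSE = {
    "values": [
        {"id": "12345678-1234-5678-9012-123456789012",
         "name": "Production AWS Account", "services": []},
        {"id": "87654321-4321-8765-2109-876543210987",
         "name": "Development AWS Account",
         "services": ["S3", "RDS_POSTGRES", "LAMBDA"]},
        {"id": "00000000-0000-0000-0000-000000000000",
         "name": "Constructed analytics account", "services": ["DATABRICKS"]},
    ]
}


class EmptyAllowListError(ValueError):
    """The resulting array would be [], which enables ALL services."""


def effective_services(provider):
    """Expand the allow list: an empty array means every service is enabled."""
    configured = provider.get("services") or []
    return list(configured) if configured else list(ALL_AWS_SERVICES)


def plan_disable(provider, to_disable):
    """Return the PATCH body that disables `to_disable` on one provider,
    or None when the provider already excludes all of those services."""
    to_disable = set(to_disable)
    unknown = sorted(to_disable - set(ALL_AWS_SERVICES))
    if unknown:
        raise ValueError(f"unknown service name(s): {unknown}")
    current = effective_services(provider)
    remaining = [s for s in current if s not in to_disable]
    if not remaining:
        raise EmptyAllowListError(
            f"provider {provider['id']}: nothing would remain enabled, and "
            "sending [] turns every service back on"
        )
    return None if remaining == current else {"services": remaining}


def plan_all(providers_response, to_disable):
    """Map provider id -> PATCH body, or {"error": ...} where the change
    must be handled by hand. Providers that need no change are omitted."""
    plan = {}
    for provider in providers_response.get("values", []):
        try:
            body = plan_disable(provider, to_disable)
        except EmptyAllowListError as exc:
            plan[provider["id"]] = {"error": str(exc)}
        else:
            if body is not None:
                plan[provider["id"]] = body
    return plan


if __name__ == "__main__":
    print(json.dumps(plan_all(SAMPLE_RESPONSE, ["DATABRICKS"]), indent=2))
```

Each planned body can be sent with the PATCH call from Step 3; providers reported with an error are better disabled outright than patched.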

See also

  • API Reference - AWS Providers

  • AWS Provider Configuration Guide

curl -X GET "$BASE_URL/api/preview/keys" \
  -H "authorization: Bearer $VEZA_TOKEN"

List Data Sources

Retrieve all data sources with optional filtering and pagination

Endpoint

GET /api/v1/providers/datasources

Description

Returns the properties and status for all data sources. When filtering is applied, only data sources matching the filter will be returned.

Data sources represent discrete instances of services that Veza connects to for discovery and extraction of authorization metadata. Each cloud provider may have one or more associated data sources.

API Reference

Query Parameters

| Parameter | Type | Required? | Description |
| --- | --- | --- | --- |
| filter | string | Optional | When present, only returns data sources matching the filter. Available options: name, agent_type, status, state, provider_id, data_provider_id, datasource_type |
| order_by | string | Optional | Sort results by: name, agent_type, status, state, provider_id, data_provider_id, or datasource_type |
| page_size | integer (int32) | Optional | The maximum number of results to return. Fewer results may be returned even when more pages exist |
| page_token | string | Optional | The token specifying the specific page of results to retrieve |

The endpoint reference additionally gives for filter: Valid attributes: datasource_type. Valid operators: EQ. E.g. 'datasource_type eq "extractor"'

Responses

  • 200: OK (application/json)

  • default: Default error response (application/json)

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources" \
  -H "authorization: Bearer $VEZA_TOKEN"

curl -X GET "$BASE_URL/api/v1/providers/datasources?filter=status+eq+\"SUCCESS\"" \
  -H "authorization: Bearer $VEZA_TOKEN"

curl -X GET "$BASE_URL/api/v1/providers/datasources?page_size=10&order_by=name" \
  -H "authorization: Bearer $VEZA_TOKEN"

Veza expects spaces in URLs encoded as + (?datasource_type+eq+"extractor"). Some libraries encode spaces as %2B by default, which will cause errors.

Response Examples

Standard Response:

{
  "values": [
    {
      "id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
      "name": "AWS EC2 (527398259632)",
      "datasource_type": "EXTRACTOR",
      "agent_type": "AWS_EC2",
      "status": "SUCCESS",
      "provider_id": "cd0cf102-e86c-4599-9cbe-64d2c6b83236",
      "path": "AWS/ec2",
      "state": "ENABLED",
      "effective_state": "ENABLED",
      "created_at": "2021-10-26T07:10:38Z",
      "updated_at": "2021-10-26T07:10:38Z",
      "synced_at": "2022-01-13T20:53:23Z",
      "parsed_at": "2022-01-13T20:53:29Z"
    }
  ],
  "next_page_token": "ec67g",
  "has_more": false
}
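The encoding note and the paging fields above (`page_token`, `next_page_token`, `has_more`) combine into one client routine. The Python code below is an added example, not Veza's client code: it assumes the server decodes `%22` as a quote character and that `has_more: false` marks the last page; `https://veza.example` and the pages used by `demo()` are constructed.

```python
"""Added example: query building and pagination for List Data Sources."""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

DATASOURCES_PATH = "/api/v1/providers/datasources"


def datasources_url(base_url, filter_expr=None, order_by=None,
                    page_size=None, page_token=None):
    """Build the request URL from a filter written with plain spaces."""
    if filter_expr is not None and " " not in filter_expr:
        # 'a+eq+"b"' or 'a%20eq%20"b"' was encoded by hand; encoding it
        # again would send %2B or %2520 instead of the '+' Veza expects.
        raise ValueError("pass the filter with plain spaces; do not pre-encode it")
    params = {"filter": filter_expr, "order_by": order_by,
              "page_size": page_size, "page_token": page_token}
    # urlencode() uses quote_plus: ' ' becomes '+', '"' becomes '%22'.
    query = urlencode({k: v for k, v in params.items() if v is not None})
    url = base_url.rstrip("/") + DATASOURCES_PATH
    return f"{url}?{query}" if query else url


def pre_joined_query(filter_with_plus):
    """The failure the page warns about: a hand-joined '+' is sent as %2B."""
    return urlencode({"filter": filter_with_plus})


def iter_datasources(fetch, base_url, filter_expr=None, order_by=None,
                     page_size=None, max_pages=1000):
    """Yield every data source across pages.

    `fetch` is any callable that takes a URL and returns the decoded JSON
    body. A short page is not treated as the end, because fewer results may
    be returned even when more pages exist; only has_more / token decide.
    """
    token = None
    for _ in range(max_pages):
        page = fetch(datasources_url(base_url, filter_expr, order_by,
                                     page_size, token))
        yield from page.get("values", [])
        token = page.get("next_page_token")
        if not page.get("has_more") or not token:
            return
    raise RuntimeError("page limit reached; the server keeps returning has_more")


def make_fetch(api_token):
    """Real fetcher for a tenant: sends the API key as a Bearer token."""
    def fetch(url):
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {api_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# Constructed pages keyed by the page_token that requests them.
_CONSTRUCTED_PAGES = {
    None: {"values": [{"id": "ds-1"}, {"id": "ds-2"}],
           "next_page_token": "tok-2", "has_more": True},
    "tok-2": {"values": [{"id": "ds-3"}],
              "next_page_token": "ec67g", "has_more": False},
}


def demo():
    """Run the pager offline; return (ids, requested URLs)."""
    requested = []

    def fake_fetch(url):
        requested.append(url)
        token = parse_qs(urlsplit(url).query).get("page_token", [None])[0]
        return _CONSTRUCTED_PAGES[token]

    ids = [d["id"] for d in iter_datasources(
        fake_fetch, "https://veza.example",
        'datasource_type eq "extractor"', page_size=2)]
    return ids, requested


if __name__ == "__main__":
    ids, urls = demo()
    print(ids)
    print("\n".join(urls))
```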

Authentication Required

This endpoint requires a valid Veza API key for authentication.

See Authentication for more about creating and managing API keys.

All requests must include the API key as a Bearer token in the Authorization header.

Example:

curl -X GET "$BASE_URL/api/preview/keys" \
  -H "authorization: Bearer $VEZA_TOKEN"

Cloud Platforms and Data Providers

Operations for listing, adding, and modifying cloud provider configurations

You can manage Veza integrations using the management API and a Veza admin API key.

Use these operations to configure and manage cloud platform integrations including AWS, Azure, Google Cloud, Snowflake, SQL Server, and Trino providers. Each provider type has specific configuration requirements and optional parameters for controlling discovery scope.

Provider Types

Veza supports the following provider types:

  • AWS: Amazon Web Services accounts with support for IAM, S3, RDS, Redshift, and other services

  • Azure: Microsoft Azure tenants including Active Directory and SharePoint Online

  • Google Cloud: Google Cloud Platform projects and Google Workspace domains

  • Snowflake: Snowflake data warehouses and databases

  • SQL Server: Microsoft SQL Server instances

  • Trino: Trino clusters with file-based access control

For detailed integration guides, see the Integrations documentation.

Authentication

You will need an API token with administrator permissions to manage provider configurations. See API Authentication for details.

Common Provider Properties

All provider configurations share these common properties:

  • id (String): Unique identifier for the provider configuration

  • vendor_id (String): Provider-specific identifier (e.g., AWS account ID)

  • name (String): Display name for the provider

  • type (String): Provider type (AWS, AZURE, GOOGLE_CLOUD, etc.)

  • state (String): Current state (ENABLED, DISABLED)

  • data_plane_id (String): Insight Point ID used for discovery

  • status (String): Last discovery status (SUCCESS, PENDING, ERROR)

AWS Providers

AWS Provider Object Schema

AWS provider configurations include account credentials, regions, and service-specific settings:

{
  "id": "883dd869-8762-4187-8767-1c387de14b4b",
  "vendor_id": "123456789010",
  "name": "AWS-Production",
  "type": "AWS",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "account_id": "123456789010",
  "credentials_type": "ASSUME_CUSTOMER_ROLE",
  "access_key_id": "AKIA6FRNZGGIOEBZ6BEA",
  "assume_role_name": "VezaDiscoveryRole",
  "assume_role_external_id": "veza-external-id",
  "regions": [
    "us-east-1",
    "us-west-2",
    "eu-west-1"
  ],
  "db_user": "veza_user",
  "services": [
    "IAM",
    "S3",
    "RDS",
    "REDSHIFT"
  ],
  "s3_bucket_allow_list": ["prod-data-*"],
  "s3_bucket_deny_list": ["temp-*", "test-*"],
  "rds_database_allow_list": ["production"],
  "rds_database_deny_list": ["temp"]
}

AWS Configuration Fields

  • account_id (String): AWS account ID (12-digit number)

  • credentials_type (String): Authentication method - STATIC, EC2_INSTANCE_PROFILE, or ASSUME_CUSTOMER_ROLE

  • access_key_id (String): Access key ID for static credentials

  • secret_key (String): Secret access key for static credentials

  • assume_role_name (String): IAM role name for assume role authentication

  • assume_role_external_id (String): External ID for assume role authentication

  • regions (Array): List of AWS regions to discover

  • db_user (String): Database username for RDS/Redshift connections

  • services (Array): Specific AWS services to discover (empty array = all services)

AWS Service Discovery Options

Available service values for the services array:

  • IAM: Identity and Access Management

  • S3: Simple Storage Service

  • RDS: Relational Database Service

  • REDSHIFT: Redshift data warehouses

  • EC2: Elastic Compute Cloud

  • LAMBDA: Lambda functions

  • EKS: Elastic Kubernetes Service

  • COGNITO: Cognito user pools

  • SECRETS_MANAGER: Secrets Manager

  • KMS: Key Management Service

  • DYNAMODB: DynamoDB tables

AWS Resource Filtering

Use allow/deny lists to control which resources are discovered:

  • s3_bucket_allow_list: S3 bucket names to include (supports wildcards)

  • s3_bucket_deny_list: S3 bucket names to exclude

  • rds_database_allow_list: RDS database names to include

  • rds_database_deny_list: RDS database names to exclude

  • redshift_database_allow_list: Redshift database ARNs to include

  • redshift_database_deny_list: Redshift database ARNs to exclude

For detailed AWS setup instructions, see Amazon Web Services Integration.

AWS API Operations

List AWS Providers

Create AWS Provider

Get AWS Provider

Update AWS Provider

Delete AWS Provider

Get AWS Trust Policy

Check AWS Policy

Azure Providers

Azure Provider Object Schema

Azure provider configurations include tenant authentication and service settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "contoso.onmicrosoft.com",
  "name": "Azure-Production",
  "type": "AZURE",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "tenant_id": "12345678-1234-1234-1234-123456789012",
  "client_id": "87654321-4321-4321-4321-210987654321",
  "services": [
    "AZUREAD",
    "SHAREPOINT",
    "SQLSERVER"
  ],
  "gather_guest_users": true,
  "gather_disabled_users": false,
  "gather_personal_sites": true,
  "domains": ["contoso.com"],
  "sql_server_database_allow_list": ["production"],
  "sql_server_database_deny_list": ["temp"]
}

Azure Configuration Fields

  • tenant_id (String): Azure Active Directory tenant ID

  • client_id (String): Application (client) ID for service principal

  • client_secret (String): Client secret for authentication

  • auth_certificate (String): Certificate for SharePoint app-only access

  • auth_certificate_password (String): Certificate password

  • services (Array): Azure services to discover

  • gather_guest_users (Boolean): Include guest users in discovery

  • gather_disabled_users (Boolean): Include disabled users

  • gather_personal_sites (Boolean): Include personal SharePoint sites

  • domains (Array): Specific domains to discover

For detailed Azure setup instructions, see Azure Integration.

Azure API Operations

List Azure Providers

Create Azure Provider

Get Azure Provider

Update Azure Provider

Delete Azure Provider

Google Cloud Providers

Google Cloud Provider Object Schema

Google Cloud provider configurations include service account credentials and project settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "gcp-project-id",
  "name": "GCP-Production",
  "type": "GOOGLE_CLOUD",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "customer_id": "C01234567",
  "workspace_email": "[email protected]",
  "project_allow_list": ["prod-project-1", "prod-project-2"],
  "project_deny_list": ["test-*"],
  "domain_allow_list": ["company.com"],
  "domain_deny_list": [],
  "services": [
    "IAM",
    "STORAGE",
    "COMPUTE",
    "WORKSPACE",
    "BIGQUERY"
  ],
  "dataset_allow_list": ["analytics", "reporting"],
  "dataset_deny_list": ["temp_*"]
}

Google Cloud Configuration Fields

  • credentials_json (String): Service account key JSON

  • customer_id (String): Google Workspace customer ID

  • workspace_email (String): Workspace user email for service account impersonation

  • project_allow_list (Array): GCP project names to include

  • project_deny_list (Array): GCP project names to exclude

  • domain_allow_list (Array): Workspace domains to include

  • domain_deny_list (Array): Workspace domains to exclude

  • dataset_allow_list (Array): BigQuery dataset names to include

  • dataset_deny_list (Array): BigQuery dataset names to exclude

For detailed Google Cloud setup instructions, see Google Cloud Integration.

Google Cloud API Operations

List Google Cloud Providers

Create Google Cloud Provider

Get Google Cloud Provider

Update Google Cloud Provider

Delete Google Cloud Provider

Snowflake Providers

Snowflake Provider Object Schema

Snowflake provider configurations include connection details and database filtering:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "xy12345.us-east-1",
  "name": "Snowflake-Production",
  "type": "SNOWFLAKE",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "account_locator": "xy12345",
  "region": "us-east-1",
  "cloud": "aws",
  "user": "veza_user",
  "role": "VEZA_ROLE",
  "warehouse": "COMPUTE_WH",
  "database_allow_list": ["PROD_DB", "ANALYTICS_DB"],
  "database_deny_list": ["TEMP_DB", "TEST_DB"]
}

Snowflake Configuration Fields

  • account_locator (String): Snowflake account locator (e.g., "xy12345")

  • region (String): Cloud region for the Snowflake account

  • cloud (String): Cloud provider ("aws", "azure", or "gcp")

  • user (String): Snowflake username for authentication

  • password (String): Password for the Snowflake user

  • role (String): Snowflake role to use for queries

  • warehouse (String): Default warehouse for compute

  • database_allow_list (Array): Database names to include

  • database_deny_list (Array): Database names to exclude

For detailed Snowflake setup instructions, see Snowflake Integration.

Snowflake API Operations

List Snowflake Providers

Create Snowflake Provider

Get Snowflake Provider

Update Snowflake Provider

Delete Snowflake Provider

SQL Server Providers

SQL Server Provider Object Schema

SQL Server provider configurations include connection details and database filtering:

{
  "id": "90112ed7-47e7-48e6-9f05-c02d19d7f137",
  "vendor_id": "sqlserver.company.com",
  "name": "SQL-Production",
  "type": "SQL_SERVER",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "host": "sqlserver.company.com",
  "port": 1433,
  "username": "veza_user",
  "database_allow_list": ["ProductionDB", "AnalyticsDB"],
  "database_deny_list": ["TempDB", "TestDB"],
  "schema_allow_list": ["dbo", "analytics"],
  "schema_deny_list": ["temp"]
}

SQL Server Configuration Fields

  • host (String): SQL Server hostname or IP address

  • port (Integer): Port number (typically 1433)

  • username (String): SQL Server username

  • password (String): Password for authentication

  • database_allow_list (Array): Database names to include

  • database_deny_list (Array): Database names to exclude

  • schema_allow_list (Array): Schema names to include

  • schema_deny_list (Array): Schema names to exclude

For detailed SQL Server setup instructions, see SQL Server Integration.

SQL Server API Operations

List SQL Server Providers

Create SQL Server Provider

Get SQL Server Provider

Update SQL Server Provider

Delete SQL Server Provider

Trino Providers

Trino Provider Object Schema

Trino provider configurations include cluster connection details and S3 access control file settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "trino.company.com",
  "name": "Trino-Production",
  "type": "TRINO",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "host": "trino.company.com",
  "port": 8080,
  "username": "veza_user",
  "aws_s3_object_config": {
    "access_key": "AKIA...",
    "region": "us-east-1",
    "bucket": "trino-config",
    "object": "access-control.properties",
    "credentials_type": "STATIC",
    "assume_role_name": "",
    "account_id": ""
  },
  "ssl_certificate": "-----BEGIN CERTIFICATE-----\n..."
}

Trino Configuration Fields

  • host (String): Trino coordinator hostname

  • port (Integer): Trino coordinator port (typically 8080 or 8443)

  • username (String): Trino username

  • password (String): Password for authentication

  • aws_s3_object_config (Object): S3 configuration for access control file

  • ssl_certificate (String): TLS certificate for secure connections

S3 Object Configuration

The aws_s3_object_config object contains:

  • access_key (String): AWS access key ID

  • secret_key (String): AWS secret access key

  • region (String): S3 bucket region

  • bucket (String): S3 bucket name

  • object (String): Path to access control file

  • credentials_type (String): Authentication method

  • assume_role_name (String): IAM role name (for assume role)

  • assume_role_external_id (String): External ID for assume role

  • account_id (String): AWS account ID

For detailed Trino setup instructions, see Trino Integration.

Trino API Operations

List Trino Providers

Create Trino Provider

Get Trino Provider

Update Trino Provider

Delete Trino Provider

Error Handling

All provider API operations return standard HTTP status codes:

  • 200 OK: Request successful

  • 400 Bad Request: Invalid request parameters or payload

  • 401 Unauthorized: Invalid or missing API token

  • 403 Forbidden: Insufficient permissions

  • 404 Not Found: Provider configuration not found

  • 409 Conflict: Provider configuration already exists

  • 500 Internal Server Error: Server error

Error responses include a descriptive message and error code:

{
  "error": {
    "code": "INVALID_CREDENTIALS",
    "message": "The provided credentials are invalid or expired",
    "details": "AWS STS AssumeRole failed with error: Access denied"
  }
}

Best Practices

When managing provider configurations:

  1. Use descriptive names that identify the environment and purpose

  2. Implement least privilege by configuring only necessary services and resources

  3. Use allow lists rather than deny lists when possible for better security

  4. Test configurations in development environments before production

  5. Monitor discovery status regularly to ensure successful data collection

  6. Rotate credentials according to your organization's security policies

  7. Use assume role authentication for AWS providers when possible

  8. Configure resource filtering to limit discovery scope and improve performance
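Several of these practices can be checked mechanically against the provider objects the API returns. The Python code below is an added example (not a Veza tool) that lints AWS provider configurations for practices 2, 3, 5 and 7; it assumes string enum values as in the AWS schema example on this page, the finding codes are hypothetical names, and the "weak" provider is constructed.

```python
"""Added example: lint AWS provider objects against the practices above."""

# Allow/deny field pairs from the "AWS Resource Filtering" section.
FILTER_PAIRS = [
    ("s3_bucket_allow_list", "s3_bucket_deny_list"),
    ("rds_database_allow_list", "rds_database_deny_list"),
    ("redshift_database_allow_list", "redshift_database_deny_list"),
]

# Constructed weak configuration: static keys, every service enabled,
# a deny list with no allow list, and a failing discovery.
WEAK_PROVIDER = {
    "name": "AWS-Constructed-Weak",
    "state": "ENABLED",
    "status": "ERROR",
    "credentials_type": "STATIC",
    "services": [],
    "s3_bucket_deny_list": ["temp-*"],
}

# Reduced copy of the AWS schema example shown earlier on this page.
HARDENED_PROVIDER = {
    "name": "AWS-Production",
    "state": "ENABLED",
    "status": "SUCCESS",
    "credentials_type": "ASSUME_CUSTOMER_ROLE",
    "services": ["IAM", "S3", "RDS", "REDSHIFT"],
    "s3_bucket_allow_list": ["prod-data-*"],
    "s3_bucket_deny_list": ["temp-*", "test-*"],
    "rds_database_allow_list": ["production"],
    "rds_database_deny_list": ["temp"],
}


def audit_aws_provider(provider):
    """Return a list of (code, detail) findings for one provider object."""
    findings = []
    if provider.get("credentials_type") == "STATIC":
        findings.append(("static-credentials",
                         "long-lived access key in use; prefer assume role"))
    if not provider.get("services"):
        findings.append(("all-services-enabled",
                         "empty services array discovers every AWS service"))
    for allow, deny in FILTER_PAIRS:
        if provider.get(deny) and not provider.get(allow):
            findings.append(("deny-list-only",
                             f"{deny} is set without {allow}"))
    if provider.get("state") == "ENABLED" and provider.get("status") == "ERROR":
        findings.append(("discovery-error",
                         "provider is enabled but the last discovery failed"))
    return findings


def audit_all(providers):
    """Map provider name -> finding codes, omitting clean providers."""
    report = {}
    for provider in providers:
        codes = [code for code, _ in audit_aws_provider(provider)]
        if codes:
            report[provider.get("name", "<unnamed>")] = codes
    return report


if __name__ == "__main__":
    for name, codes in audit_all([WEAK_PROVIDER, HARDENED_PROVIDER]).items():
        print(name, codes)
```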

Related Documentation

  • Provider Enable/Disable APIs

  • API Authentication

  • Integration Guides

  • Insight Points

GET /api/v1/providers/datasources HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "datasource_list": [
    {
      "external_datasource_id": "text",
      "external_provider_id": "text",
      "datasource_type": "text",
      "extraction_start": "2025-09-19T09:14:42.834Z",
      "extraction_end": "2025-09-19T09:14:42.834Z",
      "datasource_name": "text",
      "is_deleted": true,
      "datasource_id": "text",
      "has_warning": true
    }
  ],
  "snapshot_not_found": true,
  "pagination_context": "text",
  "has_more": true
}
GET /api/v1/providers/aws

Responses

  • 200: OK (application/json)

  • default: Default error response (application/json)

GET /api/v1/providers/aws HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "values": [
    {
      "id": "text",
      "vendor_id": "text",
      "name": "text",
      "type": 1,
      "state": 1,
      "data_plane_id": "text",
      "status": 1,
      "redshift_database_allow_list": [
        "text"
      ],
      "redshift_database_deny_list": [
        "text"
      ],
      "rds_database_allow_list": [
        "text"
      ],
      "rds_database_deny_list": [
        "text"
      ],
      "s3_bucket_allow_list": [
        "text"
      ],
      "s3_bucket_deny_list": [
        "text"
      ],
      "extraction_policy_name": "text",
      "gather_system_tables": true,
      "gather_postgresql_system_schemas": true,
      "gather_rds_oracle_system_schemas": true,
      "team_id": "text",
      "rds_db_level_only": true,
      "rbac_id": "text",
      "account_id": "text",
      "credentials_type": 1,
      "access_key_id": "text",
      "assume_role_name": "text",
      "regions": [
        "text"
      ],
      "db_user": "text",
      "redshift_user": "text",
      "rds_mysql_user": "text",
      "rds_postgres_user": "text",
      "rds_oracle_user": "text",
      "services": [
        1
      ],
      "audit_log": {
        "state": 1,
        "status": 1,
        "cursor": "2025-09-19T09:14:42.834Z",
        "synced_at": "2025-09-19T09:14:42.834Z"
      },
      "audit_log_cloud_trail_name": "text",
      "audit_log_cloud_trail_region": "text",
      "databricks_cloud_config": {
        "account_id": "text",
        "tag_name_collector_cluster": "text"
      },
      "databricks_oauth_m2m_credentials": {
        "client_id": "text",
        "client_secret": "text"
      },
      "provisioning": true,
      "lifecycle_management_state": 1,
      "provisioning_identity_store_id": "text",
      "provisioning_scim_endpoint": "text",
      "audit_log_extract_for_org": true,
      "audit_log_skip_extraction": true
    }
  ]
}
POST /api/v1/providers/aws

Body

  • name (string, optional)

  • account_id (string, optional)

  • regions (string[], optional)

  • data_plane_id (string, optional)

  • credentials_type (integer enum, optional)

  • access_key_id (string, optional)

  • secret_key (string, optional)

  • assume_role_name (string, optional)

  • assume_role_external_id (string, optional)

  • db_user (string, optional)

  • rds_postgres_user (string, optional)

  • rds_mysql_user (string, optional)

  • rds_oracle_user (string, optional)

  • rds_oracle_password (string, optional)

  • redshift_user (string, optional)

  • services (integer enum[], optional)

  • redshift_database_allow_list (string[], optional)

  • redshift_database_deny_list (string[], optional)

  • rds_database_allow_list (string[], optional)

  • rds_database_deny_list (string[], optional)

  • s3_bucket_allow_list (string[], optional)

  • s3_bucket_deny_list (string[], optional)

  • extraction_policy_name (string, optional)

  • gather_system_tables (boolean, optional)

  • gather_postgresql_system_schemas (boolean, optional)

  • gather_rds_oracle_system_schemas (boolean, optional)

  • rds_db_level_only (boolean, optional)

  • provisioning (boolean, optional)

  • provisioning_identity_store_id (string, optional)

  • provisioning_scim_endpoint (string, optional)

  • provisioning_scim_token (string, optional)

Responses

  • 200: OK (application/json)

  • default: Default error response (application/json)

POST /api/v1/providers/aws HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 1028

{
  "name": "text",
  "account_id": "text",
  "regions": [
    "text"
  ],
  "data_plane_id": "text",
  "credentials_type": 1,
  "access_key_id": "text",
  "secret_key": "text",
  "assume_role_name": "text",
  "assume_role_external_id": "text",
  "db_user": "text",
  "rds_postgres_user": "text",
  "rds_mysql_user": "text",
  "rds_oracle_user": "text",
  "rds_oracle_password": "text",
  "redshift_user": "text",
  "services": [
    1
  ],
  "redshift_database_allow_list": [
    "text"
  ],
  "redshift_database_deny_list": [
    "text"
  ],
  "rds_database_allow_list": [
    "text"
  ],
  "rds_database_deny_list": [
    "text"
  ],
  "s3_bucket_allow_list": [
    "text"
  ],
  "s3_bucket_deny_list": [
    "text"
  ],
  "extraction_policy_name": "text",
  "gather_system_tables": true,
  "gather_postgresql_system_schemas": true,
  "gather_rds_oracle_system_schemas": true,
  "rds_db_level_only": true,
  "databricks_cloud_config": {
    "account_id": "text",
    "tag_name_collector_cluster": "text"
  },
  "databricks_oauth_m2m_credentials": {
    "client_id": "text",
    "client_secret": "text"
  },
  "provisioning": true,
  "provisioning_identity_store_id": "text",
  "provisioning_scim_endpoint": "text",
  "provisioning_scim_token": "text"
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "redshift_database_allow_list": [
      "text"
    ],
    "redshift_database_deny_list": [
      "text"
    ],
    "rds_database_allow_list": [
      "text"
    ],
    "rds_database_deny_list": [
      "text"
    ],
    "s3_bucket_allow_list": [
      "text"
    ],
    "s3_bucket_deny_list": [
      "text"
    ],
    "extraction_policy_name": "text",
    "gather_system_tables": true,
    "gather_postgresql_system_schemas": true,
    "gather_rds_oracle_system_schemas": true,
    "team_id": "text",
    "rds_db_level_only": true,
    "rbac_id": "text",
    "account_id": "text",
    "credentials_type": 1,
    "access_key_id": "text",
    "assume_role_name": "text",
    "regions": [
      "text"
    ],
    "db_user": "text",
    "redshift_user": "text",
    "rds_mysql_user": "text",
    "rds_postgres_user": "text",
    "rds_oracle_user": "text",
    "services": [
      1
    ],
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "audit_log_cloud_trail_name": "text",
    "audit_log_cloud_trail_region": "text",
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "databricks_oauth_m2m_credentials": {
      "client_id": "text",
      "client_secret": "text"
    },
    "provisioning": true,
    "lifecycle_management_state": 1,
    "provisioning_identity_store_id": "text",
    "provisioning_scim_endpoint": "text",
    "audit_log_extract_for_org": true,
    "audit_log_skip_extraction": true
  }
}
get
Authorizations
Path parameters
id: string (Required)
Responses
200

OK

application/json
default

Default error response

application/json
get
GET /api/v1/providers/aws/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "redshift_database_allow_list": [
      "text"
    ],
    "redshift_database_deny_list": [
      "text"
    ],
    "rds_database_allow_list": [
      "text"
    ],
    "rds_database_deny_list": [
      "text"
    ],
    "s3_bucket_allow_list": [
      "text"
    ],
    "s3_bucket_deny_list": [
      "text"
    ],
    "extraction_policy_name": "text",
    "gather_system_tables": true,
    "gather_postgresql_system_schemas": true,
    "gather_rds_oracle_system_schemas": true,
    "team_id": "text",
    "rds_db_level_only": true,
    "rbac_id": "text",
    "account_id": "text",
    "credentials_type": 1,
    "access_key_id": "text",
    "assume_role_name": "text",
    "regions": [
      "text"
    ],
    "db_user": "text",
    "redshift_user": "text",
    "rds_mysql_user": "text",
    "rds_postgres_user": "text",
    "rds_oracle_user": "text",
    "services": [
      1
    ],
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "audit_log_cloud_trail_name": "text",
    "audit_log_cloud_trail_region": "text",
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "databricks_oauth_m2m_credentials": {
      "client_id": "text",
      "client_secret": "text"
    },
    "provisioning": true,
    "lifecycle_management_state": 1,
    "provisioning_identity_store_id": "text",
    "provisioning_scim_endpoint": "text",
    "audit_log_extract_for_org": true,
    "audit_log_skip_extraction": true
  }
}
patch
Authorizations
Path parameters
provider.id: string (Required)
Query parameters
update_mask: string · field-mask (Optional)
Body
id: string (Optional)
account_id: string (Optional)
credentials_type: integer · enum (Optional)
access_key_id: string (Optional)
secret_key: string (Optional)
assume_role_name: string (Optional)
assume_role_external_id: string (Optional)
regions: string[] (Optional)
db_user: string (Optional)
redshift_user: string (Optional)
rds_mysql_user: string (Optional)
rds_postgres_user: string (Optional)
rds_oracle_user: string (Optional)
rds_oracle_password: string (Optional)
services: integer · enum[] (Optional)
data_plane_id: string (Optional)
redshift_database_allow_list: string[] (Optional)
redshift_database_deny_list: string[] (Optional)
rds_database_allow_list: string[] (Optional)
rds_database_deny_list: string[] (Optional)
s3_bucket_allow_list: string[] (Optional)
s3_bucket_deny_list: string[] (Optional)
extraction_policy_name: string (Optional)
gather_system_tables: boolean (Optional)
gather_rds_oracle_system_schemas: boolean (Optional)
gather_postgresql_system_schemas: boolean (Optional)
rds_db_level_only: boolean (Optional)
provisioning: boolean (Optional)
provisioning_identity_store_id: string (Optional)
provisioning_scim_endpoint: string (Optional)
provisioning_scim_token: string (Optional)
Responses
200

OK

application/json
default

Default error response

application/json
patch
PATCH /api/v1/providers/aws/{provider.id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 1026

{
  "id": "text",
  "account_id": "text",
  "credentials_type": 1,
  "access_key_id": "text",
  "secret_key": "text",
  "assume_role_name": "text",
  "assume_role_external_id": "text",
  "regions": [
    "text"
  ],
  "db_user": "text",
  "redshift_user": "text",
  "rds_mysql_user": "text",
  "rds_postgres_user": "text",
  "rds_oracle_user": "text",
  "rds_oracle_password": "text",
  "services": [
    1
  ],
  "data_plane_id": "text",
  "redshift_database_allow_list": [
    "text"
  ],
  "redshift_database_deny_list": [
    "text"
  ],
  "rds_database_allow_list": [
    "text"
  ],
  "rds_database_deny_list": [
    "text"
  ],
  "s3_bucket_allow_list": [
    "text"
  ],
  "s3_bucket_deny_list": [
    "text"
  ],
  "extraction_policy_name": "text",
  "gather_system_tables": true,
  "gather_rds_oracle_system_schemas": true,
  "gather_postgresql_system_schemas": true,
  "rds_db_level_only": true,
  "databricks_cloud_config": {
    "account_id": "text",
    "tag_name_collector_cluster": "text"
  },
  "databricks_oauth_m2m_credentials": {
    "client_id": "text",
    "client_secret": "text"
  },
  "provisioning": true,
  "provisioning_identity_store_id": "text",
  "provisioning_scim_endpoint": "text",
  "provisioning_scim_token": "text"
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "redshift_database_allow_list": [
      "text"
    ],
    "redshift_database_deny_list": [
      "text"
    ],
    "rds_database_allow_list": [
      "text"
    ],
    "rds_database_deny_list": [
      "text"
    ],
    "s3_bucket_allow_list": [
      "text"
    ],
    "s3_bucket_deny_list": [
      "text"
    ],
    "extraction_policy_name": "text",
    "gather_system_tables": true,
    "gather_postgresql_system_schemas": true,
    "gather_rds_oracle_system_schemas": true,
    "team_id": "text",
    "rds_db_level_only": true,
    "rbac_id": "text",
    "account_id": "text",
    "credentials_type": 1,
    "access_key_id": "text",
    "assume_role_name": "text",
    "regions": [
      "text"
    ],
    "db_user": "text",
    "redshift_user": "text",
    "rds_mysql_user": "text",
    "rds_postgres_user": "text",
    "rds_oracle_user": "text",
    "services": [
      1
    ],
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "audit_log_cloud_trail_name": "text",
    "audit_log_cloud_trail_region": "text",
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "databricks_oauth_m2m_credentials": {
      "client_id": "text",
      "client_secret": "text"
    },
    "provisioning": true,
    "lifecycle_management_state": 1,
    "provisioning_identity_store_id": "text",
    "provisioning_scim_endpoint": "text",
    "audit_log_extract_for_org": true,
    "audit_log_skip_extraction": true
  }
}
delete
Authorizations
Path parameters
id: string (Required)
Responses
200

OK

application/json
Response: object
default

Default error response

application/json
delete
DELETE /api/v1/providers/aws/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
get
Authorizations
Query parameters
assume_role_external_id: string (Optional)
assume_role_name: string (Optional, Deprecated)
Responses
200

OK

application/json
default

Default error response

application/json
get
GET /api/v1/providers/aws:trustpolicy HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "trust_policy_json": "text"
}
get
Authorizations
Path parameters
id: string (Required)
Responses
200

OK

application/json
default

Default error response

application/json
get
GET /api/v1/providers/aws/{id}:checkpolicy HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "requires_update": true,
  "aws_account_id": "text",
  "current_policy": "text",
  "required_policy": "text",
  "required_actions": [
    "text"
  ],
  "overprivileged_actions": [
    "text"
  ]
}
get
Authorizations
Responses
200

OK

application/json
default

Default error response

application/json
get
GET /api/v1/providers/azure HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "values": [
    {
      "id": "text",
      "vendor_id": "text",
      "name": "text",
      "type": 1,
      "state": 1,
      "data_plane_id": "text",
      "status": 1,
      "gather_guest_users": true,
      "gather_disabled_users": true,
      "domains": [
        "text"
      ],
      "gather_personal_sites": true,
      "audit_log": {
        "state": 1,
        "status": 1,
        "cursor": "2025-09-19T09:14:42.834Z",
        "synced_at": "2025-09-19T09:14:42.834Z"
      },
      "government_cloud": 1,
      "extract_pim_eligibility": true,
      "dynamics365_environments": [
        "text"
      ],
      "team_id": "text",
      "dynamics_erp_environments": [
        "text"
      ],
      "authentication_type": 1,
      "account_id": "text",
      "tenant_id": "text",
      "client_id": "text",
      "services": [
        1
      ],
      "sql_server_database_allow_list": [
        "text"
      ],
      "sql_server_database_deny_list": [
        "text"
      ],
      "sql_server_schema_allow_list": [
        "text"
      ],
      "sql_server_schema_deny_list": [
        "text"
      ],
      "sql_server_gather_system_databases": true,
      "gather_postgresql_system_schemas": true,
      "postgresql_username": "text",
      "postgresql_password": "text",
      "postgresql_database_allow_list": [
        "text"
      ],
      "postgresql_database_deny_list": [
        "text"
      ],
      "postgresql_schema_allow_list": [
        "text"
      ],
      "postgresql_schema_deny_list": [
        "text"
      ],
      "databricks_cloud_config": {
        "account_id": "text",
        "tag_name_collector_cluster": "text"
      },
      "sharepoint_site_allow_list": [
        "text"
      ],
      "sharepoint_site_deny_list": [
        "text"
      ],
      "rbac_id": "text",
      "identity_mapping_configuration": {
        "mappings": [
          {
            "destination_datasource_type": "text",
            "destination_datasource_oaa_app_type": "text",
            "type": 1,
            "mode": 1,
            "transformations": [
              1
            ],
            "custom_value": "text",
            "property_matchers": [
              {
                "source_property": 1,
                "destination_property": 1,
                "custom_source_property": "text",
                "custom_destination_property": "text"
              }
            ],
            "id_matchers": [
              {
                "source_id": "text",
                "destination_id": "text"
              }
            ],
            "destination_datasources": [
              {
                "type": "text",
                "oaa_app_type": "text"
              }
            ]
          }
        ],
        "use_email": true
      },
      "user_custom_properties": [
        {
          "name": "text",
          "type": 1,
          "lcm_unique_identifier": true
        }
      ],
      "provisioning": true,
      "lifecycle_management_state": 1,
      "secret_references": [
        {
          "id": "text",
          "secret_id": "text",
          "vault_id": "text",
          "vault": {
            "id": "text",
            "name": "text",
            "vault_provider": "text",
            "insight_point_id": "text",
            "deleted": true
          }
        }
      ],
      "gather_group_extra_info": true,
      "gather_group_owner_details": true
    }
  ]
}
post
Authorizations
Body
name: string (Optional)
tenant_id: string (Optional)
client_id: string (Optional)
client_secret: string (Optional)
data_plane_id: string (Optional)
auth_certificate: string (Optional)
auth_certificate_password: string (Optional)
services: integer · enum[] (Optional)
gather_guest_users: boolean (Optional)
gather_disabled_users: boolean (Optional)
domains: string[] (Optional)
gather_personal_sites: boolean (Optional)
government_cloud: integer · enum (Optional)
extract_pim_eligibility: boolean (Optional)
dynamics365_environments: string[] (Optional)
dynamics_erp_environments: string[] (Optional)
authentication_type: integer · enum (Optional)
sql_server_database_allow_list: string[] (Optional)
sql_server_database_deny_list: string[] (Optional)
sql_server_schema_allow_list: string[] (Optional)
sql_server_schema_deny_list: string[] (Optional)
sql_server_gather_system_databases: boolean (Optional)
postgresql_username: string (Optional)
postgresql_password: string (Optional)
postgresql_database_allow_list: string[] (Optional)
postgresql_database_deny_list: string[] (Optional)
postgresql_schema_allow_list: string[] (Optional)
postgresql_schema_deny_list: string[] (Optional)
sharepoint_site_allow_list: string[] (Optional)
sharepoint_site_deny_list: string[] (Optional)
gather_postgresql_system_schemas: boolean (Optional)
provisioning: boolean (Optional)
gather_group_extra_info: boolean (Optional)
gather_group_owner_details: boolean (Optional)
Responses
200

OK

application/json
default

Default error response

application/json
post
POST /api/v1/providers/azure HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 1753

{
  "name": "text",
  "tenant_id": "text",
  "client_id": "text",
  "client_secret": "text",
  "data_plane_id": "text",
  "auth_certificate": "text",
  "auth_certificate_password": "text",
  "services": [
    1
  ],
  "gather_guest_users": true,
  "gather_disabled_users": true,
  "domains": [
    "text"
  ],
  "gather_personal_sites": true,
  "government_cloud": 1,
  "extract_pim_eligibility": true,
  "dynamics365_environments": [
    "text"
  ],
  "dynamics_erp_environments": [
    "text"
  ],
  "authentication_type": 1,
  "sql_server_database_allow_list": [
    "text"
  ],
  "sql_server_database_deny_list": [
    "text"
  ],
  "sql_server_schema_allow_list": [
    "text"
  ],
  "sql_server_schema_deny_list": [
    "text"
  ],
  "sql_server_gather_system_databases": true,
  "postgresql_username": "text",
  "postgresql_password": "text",
  "postgresql_database_allow_list": [
    "text"
  ],
  "postgresql_database_deny_list": [
    "text"
  ],
  "postgresql_schema_allow_list": [
    "text"
  ],
  "postgresql_schema_deny_list": [
    "text"
  ],
  "databricks_cloud_config": {
    "account_id": "text",
    "tag_name_collector_cluster": "text"
  },
  "sharepoint_site_allow_list": [
    "text"
  ],
  "sharepoint_site_deny_list": [
    "text"
  ],
  "gather_postgresql_system_schemas": true,
  "identity_mapping_configuration": {
    "mappings": [
      {
        "destination_datasource_type": "text",
        "destination_datasource_oaa_app_type": "text",
        "type": 1,
        "mode": 1,
        "transformations": [
          1
        ],
        "custom_value": "text",
        "property_matchers": [
          {
            "source_property": 1,
            "destination_property": 1,
            "custom_source_property": "text",
            "custom_destination_property": "text"
          }
        ],
        "id_matchers": [
          {
            "source_id": "text",
            "destination_id": "text"
          }
        ],
        "destination_datasources": [
          {
            "type": "text",
            "oaa_app_type": "text"
          }
        ]
      }
    ],
    "use_email": true
  },
  "user_custom_properties": [
    {
      "name": "text",
      "type": 1,
      "lcm_unique_identifier": true
    }
  ],
  "provisioning": true,
  "secret_references": [
    {
      "secret_id": "text",
      "vault_id": "text"
    }
  ],
  "gather_group_extra_info": true,
  "gather_group_owner_details": true
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "gather_guest_users": true,
    "gather_disabled_users": true,
    "domains": [
      "text"
    ],
    "gather_personal_sites": true,
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "government_cloud": 1,
    "extract_pim_eligibility": true,
    "dynamics365_environments": [
      "text"
    ],
    "team_id": "text",
    "dynamics_erp_environments": [
      "text"
    ],
    "authentication_type": 1,
    "account_id": "text",
    "tenant_id": "text",
    "client_id": "text",
    "services": [
      1
    ],
    "sql_server_database_allow_list": [
      "text"
    ],
    "sql_server_database_deny_list": [
      "text"
    ],
    "sql_server_schema_allow_list": [
      "text"
    ],
    "sql_server_schema_deny_list": [
      "text"
    ],
    "sql_server_gather_system_databases": true,
    "gather_postgresql_system_schemas": true,
    "postgresql_username": "text",
    "postgresql_password": "text",
    "postgresql_database_allow_list": [
      "text"
    ],
    "postgresql_database_deny_list": [
      "text"
    ],
    "postgresql_schema_allow_list": [
      "text"
    ],
    "postgresql_schema_deny_list": [
      "text"
    ],
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "sharepoint_site_allow_list": [
      "text"
    ],
    "sharepoint_site_deny_list": [
      "text"
    ],
    "rbac_id": "text",
    "identity_mapping_configuration": {
      "mappings": [
        {
          "destination_datasource_type": "text",
          "destination_datasource_oaa_app_type": "text",
          "type": 1,
          "mode": 1,
          "transformations": [
            1
          ],
          "custom_value": "text",
          "property_matchers": [
            {
              "source_property": 1,
              "destination_property": 1,
              "custom_source_property": "text",
              "custom_destination_property": "text"
            }
          ],
          "id_matchers": [
            {
              "source_id": "text",
              "destination_id": "text"
            }
          ],
          "destination_datasources": [
            {
              "type": "text",
              "oaa_app_type": "text"
            }
          ]
        }
      ],
      "use_email": true
    },
    "user_custom_properties": [
      {
        "name": "text",
        "type": 1,
        "lcm_unique_identifier": true
      }
    ],
    "provisioning": true,
    "lifecycle_management_state": 1,
    "secret_references": [
      {
        "id": "text",
        "secret_id": "text",
        "vault_id": "text",
        "vault": {
          "id": "text",
          "name": "text",
          "vault_provider": "text",
          "insight_point_id": "text",
          "deleted": true
        }
      }
    ],
    "gather_group_extra_info": true,
    "gather_group_owner_details": true
  }
}
get
Authorizations
Path parameters
id: string (Required)
Responses
200

OK

application/json
default

Default error response

application/json
get
GET /api/v1/providers/azure/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "gather_guest_users": true,
    "gather_disabled_users": true,
    "domains": [
      "text"
    ],
    "gather_personal_sites": true,
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "government_cloud": 1,
    "extract_pim_eligibility": true,
    "dynamics365_environments": [
      "text"
    ],
    "team_id": "text",
    "dynamics_erp_environments": [
      "text"
    ],
    "authentication_type": 1,
    "account_id": "text",
    "tenant_id": "text",
    "client_id": "text",
    "services": [
      1
    ],
    "sql_server_database_allow_list": [
      "text"
    ],
    "sql_server_database_deny_list": [
      "text"
    ],
    "sql_server_schema_allow_list": [
      "text"
    ],
    "sql_server_schema_deny_list": [
      "text"
    ],
    "sql_server_gather_system_databases": true,
    "gather_postgresql_system_schemas": true,
    "postgresql_username": "text",
    "postgresql_password": "text",
    "postgresql_database_allow_list": [
      "text"
    ],
    "postgresql_database_deny_list": [
      "text"
    ],
    "postgresql_schema_allow_list": [
      "text"
    ],
    "postgresql_schema_deny_list": [
      "text"
    ],
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "sharepoint_site_allow_list": [
      "text"
    ],
    "sharepoint_site_deny_list": [
      "text"
    ],
    "rbac_id": "text",
    "identity_mapping_configuration": {
      "mappings": [
        {
          "destination_datasource_type": "text",
          "destination_datasource_oaa_app_type": "text",
          "type": 1,
          "mode": 1,
          "transformations": [
            1
          ],
          "custom_value": "text",
          "property_matchers": [
            {
              "source_property": 1,
              "destination_property": 1,
              "custom_source_property": "text",
              "custom_destination_property": "text"
            }
          ],
          "id_matchers": [
            {
              "source_id": "text",
              "destination_id": "text"
            }
          ],
          "destination_datasources": [
            {
              "type": "text",
              "oaa_app_type": "text"
            }
          ]
        }
      ],
      "use_email": true
    },
    "user_custom_properties": [
      {
        "name": "text",
        "type": 1,
        "lcm_unique_identifier": true
      }
    ],
    "provisioning": true,
    "lifecycle_management_state": 1,
    "secret_references": [
      {
        "id": "text",
        "secret_id": "text",
        "vault_id": "text",
        "vault": {
          "id": "text",
          "name": "text",
          "vault_provider": "text",
          "insight_point_id": "text",
          "deleted": true
        }
      }
    ],
    "gather_group_extra_info": true,
    "gather_group_owner_details": true
  }
}
patch
Authorizations
Path parameters
provider.id: string (Required)
Query parameters
update_mask: string · field-mask (Optional)
Body
id: string (Optional)
tenant_id: string (Optional)
client_id: string (Optional)
client_secret: string (Optional)
auth_certificate: string (Optional)
auth_certificate_password: string (Optional)
services: integer · enum[] (Optional)
gather_guest_users: boolean (Optional)
gather_disabled_users: boolean (Optional)
domains: string[] (Optional)
gather_personal_sites: boolean (Optional)
government_cloud: integer · enum (Optional)
extract_pim_eligibility: boolean (Optional)
dynamics365_environments: string[] (Optional)
dynamics_erp_environments: string[] (Optional)
authentication_type: integer · enum (Optional)
sql_server_database_allow_list: string[] (Optional)
sql_server_database_deny_list: string[] (Optional)
sql_server_schema_allow_list: string[] (Optional)
sql_server_schema_deny_list: string[] (Optional)
sql_server_gather_system_databases: boolean (Optional)
postgresql_username: string (Optional)
postgresql_password: string (Optional)
postgresql_database_allow_list: string[] (Optional)
postgresql_database_deny_list: string[] (Optional)
postgresql_schema_allow_list: string[] (Optional)
postgresql_schema_deny_list: string[] (Optional)
sharepoint_site_allow_list: string[] (Optional)
sharepoint_site_deny_list: string[] (Optional)
gather_postgresql_system_schemas: boolean (Optional)
data_plane_id: string (Optional)
provisioning: boolean (Optional)
gather_group_extra_info: boolean (Optional)
gather_group_owner_details: boolean (Optional)
Responses
200

OK

application/json
default

Default error response

application/json
patch
PATCH /api/v1/providers/azure/{provider.id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 1751

{
  "id": "text",
  "tenant_id": "text",
  "client_id": "text",
  "client_secret": "text",
  "auth_certificate": "text",
  "auth_certificate_password": "text",
  "services": [
    1
  ],
  "gather_guest_users": true,
  "gather_disabled_users": true,
  "domains": [
    "text"
  ],
  "gather_personal_sites": true,
  "government_cloud": 1,
  "extract_pim_eligibility": true,
  "dynamics365_environments": [
    "text"
  ],
  "dynamics_erp_environments": [
    "text"
  ],
  "authentication_type": 1,
  "sql_server_database_allow_list": [
    "text"
  ],
  "sql_server_database_deny_list": [
    "text"
  ],
  "sql_server_schema_allow_list": [
    "text"
  ],
  "sql_server_schema_deny_list": [
    "text"
  ],
  "sql_server_gather_system_databases": true,
  "postgresql_username": "text",
  "postgresql_password": "text",
  "postgresql_database_allow_list": [
    "text"
  ],
  "postgresql_database_deny_list": [
    "text"
  ],
  "postgresql_schema_allow_list": [
    "text"
  ],
  "postgresql_schema_deny_list": [
    "text"
  ],
  "databricks_cloud_config": {
    "account_id": "text",
    "tag_name_collector_cluster": "text"
  },
  "sharepoint_site_allow_list": [
    "text"
  ],
  "sharepoint_site_deny_list": [
    "text"
  ],
  "gather_postgresql_system_schemas": true,
  "data_plane_id": "text",
  "identity_mapping_configuration": {
    "mappings": [
      {
        "destination_datasource_type": "text",
        "destination_datasource_oaa_app_type": "text",
        "type": 1,
        "mode": 1,
        "transformations": [
          1
        ],
        "custom_value": "text",
        "property_matchers": [
          {
            "source_property": 1,
            "destination_property": 1,
            "custom_source_property": "text",
            "custom_destination_property": "text"
          }
        ],
        "id_matchers": [
          {
            "source_id": "text",
            "destination_id": "text"
          }
        ],
        "destination_datasources": [
          {
            "type": "text",
            "oaa_app_type": "text"
          }
        ]
      }
    ],
    "use_email": true
  },
  "user_custom_properties": [
    {
      "name": "text",
      "type": 1,
      "lcm_unique_identifier": true
    }
  ],
  "provisioning": true,
  "secret_references": [
    {
      "secret_id": "text",
      "vault_id": "text"
    }
  ],
  "gather_group_extra_info": true,
  "gather_group_owner_details": true
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "gather_guest_users": true,
    "gather_disabled_users": true,
    "domains": [
      "text"
    ],
    "gather_personal_sites": true,
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "government_cloud": 1,
    "extract_pim_eligibility": true,
    "dynamics365_environments": [
      "text"
    ],
    "team_id": "text",
    "dynamics_erp_environments": [
      "text"
    ],
    "authentication_type": 1,
    "account_id": "text",
    "tenant_id": "text",
    "client_id": "text",
    "services": [
      1
    ],
    "sql_server_database_allow_list": [
      "text"
    ],
    "sql_server_database_deny_list": [
      "text"
    ],
    "sql_server_schema_allow_list": [
      "text"
    ],
    "sql_server_schema_deny_list": [
      "text"
    ],
    "sql_server_gather_system_databases": true,
    "gather_postgresql_system_schemas": true,
    "postgresql_username": "text",
    "postgresql_password": "text",
    "postgresql_database_allow_list": [
      "text"
    ],
    "postgresql_database_deny_list": [
      "text"
    ],
    "postgresql_schema_allow_list": [
      "text"
    ],
    "postgresql_schema_deny_list": [
      "text"
    ],
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "sharepoint_site_allow_list": [
      "text"
    ],
    "sharepoint_site_deny_list": [
      "text"
    ],
    "rbac_id": "text",
    "identity_mapping_configuration": {
      "mappings": [
        {
          "destination_datasource_type": "text",
          "destination_datasource_oaa_app_type": "text",
          "type": 1,
          "mode": 1,
          "transformations": [
            1
          ],
          "custom_value": "text",
          "property_matchers": [
            {
              "source_property": 1,
              "destination_property": 1,
              "custom_source_property": "text",
              "custom_destination_property": "text"
            }
          ],
          "id_matchers": [
            {
              "source_id": "text",
              "destination_id": "text"
            }
          ],
          "destination_datasources": [
            {
              "type": "text",
              "oaa_app_type": "text"
            }
          ]
        }
      ],
      "use_email": true
    },
    "user_custom_properties": [
      {
        "name": "text",
        "type": 1,
        "lcm_unique_identifier": true
      }
    ],
    "provisioning": true,
    "lifecycle_management_state": 1,
    "secret_references": [
      {
        "id": "text",
        "secret_id": "text",
        "vault_id": "text",
        "vault": {
          "id": "text",
          "name": "text",
          "vault_provider": "text",
          "insight_point_id": "text",
          "deleted": true
        }
      }
    ],
    "gather_group_extra_info": true,
    "gather_group_owner_details": true
  }
}
delete
Authorizations
Path parameters
id: string (Required)
Responses
200

OK

application/json
Response: object
default

Default error response

application/json
delete
DELETE /api/v1/providers/azure/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
get
Authorizations
Responses
200

OK

application/json
default

Default error response

application/json
get
GET /api/v1/providers/google_cloud HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "values": [
    {
      "id": "text",
      "vendor_id": "text",
      "name": "text",
      "type": 1,
      "state": 1,
      "data_plane_id": "text",
      "status": 1,
      "team_id": "text",
      "rbac_id": "text",
      "workspace_email": "text",
      "customer_id": "text",
      "services": [
        1
      ],
      "project_allow_list": [
        "text"
      ],
      "project_deny_list": [
        "text"
      ],
      "domain_allow_list": [
        "text"
      ],
      "domain_deny_list": [
        "text"
      ],
      "dataset_allow_list": [
        "text"
      ],
      "dataset_deny_list": [
        "text"
      ],
      "table_allow_list": [
        "text"
      ],
      "table_deny_list": [
        "text"
      ],
      "location_allow_list": [
        "text"
      ],
      "location_deny_list": [
        "text"
      ],
      "databricks_cloud_config": {
        "account_id": "text",
        "tag_name_collector_cluster": "text"
      },
      "provisioning": true,
      "lifecycle_management_state": 1,
      "audit_log": {
        "state": 1,
        "status": 1,
        "cursor": "2025-09-19T09:14:42.834Z",
        "synced_at": "2025-09-19T09:14:42.834Z"
      },
      "identity_mapping_configuration": {
        "mappings": [
          {
            "destination_datasource_type": "text",
            "destination_datasource_oaa_app_type": "text",
            "type": 1,
            "mode": 1,
            "transformations": [
              1
            ],
            "custom_value": "text",
            "property_matchers": [
              {
                "source_property": 1,
                "destination_property": 1,
                "custom_source_property": "text",
                "custom_destination_property": "text"
              }
            ],
            "id_matchers": [
              {
                "source_id": "text",
                "destination_id": "text"
              }
            ],
            "destination_datasources": [
              {
                "type": "text",
                "oaa_app_type": "text"
              }
            ]
          }
        ],
        "use_email": true
      }
    }
  ]
}
post
Authorizations
Body
name: string (Optional)
credentials_json: string · bytes (Optional)
data_plane_id: string (Optional)
workspace_email: string (Optional)
customer_id: string (Optional)
project_allow_list: string[] (Optional)
project_deny_list: string[] (Optional)
domain_allow_list: string[] (Optional)
domain_deny_list: string[] (Optional)
services: integer · enum[] (Optional)
dataset_allow_list: string[] (Optional)
dataset_deny_list: string[] (Optional)
table_allow_list: string[] (Optional)
table_deny_list: string[] (Optional)
location_allow_list: string[] (Optional)
location_deny_list: string[] (Optional)
oauth_config: string · bytes (Optional)
oauth_token: string · bytes (Optional)
provisioning: boolean (Optional)
Responses
200

OK

application/json
default

Default error response

application/json
post
POST /api/v1/providers/google_cloud HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 1039

{
  "name": "text",
  "credentials_json": "text",
  "data_plane_id": "text",
  "workspace_email": "text",
  "customer_id": "text",
  "project_allow_list": [
    "text"
  ],
  "project_deny_list": [
    "text"
  ],
  "domain_allow_list": [
    "text"
  ],
  "domain_deny_list": [
    "text"
  ],
  "services": [
    1
  ],
  "dataset_allow_list": [
    "text"
  ],
  "dataset_deny_list": [
    "text"
  ],
  "table_allow_list": [
    "text"
  ],
  "table_deny_list": [
    "text"
  ],
  "location_allow_list": [
    "text"
  ],
  "location_deny_list": [
    "text"
  ],
  "oauth_config": "text",
  "oauth_token": "text",
  "databricks_cloud_config": {
    "account_id": "text",
    "tag_name_collector_cluster": "text"
  },
  "provisioning": true,
  "identity_mapping_configuration": {
    "mappings": [
      {
        "destination_datasource_type": "text",
        "destination_datasource_oaa_app_type": "text",
        "type": 1,
        "mode": 1,
        "transformations": [
          1
        ],
        "custom_value": "text",
        "property_matchers": [
          {
            "source_property": 1,
            "destination_property": 1,
            "custom_source_property": "text",
            "custom_destination_property": "text"
          }
        ],
        "id_matchers": [
          {
            "source_id": "text",
            "destination_id": "text"
          }
        ],
        "destination_datasources": [
          {
            "type": "text",
            "oaa_app_type": "text"
          }
        ]
      }
    ],
    "use_email": true
  }
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "workspace_email": "text",
    "customer_id": "text",
    "services": [
      1
    ],
    "project_allow_list": [
      "text"
    ],
    "project_deny_list": [
      "text"
    ],
    "domain_allow_list": [
      "text"
    ],
    "domain_deny_list": [
      "text"
    ],
    "dataset_allow_list": [
      "text"
    ],
    "dataset_deny_list": [
      "text"
    ],
    "table_allow_list": [
      "text"
    ],
    "table_deny_list": [
      "text"
    ],
    "location_allow_list": [
      "text"
    ],
    "location_deny_list": [
      "text"
    ],
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "provisioning": true,
    "lifecycle_management_state": 1,
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "identity_mapping_configuration": {
      "mappings": [
        {
          "destination_datasource_type": "text",
          "destination_datasource_oaa_app_type": "text",
          "type": 1,
          "mode": 1,
          "transformations": [
            1
          ],
          "custom_value": "text",
          "property_matchers": [
            {
              "source_property": 1,
              "destination_property": 1,
              "custom_source_property": "text",
              "custom_destination_property": "text"
            }
          ],
          "id_matchers": [
            {
              "source_id": "text",
              "destination_id": "text"
            }
          ],
          "destination_datasources": [
            {
              "type": "text",
              "oaa_app_type": "text"
            }
          ]
        }
      ],
      "use_email": true
    }
  }
}
GET

Path parameters
  • id (string, required)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

GET /api/v1/providers/google_cloud/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "workspace_email": "text",
    "customer_id": "text",
    "services": [
      1
    ],
    "project_allow_list": [
      "text"
    ],
    "project_deny_list": [
      "text"
    ],
    "domain_allow_list": [
      "text"
    ],
    "domain_deny_list": [
      "text"
    ],
    "dataset_allow_list": [
      "text"
    ],
    "dataset_deny_list": [
      "text"
    ],
    "table_allow_list": [
      "text"
    ],
    "table_deny_list": [
      "text"
    ],
    "location_allow_list": [
      "text"
    ],
    "location_deny_list": [
      "text"
    ],
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "provisioning": true,
    "lifecycle_management_state": 1,
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "identity_mapping_configuration": {
      "mappings": [
        {
          "destination_datasource_type": "text",
          "destination_datasource_oaa_app_type": "text",
          "type": 1,
          "mode": 1,
          "transformations": [
            1
          ],
          "custom_value": "text",
          "property_matchers": [
            {
              "source_property": 1,
              "destination_property": 1,
              "custom_source_property": "text",
              "custom_destination_property": "text"
            }
          ],
          "id_matchers": [
            {
              "source_id": "text",
              "destination_id": "text"
            }
          ],
          "destination_datasources": [
            {
              "type": "text",
              "oaa_app_type": "text"
            }
          ]
        }
      ],
      "use_email": true
    }
  }
}
PATCH

Path parameters
  • provider.id (string, required)

Query parameters
  • update_mask (string · field-mask, optional)

Body
  • id (string, optional)
  • credentials_json (string · bytes, optional)
  • workspace_email (string, optional)
  • customer_id (string, optional)
  • project_allow_list (string[], optional)
  • project_deny_list (string[], optional)
  • domain_allow_list (string[], optional)
  • domain_deny_list (string[], optional)
  • services (integer · enum[], optional)
  • data_plane_id (string, optional)
  • dataset_allow_list (string[], optional)
  • dataset_deny_list (string[], optional)
  • table_allow_list (string[], optional)
  • table_deny_list (string[], optional)
  • location_allow_list (string[], optional)
  • location_deny_list (string[], optional)
  • oauth_config (string · bytes, optional)
  • oauth_token (string · bytes, optional)
  • provisioning (boolean, optional)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

PATCH /api/v1/providers/google_cloud/{provider.id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 1037

{
  "id": "text",
  "credentials_json": "text",
  "workspace_email": "text",
  "customer_id": "text",
  "project_allow_list": [
    "text"
  ],
  "project_deny_list": [
    "text"
  ],
  "domain_allow_list": [
    "text"
  ],
  "domain_deny_list": [
    "text"
  ],
  "services": [
    1
  ],
  "data_plane_id": "text",
  "dataset_allow_list": [
    "text"
  ],
  "dataset_deny_list": [
    "text"
  ],
  "table_allow_list": [
    "text"
  ],
  "table_deny_list": [
    "text"
  ],
  "location_allow_list": [
    "text"
  ],
  "location_deny_list": [
    "text"
  ],
  "oauth_config": "text",
  "oauth_token": "text",
  "databricks_cloud_config": {
    "account_id": "text",
    "tag_name_collector_cluster": "text"
  },
  "provisioning": true,
  "identity_mapping_configuration": {
    "mappings": [
      {
        "destination_datasource_type": "text",
        "destination_datasource_oaa_app_type": "text",
        "type": 1,
        "mode": 1,
        "transformations": [
          1
        ],
        "custom_value": "text",
        "property_matchers": [
          {
            "source_property": 1,
            "destination_property": 1,
            "custom_source_property": "text",
            "custom_destination_property": "text"
          }
        ],
        "id_matchers": [
          {
            "source_id": "text",
            "destination_id": "text"
          }
        ],
        "destination_datasources": [
          {
            "type": "text",
            "oaa_app_type": "text"
          }
        ]
      }
    ],
    "use_email": true
  }
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "workspace_email": "text",
    "customer_id": "text",
    "services": [
      1
    ],
    "project_allow_list": [
      "text"
    ],
    "project_deny_list": [
      "text"
    ],
    "domain_allow_list": [
      "text"
    ],
    "domain_deny_list": [
      "text"
    ],
    "dataset_allow_list": [
      "text"
    ],
    "dataset_deny_list": [
      "text"
    ],
    "table_allow_list": [
      "text"
    ],
    "table_deny_list": [
      "text"
    ],
    "location_allow_list": [
      "text"
    ],
    "location_deny_list": [
      "text"
    ],
    "databricks_cloud_config": {
      "account_id": "text",
      "tag_name_collector_cluster": "text"
    },
    "provisioning": true,
    "lifecycle_management_state": 1,
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "identity_mapping_configuration": {
      "mappings": [
        {
          "destination_datasource_type": "text",
          "destination_datasource_oaa_app_type": "text",
          "type": 1,
          "mode": 1,
          "transformations": [
            1
          ],
          "custom_value": "text",
          "property_matchers": [
            {
              "source_property": 1,
              "destination_property": 1,
              "custom_source_property": "text",
              "custom_destination_property": "text"
            }
          ],
          "id_matchers": [
            {
              "source_id": "text",
              "destination_id": "text"
            }
          ],
          "destination_datasources": [
            {
              "type": "text",
              "oaa_app_type": "text"
            }
          ]
        }
      ],
      "use_email": true
    }
  }
}
DELETE

Path parameters
  • id (string, required)

Responses
  • 200: OK (application/json), response: object
  • default: Default error response (application/json)

DELETE /api/v1/providers/google_cloud/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
GET

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

GET /api/v1/providers/snowflake HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "values": [
    {
      "id": "text",
      "vendor_id": "text",
      "name": "text",
      "type": 1,
      "state": 1,
      "data_plane_id": "text",
      "status": 1,
      "team_id": "text",
      "rbac_id": "text",
      "account_locator": "text",
      "region": "text",
      "cloud": "text",
      "user": "text",
      "role": "text",
      "warehouse": "text",
      "database_allow_list": [
        "text"
      ],
      "database_deny_list": [
        "text"
      ],
      "audit_log": {
        "state": 1,
        "status": 1,
        "cursor": "2025-09-19T09:14:42.834Z",
        "synced_at": "2025-09-19T09:14:42.834Z"
      },
      "alternative_database_name": "text",
      "authentication_method": 1,
      "extract_tags": true,
      "provisioning": true,
      "lifecycle_management_state": 1,
      "export_database": "text",
      "export_schema": "text",
      "export_user": "text",
      "export_role": "text",
      "export_authentication_method": 1,
      "organization_account": true,
      "connection_type": 1,
      "account_name": "text",
      "org_name": "text",
      "private_link": true,
      "alternative_account_usage_schema_name": "text",
      "gather_masking_policies": true,
      "gather_row_access_policies": true,
      "gather_network_policies": true,
      "gather_projection_policies": true,
      "gather_password_policies": true,
      "gather_login_source_ip": true
    }
  ]
}
POST

Body
  • name (string, optional)
  • account_locator (string, optional)
  • region (string, optional)
  • cloud (string, optional)
  • user (string, optional)
  • password (string, optional)
  • role (string, optional)
  • warehouse (string, optional)
  • data_plane_id (string, optional)
  • database_allow_list (string[], optional)
  • database_deny_list (string[], optional)
  • alternative_database_name (string, optional)
  • authentication_method (integer · enum, optional)
  • private_key (string, optional)
  • private_key_password (string, optional)
  • extract_tags (boolean, optional)
  • export_database (string, optional)
  • export_schema (string, optional)
  • export_user (string, optional)
  • export_role (string, optional)
  • export_authentication_method (integer · enum, optional)
  • export_private_key (string, optional)
  • export_private_key_password (string, optional)
  • export_password (string, optional)
  • provisioning (boolean, optional)
  • connection_type (integer · enum, optional)
  • account_name (string, optional)
  • org_name (string, optional)
  • private_link (boolean, optional)
  • alternative_account_usage_schema_name (string, optional)
  • gather_masking_policies (boolean, optional)
  • gather_row_access_policies (boolean, optional)
  • gather_network_policies (boolean, optional)
  • gather_projection_policies (boolean, optional)
  • organization_account (boolean, optional)
  • gather_password_policies (boolean, optional)
  • gather_login_source_ip (boolean, optional)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

POST /api/v1/providers/snowflake HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 932

{
  "name": "text",
  "account_locator": "text",
  "region": "text",
  "cloud": "text",
  "user": "text",
  "password": "text",
  "role": "text",
  "warehouse": "text",
  "data_plane_id": "text",
  "database_allow_list": [
    "text"
  ],
  "database_deny_list": [
    "text"
  ],
  "alternative_database_name": "text",
  "authentication_method": 1,
  "private_key": "text",
  "private_key_password": "text",
  "extract_tags": true,
  "export_database": "text",
  "export_schema": "text",
  "export_user": "text",
  "export_role": "text",
  "export_authentication_method": 1,
  "export_private_key": "text",
  "export_private_key_password": "text",
  "export_password": "text",
  "provisioning": true,
  "connection_type": 1,
  "account_name": "text",
  "org_name": "text",
  "private_link": true,
  "alternative_account_usage_schema_name": "text",
  "gather_masking_policies": true,
  "gather_row_access_policies": true,
  "gather_network_policies": true,
  "gather_projection_policies": true,
  "organization_account": true,
  "gather_password_policies": true,
  "gather_login_source_ip": true
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "account_locator": "text",
    "region": "text",
    "cloud": "text",
    "user": "text",
    "role": "text",
    "warehouse": "text",
    "database_allow_list": [
      "text"
    ],
    "database_deny_list": [
      "text"
    ],
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "alternative_database_name": "text",
    "authentication_method": 1,
    "extract_tags": true,
    "provisioning": true,
    "lifecycle_management_state": 1,
    "export_database": "text",
    "export_schema": "text",
    "export_user": "text",
    "export_role": "text",
    "export_authentication_method": 1,
    "organization_account": true,
    "connection_type": 1,
    "account_name": "text",
    "org_name": "text",
    "private_link": true,
    "alternative_account_usage_schema_name": "text",
    "gather_masking_policies": true,
    "gather_row_access_policies": true,
    "gather_network_policies": true,
    "gather_projection_policies": true,
    "gather_password_policies": true,
    "gather_login_source_ip": true
  }
}
GET

Path parameters
  • id (string, required)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

GET /api/v1/providers/snowflake/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "account_locator": "text",
    "region": "text",
    "cloud": "text",
    "user": "text",
    "role": "text",
    "warehouse": "text",
    "database_allow_list": [
      "text"
    ],
    "database_deny_list": [
      "text"
    ],
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "alternative_database_name": "text",
    "authentication_method": 1,
    "extract_tags": true,
    "provisioning": true,
    "lifecycle_management_state": 1,
    "export_database": "text",
    "export_schema": "text",
    "export_user": "text",
    "export_role": "text",
    "export_authentication_method": 1,
    "organization_account": true,
    "connection_type": 1,
    "account_name": "text",
    "org_name": "text",
    "private_link": true,
    "alternative_account_usage_schema_name": "text",
    "gather_masking_policies": true,
    "gather_row_access_policies": true,
    "gather_network_policies": true,
    "gather_projection_policies": true,
    "gather_password_policies": true,
    "gather_login_source_ip": true
  }
}
PATCH

Path parameters
  • provider.id (string, required)

Query parameters
  • update_mask (string · field-mask, optional)

Body
  • id (string, optional)
  • account_locator (string, optional)
  • region (string, optional)
  • cloud (string, optional)
  • user (string, optional)
  • password (string, optional)
  • role (string, optional)
  • warehouse (string, optional)
  • database_allow_list (string[], optional)
  • database_deny_list (string[], optional)
  • alternative_database_name (string, optional)
  • authentication_method (integer · enum, optional)
  • private_key (string, optional)
  • private_key_password (string, optional)
  • extract_tags (boolean, optional)
  • data_plane_id (string, optional)
  • export_database (string, optional)
  • export_schema (string, optional)
  • export_user (string, optional)
  • export_role (string, optional)
  • export_authentication_method (integer · enum, optional)
  • export_private_key (string, optional)
  • export_private_key_password (string, optional)
  • export_password (string, optional)
  • gather_masking_policies (boolean, optional)
  • gather_row_access_policies (boolean, optional)
  • gather_projection_policies (boolean, optional)
  • organization_account (boolean, optional)
  • gather_password_policies (boolean, optional)
  • gather_login_source_ip (boolean, optional)
  • provisioning (boolean, optional)
  • connection_type (integer · enum, optional)
  • account_name (string, optional)
  • org_name (string, optional)
  • private_link (boolean, optional)
  • alternative_account_usage_schema_name (string, optional)
  • gather_network_policies (boolean, optional)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

PATCH /api/v1/providers/snowflake/{provider.id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 930

{
  "id": "text",
  "account_locator": "text",
  "region": "text",
  "cloud": "text",
  "user": "text",
  "password": "text",
  "role": "text",
  "warehouse": "text",
  "database_allow_list": [
    "text"
  ],
  "database_deny_list": [
    "text"
  ],
  "alternative_database_name": "text",
  "authentication_method": 1,
  "private_key": "text",
  "private_key_password": "text",
  "extract_tags": true,
  "data_plane_id": "text",
  "export_database": "text",
  "export_schema": "text",
  "export_user": "text",
  "export_role": "text",
  "export_authentication_method": 1,
  "export_private_key": "text",
  "export_private_key_password": "text",
  "export_password": "text",
  "gather_masking_policies": true,
  "gather_row_access_policies": true,
  "gather_projection_policies": true,
  "organization_account": true,
  "gather_password_policies": true,
  "gather_login_source_ip": true,
  "provisioning": true,
  "connection_type": 1,
  "account_name": "text",
  "org_name": "text",
  "private_link": true,
  "alternative_account_usage_schema_name": "text",
  "gather_network_policies": true
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "account_locator": "text",
    "region": "text",
    "cloud": "text",
    "user": "text",
    "role": "text",
    "warehouse": "text",
    "database_allow_list": [
      "text"
    ],
    "database_deny_list": [
      "text"
    ],
    "audit_log": {
      "state": 1,
      "status": 1,
      "cursor": "2025-09-19T09:14:42.834Z",
      "synced_at": "2025-09-19T09:14:42.834Z"
    },
    "alternative_database_name": "text",
    "authentication_method": 1,
    "extract_tags": true,
    "provisioning": true,
    "lifecycle_management_state": 1,
    "export_database": "text",
    "export_schema": "text",
    "export_user": "text",
    "export_role": "text",
    "export_authentication_method": 1,
    "organization_account": true,
    "connection_type": 1,
    "account_name": "text",
    "org_name": "text",
    "private_link": true,
    "alternative_account_usage_schema_name": "text",
    "gather_masking_policies": true,
    "gather_row_access_policies": true,
    "gather_network_policies": true,
    "gather_projection_policies": true,
    "gather_password_policies": true,
    "gather_login_source_ip": true
  }
}
DELETE

Path parameters
  • id (string, required)

Responses
  • 200: OK (application/json), response: object
  • default: Default error response (application/json)

DELETE /api/v1/providers/snowflake/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
GET

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

GET /api/v1/providers/sqlserver HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "values": [
    {
      "id": "text",
      "vendor_id": "text",
      "name": "text",
      "type": 1,
      "state": 1,
      "data_plane_id": "text",
      "status": 1,
      "team_id": "text",
      "rbac_id": "text",
      "host": "text",
      "port": 1,
      "username": "text",
      "database_allow_list": [
        "text"
      ],
      "database_deny_list": [
        "text"
      ],
      "schema_allow_list": [
        "text"
      ],
      "schema_deny_list": [
        "text"
      ],
      "gather_system_databases": true,
      "instance_name": "text"
    }
  ]
}
POST

Body
  • name (string, optional)
  • host (string, optional)
  • port (integer · int32, optional)
  • username (string, optional)
  • password (string, optional)
  • data_plane_id (string, optional)
  • database_allow_list (string[], optional)
  • database_deny_list (string[], optional)
  • schema_allow_list (string[], optional)
  • schema_deny_list (string[], optional)
  • gather_system_databases (boolean, optional)
  • instance_name (string, optional)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

POST /api/v1/providers/sqlserver HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 269

{
  "name": "text",
  "host": "text",
  "port": 1,
  "username": "text",
  "password": "text",
  "data_plane_id": "text",
  "database_allow_list": [
    "text"
  ],
  "database_deny_list": [
    "text"
  ],
  "schema_allow_list": [
    "text"
  ],
  "schema_deny_list": [
    "text"
  ],
  "gather_system_databases": true,
  "instance_name": "text"
}
{
  "id": "text"
}
GET

Path parameters
  • id (string, required)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

GET /api/v1/providers/sqlserver/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "id": "text",
  "vendor_id": "text",
  "name": "text",
  "type": 1,
  "state": 1,
  "data_plane_id": "text",
  "status": 1,
  "team_id": "text",
  "rbac_id": "text",
  "host": "text",
  "port": 1,
  "username": "text",
  "database_allow_list": [
    "text"
  ],
  "database_deny_list": [
    "text"
  ],
  "schema_allow_list": [
    "text"
  ],
  "schema_deny_list": [
    "text"
  ],
  "gather_system_databases": true,
  "instance_name": "text"
}
PATCH

Path parameters
  • provider.id (string, required)

Query parameters
  • update_mask (string · field-mask, optional)

Body
  • id (string, optional)
  • host (string, optional)
  • port (integer · int32, optional)
  • username (string, optional)
  • password (string, optional)
  • database_allow_list (string[], optional)
  • database_deny_list (string[], optional)
  • schema_allow_list (string[], optional)
  • schema_deny_list (string[], optional)
  • gather_system_databases (boolean, optional)
  • instance_name (string, optional)
  • data_plane_id (string, optional)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

PATCH /api/v1/providers/sqlserver/{provider.id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 267

{
  "id": "text",
  "host": "text",
  "port": 1,
  "username": "text",
  "password": "text",
  "database_allow_list": [
    "text"
  ],
  "database_deny_list": [
    "text"
  ],
  "schema_allow_list": [
    "text"
  ],
  "schema_deny_list": [
    "text"
  ],
  "gather_system_databases": true,
  "instance_name": "text",
  "data_plane_id": "text"
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "host": "text",
    "port": 1,
    "username": "text",
    "database_allow_list": [
      "text"
    ],
    "database_deny_list": [
      "text"
    ],
    "schema_allow_list": [
      "text"
    ],
    "schema_deny_list": [
      "text"
    ],
    "gather_system_databases": true,
    "instance_name": "text"
  }
}
DELETE

Path parameters
  • id (string, required)

Responses
  • 200: OK (application/json), response: object
  • default: Default error response (application/json)

DELETE /api/v1/providers/sqlserver/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
GET

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

GET /api/v1/providers/trino HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "values": [
    {
      "id": "text",
      "vendor_id": "text",
      "name": "text",
      "type": 1,
      "state": 1,
      "data_plane_id": "text",
      "status": 1,
      "team_id": "text",
      "rbac_id": "text",
      "host": "text",
      "port": 1,
      "username": "text",
      "aws_s3_object_config": {
        "access_key": "text",
        "region": "text",
        "bucket": "text",
        "object": "text",
        "credentials_type": 1,
        "assume_role_name": "text",
        "account_id": "text"
      },
      "ssl_certificate": "text",
      "catalog_allow_list": [
        "text"
      ],
      "catalog_deny_list": [
        "text"
      ],
      "schema_allow_list": [
        "text"
      ],
      "schema_deny_list": [
        "text"
      ],
      "table_allow_list": [
        "text"
      ],
      "table_deny_list": [
        "text"
      ]
    }
  ]
}
POST

Body
  • name (string, optional)
  • host (string, optional)
  • port (integer · int32, optional)
  • username (string, optional)
  • password (string, optional)
  • data_plane_id (string, optional)
  • ssl_certificate (string, optional)
  • catalog_allow_list (string[], optional)
  • catalog_deny_list (string[], optional)
  • schema_allow_list (string[], optional)
  • schema_deny_list (string[], optional)
  • table_allow_list (string[], optional)
  • table_deny_list (string[], optional)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

POST /api/v1/providers/trino HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 506

{
  "name": "text",
  "host": "text",
  "port": 1,
  "username": "text",
  "password": "text",
  "data_plane_id": "text",
  "aws_s3_object_config": {
    "access_key": "text",
    "secret_key": "text",
    "region": "text",
    "bucket": "text",
    "object": "text",
    "credentials_type": 1,
    "assume_role_name": "text",
    "assume_role_external_id": "text",
    "account_id": "text"
  },
  "ssl_certificate": "text",
  "catalog_allow_list": [
    "text"
  ],
  "catalog_deny_list": [
    "text"
  ],
  "schema_allow_list": [
    "text"
  ],
  "schema_deny_list": [
    "text"
  ],
  "table_allow_list": [
    "text"
  ],
  "table_deny_list": [
    "text"
  ]
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "host": "text",
    "port": 1,
    "username": "text",
    "aws_s3_object_config": {
      "access_key": "text",
      "region": "text",
      "bucket": "text",
      "object": "text",
      "credentials_type": 1,
      "assume_role_name": "text",
      "account_id": "text"
    },
    "ssl_certificate": "text",
    "catalog_allow_list": [
      "text"
    ],
    "catalog_deny_list": [
      "text"
    ],
    "schema_allow_list": [
      "text"
    ],
    "schema_deny_list": [
      "text"
    ],
    "table_allow_list": [
      "text"
    ],
    "table_deny_list": [
      "text"
    ]
  }
}
GET

Path parameters
  • id (string, required)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

GET /api/v1/providers/trino/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "host": "text",
    "port": 1,
    "username": "text",
    "aws_s3_object_config": {
      "access_key": "text",
      "region": "text",
      "bucket": "text",
      "object": "text",
      "credentials_type": 1,
      "assume_role_name": "text",
      "account_id": "text"
    },
    "ssl_certificate": "text",
    "catalog_allow_list": [
      "text"
    ],
    "catalog_deny_list": [
      "text"
    ],
    "schema_allow_list": [
      "text"
    ],
    "schema_deny_list": [
      "text"
    ],
    "table_allow_list": [
      "text"
    ],
    "table_deny_list": [
      "text"
    ]
  }
}
PATCH

Path parameters
  • provider.id (string, required)

Query parameters
  • update_mask (string · field-mask, optional)

Body
  • id (string, optional)
  • host (string, optional)
  • port (integer · int32, optional)
  • username (string, optional)
  • password (string, optional)
  • ssl_certificate (string, optional)
  • catalog_allow_list (string[], optional)
  • catalog_deny_list (string[], optional)
  • schema_allow_list (string[], optional)
  • schema_deny_list (string[], optional)
  • table_allow_list (string[], optional)
  • table_deny_list (string[], optional)
  • data_plane_id (string, optional)

Responses
  • 200: OK (application/json)
  • default: Default error response (application/json)

PATCH /api/v1/providers/trino/{provider.id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 504

{
  "id": "text",
  "host": "text",
  "port": 1,
  "username": "text",
  "password": "text",
  "aws_s3_object_config": {
    "access_key": "text",
    "secret_key": "text",
    "region": "text",
    "bucket": "text",
    "object": "text",
    "credentials_type": 1,
    "assume_role_name": "text",
    "assume_role_external_id": "text",
    "account_id": "text"
  },
  "ssl_certificate": "text",
  "catalog_allow_list": [
    "text"
  ],
  "catalog_deny_list": [
    "text"
  ],
  "schema_allow_list": [
    "text"
  ],
  "schema_deny_list": [
    "text"
  ],
  "table_allow_list": [
    "text"
  ],
  "table_deny_list": [
    "text"
  ],
  "data_plane_id": "text"
}
{
  "value": {
    "id": "text",
    "vendor_id": "text",
    "name": "text",
    "type": 1,
    "state": 1,
    "data_plane_id": "text",
    "status": 1,
    "team_id": "text",
    "rbac_id": "text",
    "host": "text",
    "port": 1,
    "username": "text",
    "aws_s3_object_config": {
      "access_key": "text",
      "region": "text",
      "bucket": "text",
      "object": "text",
      "credentials_type": 1,
      "assume_role_name": "text",
      "account_id": "text"
    },
    "ssl_certificate": "text",
    "catalog_allow_list": [
      "text"
    ],
    "catalog_deny_list": [
      "text"
    ],
    "schema_allow_list": [
      "text"
    ],
    "schema_deny_list": [
      "text"
    ],
    "table_allow_list": [
      "text"
    ],
    "table_deny_list": [
      "text"
    ]
  }
}
Path parameters

id | string | Required

Responses

200 | OK | application/json (Response: object)
default | Default error response | application/json

DELETE /api/v1/providers/trino/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}

Identity Providers

API endpoints for configuring Active Directory, Okta, and OneLogin

You can manage Veza Identity Provider integrations using the management API and a Veza admin API key.

AzureAD and Google Workspace identities are discovered by adding the associated Google Cloud account or Azure tenant as a cloud provider.

  • providers/activedirectory

    • List Active Directory Providers

    • Create Active Directory Provider

    • Get Active Directory Provider

    • Delete Active Directory Provider

    • Update Active Directory Provider

  • providers/okta

    • List Okta Providers

    • Create Okta Provider

    • Get Okta Provider

    • Delete Okta Provider

    • Update Okta Provider

  • providers/onelogin

    • List OneLogin Providers

    • Create OneLogin Provider

    • Get OneLogin Provider

    • Delete OneLogin Provider

    • Update OneLogin Provider

providers/activedirectory

See the configuration guide for the prerequisite steps to integrate Active Directory with Veza. An AD configuration has the following parameters:

{
  "ad_fqdn": "FQDN.NAME.ON.CERT",
  "name": "Test-AD",
  "host": "FQDN.FOR.DOMAIN.CONTROLLER",
  "port": 636,
  "ldaps_certificate": "Base64 Encoded String of PEM format",
  "username": "ADMIN",
  "password": "PASSWORD",
  "domains": ["FQDN.OF.DOMAIN"],
  "data_plane_id": "DATAPLANE_ID"
}

List Active Directory Providers

curl --location --request GET '{{vezaURL}}/api/v1/providers/activedirectory' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN'

The response will include all existing configurations, in the format:

{
    "values": [
        {
            "id": "integration-GUID",
            "vendor_id": "domain.controller.FQDN",
            "name": "ad_cct01",
            "type": "ACTIVE_DIRECTORY",
            "state": "ENABLED",
            "data_plane_id": "insight-point-GUID",
            "status": "SUCCESS",
            "host": "domain.controller.FQDN",
            "port": 636,
            "username": "read.only",
            "domains": [
                "corp.cookie.ai"
            ],
            "ad_fqdn": "cct01-ad-01.corp.cookie.ai",
            "identity_mapping_configuration": null
        }
    ]
}

Create Active Directory Provider

curl --location --request POST '{{vezaURL}}/api/v1/providers/activedirectory' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "ad_fqdn": "FQDN.NAME.ON.CERT",
  "name": "Test-AD",
  "host": "FQDN.FOR.DOMAIN.CONTROLLER",
  "port": 636,
  "ldaps_certificate": "Base64 Encoded String of PEM format",
  "username": "ADMIN",
  "password": "PASSWORD",
  "domains": ["FQDN.OF.DOMAIN"],
  "data_plane_id": "DATAPLANE_ID"
}'
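
The following Python sketch is an added example, not part of the Veza documentation. It assembles the create request body with the PEM certificate base64-encoded for `ldaps_certificate` and the bind password read from the environment instead of the command line. It assumes the field takes the base64 of the whole PEM text; the function names, the `VEZA_AD_PASSWORD` variable and the sample PEM are assumptions made for illustration.

```python
import base64
import os
import re

# Constructed samples: a placeholder PEM (not a real certificate) and the page's placeholder settings.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_SETTINGS = {
    "ad_fqdn": "FQDN.NAME.ON.CERT", "name": "Test-AD",
    "host": "FQDN.FOR.DOMAIN.CONTROLLER", "username": "ADMIN",
    "domains": ["FQDN.OF.DOMAIN"], "data_plane_id": "DATAPLANE_ID",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")


def encode_ldaps_certificate(pem_text):
    """Base64-encode a whole PEM certificate for the ldaps_certificate field."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("refusing to upload private key material")
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("input is not a PEM certificate")
    # The PEM body must itself be valid base64 (raises ValueError otherwise).
    base64.b64decode("".join(match.group(1).split()), validate=True)
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def build_ad_provider(settings, pem_text, env=os.environ):
    """Assemble the POST body; the password comes only from the environment."""
    password = env.get("VEZA_AD_PASSWORD")  # assumed variable name
    if not password:
        raise ValueError("VEZA_AD_PASSWORD is not set")
    body = dict(settings, port=settings.get("port", 636))
    body["ldaps_certificate"] = encode_ldaps_certificate(pem_text)
    body["password"] = password
    return body


def redact(body):
    """Copy of the body that is safe to print or log."""
    return {k: "***" if k == "password" else v for k, v in body.items()}


if __name__ == "__main__":
    print(redact(build_ad_provider(SAMPLE_SETTINGS, SAMPLE_PEM, {"VEZA_AD_PASSWORD": "constructed"})))
```
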

Get Active Directory Provider

curl --location --request GET '{{vezaURL}}/api/v1/providers/activedirectory/{{provider_id}}' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN'

Delete Active Directory Provider

curl --location --request DELETE '{{vezaURL}}/api/v1/providers/activedirectory/{{provider_id}}' \
--header 'Authorization: Bearer TOKEN'

Update Active Directory Provider

curl --location --request PATCH '{{vezaURL}}/api/v1/providers/activedirectory/{{provider_id}}' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
    "port": 636
}'

providers/okta

An Okta configuration includes connection information and credentials, as well as any limits on apps and domains to extract:

{
  "id": "string",
  "domain": "string",
  "region": "string",
  "token": "string",
  "gather_all_applications": true,
  "domain_allow_list": [
    "string"
  ],
  "domain_deny_list": [
    "string"
  ],
  "app_allow_list": [
    "string"
  ],
  "app_deny_list": [
    "string"
  ]
}

See the Okta integration guide for more details on retrieving an Okta API token and registering your domain with Veza.

List Okta Providers

GET {{vezaURL}}/api/v1/providers/okta

Get the configuration and status for all configured Okta integrations.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string"
    }
  ]
}

Create Okta Provider

POST {{vezaURL}}/api/v1/providers/okta

Submit a new Okta provider configuration.

* indicates a required field.

Request Body

Name | Type | Description
name* | string | Name for the Okta Provider
domain* | string | Okta domain
region* | string | The Okta region (us)
data_plane_id | string | Provide if connecting via an Insight Point
token* | string | Okta API token
gather_all_applications | boolean | Whether to extract all apps or only selected
domain_allow_list | string list | Domains to explicitly allow
domain_deny_list | string list | Domains to exclude from discovery
app_allow_list | string list | Apps to explicitly allow
app_deny_list | string list | Apps to exclude from discovery

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string"
    }
  ]
}

Get Okta Provider

GET {{vezaURL}}/api/v1/providers/okta/{id}

Get an individual Okta provider configuration.

* indicates a required field.

Path Parameters

Name | Type | Description
id* | string | The Okta provider configuration ID

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string"
  }
}

Delete Okta Provider

DELETE {{vezaURL}}/api/v1/providers/okta/{id}

Delete an Okta provider, removing all associated entities from Veza.

* indicates a required field.

Path Parameters

Name | Type | Description
id | string | ID of the configuration to delete

{}

Update Okta Provider

PATCH {{vezaURL}}/api/v1/providers/okta/{id}

Update an existing provider configuration with new properties.

* indicates a required field.

Path Parameters

Name | Type | Description
{id}* | string | The Okta provider configuration ID

Query Parameters

Name | Type | Description
update_mask.paths | array[string] | The set of field mask paths

Request Body

Name | Type | Description
domain | string |
region | string |
token | string |

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string"
  }
}

providers/onelogin

A OneLogin configuration includes the domain, region, and credentials to use for the connection:

{
  "name": "string",
  "domain": "string",
  "region": "string",
  "client_id": "string",
  "client_secret": "string",
  "data_plane_id": "string"
}

See connecting to OneLogin for steps to generate credentials for Veza-OneLogin API access.

List OneLogin Providers

GET {{vezaURL}}/api/v1/providers/onelogin

Gets all configured OneLogin providers.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string",
      "region": "string",
      "client_id": "string"
    }
  ]
}

Create OneLogin Provider

POST {{vezaURL}}/api/v1/providers/onelogin

Submit a new OneLogin provider configuration. See OneLogin for more information about enabling Veza access to OneLogin metadata.

* indicates a required field.

Request Body

Name | Type | Description
name* | string | The name to show in Veza
domain* | string | Your company's OneLogin domain
region* | string | The region of the OneLogin instance, e.g. us
client_id* | string | Client ID for the OneLogin key pair
client_secret* | string | Client Secret for the OneLogin ID pair
data_plane_id | string | Insight Point ID to use for the connection

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string",
    "region": "string",
    "client_id": "string"
  }
}

Get OneLogin Provider

GET {{vezaURL}}/api/v1/providers/onelogin/{id}

Return the status and configuration for a single OneLogin provider configuration.

* indicates a required field.

Path Parameters

Name | Type | Description
id* | string | OneLogin provider ID

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string",
    "region": "string",
    "client_id": "string"
  }
}

Delete OneLogin Provider

DELETE {{vezaURL}}/api/v1/providers/onelogin/{id}

Delete a OneLogin configuration and its discovered entities.

* indicates a required field.

Path Parameters

Name | Type | Description
id* | string | The OneLogin configuration to delete

{}

Update OneLogin Provider

PATCH {{vezaURL}}/api/v1/providers/onelogin/{id}

Update a OneLogin provider configuration. You can provide field mask paths to only update specific fields.

* indicates a required field.

Path Parameters

Name | Type | Description
{id}* | string | ID of the OneLogin configuration to update

Query Parameters

Name | Type | Description
update_mask.paths | array[string] | The set of field mask paths

Request Body

Name | Type | Description
name* | string |
domain* | string |
region* | string |
client_id* | string |
client_secret* | string |
data_plane_id | string |

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string",
      "region": "string",
      "client_id": "string"
    }
  ]
}
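
The Okta and OneLogin update endpoints above both accept `update_mask.paths`. The Python sketch below is an added example, not code from the Veza documentation: it builds a PATCH request for a credential rotation that names only the changed fields in the mask and rejects fields the page does not list as updatable. The function names and sample values are assumptions, as is sending the string array as one repeated `update_mask.paths` query key per path.

```python
import json
import urllib.request
from urllib.parse import quote, urlencode

# Request-body fields the page lists for each PATCH endpoint.
UPDATABLE = {
    "okta": {"domain", "region", "token"},
    "onelogin": {"name", "domain", "region", "client_id",
                 "client_secret", "data_plane_id"},
}


def build_patch(base_url, provider, provider_id, changes, api_key):
    """Build a PATCH request that names every changed field in the field mask."""
    unknown = set(changes) - UPDATABLE[provider]
    if unknown:
        raise ValueError(f"not updatable for {provider}: {sorted(unknown)}")
    if not changes:
        raise ValueError("nothing to update")
    # Assumption: array[string] is sent as one update_mask.paths key per path.
    query = urlencode([("update_mask.paths", field) for field in sorted(changes)])
    url = (f"{base_url.rstrip('/')}/api/v1/providers/{provider}/"
           f"{quote(provider_id, safe='')}?{query}")
    return urllib.request.Request(
        url,
        data=json.dumps(changes).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def describe(request):
    """Loggable summary: method, URL and field names, never the values."""
    fields = sorted(json.loads(request.data))
    return f"{request.get_method()} {request.full_url} fields={fields}"


if __name__ == "__main__":
    # Constructed values: rotate only the Okta API token.
    req = build_patch("https://company.veza.com", "okta", "constructed-id",
                      {"token": "constructed-new-token"}, "TOKEN")
    print(describe(req))
    # urllib.request.urlopen(req) would send it; left out so the example runs offline.
```
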