1 of 20

Integration APIs

Programmatic configuration of providers and data sources

The Veza management APIs enable internal tooling to automate administration of cloud providers and data sources. These APIs provide both unified and provider-specific endpoints to manage integrations:

Provider Management API: Unified endpoints for managing all provider types through a single interface
Provider-Specific APIs: Specialized endpoints for individual provider types with extended configuration options
: Management of individual data sources within providers

Each supported provider can be managed through either the unified Provider Management API or provider-specific endpoints, depending on your needs.

Notes

A data plane ID is required when adding a custom provider.
- This value refers to the used for discovery, or the GUID of the built-in data plane.
- To get all available IDs, navigate to Administration > Insight Point.

Authentication

You can issue new API keys from Administration > API Keys > . Provide the key as the bearer auth token in the header of each request.

Users must have the role to add/modify provider configurations. Configurations can be viewed by users with the operator role.

Sample Integrations and Tools

Please contact your support team for private repository access.

Register Accounts - Use the management API to add multiple AWS accounts from CSV.

Veza Python Client - Simple Python class for making REST API calls to Veza.

Cloud Formation Stacks - Configure multiple AWS accounts for Veza discovery by enabling the required assume role operations and IAM permissions.

Open Authorization APIs

If your organization uses applications, data sources, or identity providers not natively supported by Veza, you may be able to add them to your data catalog using . You will need to query the provider to retrieve entity and permissions metadata and push the payload to Veza for parsing in a template format.

Endpoints for administering custom resources (/providers/custom/*) are described in .

Enable/Disable Providers

API operations for enabling and disabling provider connections

The v1/providers API includes endpoints to enable or disable integrations by provider id. This allows you to temporarily pause data extraction and synchronization for specific providers when needed, without deleting the configuration.

The provider_id value should be obtained from the provider listing APIs (e.g., /api/v1/providers/aws for AWS providers)

Disable AWS Services using Provider Management APIs

Overview

This guide explains how to disable specific AWS services across multiple AWS integrations (providers) using the Veza API. Limiting AWS service extraction can reduce processing overhead, help teams focus on relevant services, or exclude analytics platforms like AWS_DATABRICKS that may not be deployed or required for visibility in Veza. This is particularly useful for organizations with many AWS accounts who need to disable unused services at scale.

In the JSON AWS provider configuration, the services array acts as an allow list that controls which AWS services Veza will discover and extract:

Empty array [] = All available AWS services are enabled for discovery
Populated array = Only the listed services are enabled; all others are disabled

To disable specific services, you must populate the array with only the services you want to monitor.

Before you start

Before you update AWS provider services, ensure:

You have API access credentials for your Veza instance (see for API key setup)
You have the VEZA_TOKEN environment variable configured
You have the VEZA_URL environment variable set to your instance (e.g., https://yourcompany.cookiecloud.ai)

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

First, retrieve all AWS provider configurations to understand your current setup:

Understanding the response:

Providers with empty services: [] arrays have ALL services enabled
Providers with populated services arrays only extract the listed services
Note the id,

Example response structure:

Step 2: Identify target providers and services

Identify which providers to modify based on:
- Provider names that match your AWS accounts
- Account IDs that correspond to your AWS accounts

Step 3: Test with a single provider

Before updating all providers, test with one provider first:

Verify the change:

Check that the response shows your desired services array.

Step 4: Apply to multiple providers

Manual approach (recommended for small numbers)

Update each provider individually using their specific IDs:

Bulk approach (for many providers)

Create a script for bulk updates. Use with caution as this affects all AWS providers:

Step 5: Verify changes

After updating providers, verify the changes took effect:

Reversing changes

Re-enable all services

To return a provider to monitoring all services:

Modify service configuration

To change which services are monitored:

Available AWS services

The following AWS services can be included in the services array (25 total):

Storage services:

S3 - Simple Storage Service
DYNAMODB - DynamoDB NoSQL database

Database services:

RDS - General RDS service
RDS_POSTGRES - PostgreSQL databases
RDS_MYSQL - MySQL databases

Compute services:

EC2 - Elastic Compute Cloud (virtual machines)
LAMBDA - Serverless functions
EKS - Elastic Kubernetes Service

Identity and security services:

AWS_IAM - Identity and Access Management
KMS - Key Management Service
SECRETS_MANAGER - AWS Secrets Manager

Management and governance:

ORGANIZATIONS - AWS Organizations
SYSTEMS_MANAGER - Operations management

Analytics platforms:

AWS_DATABRICKS - Databricks analytics platform

Important notes:

Service availability may vary by Veza version and configuration
Some services may require specific permissions or setup
When in doubt, check your Veza UI to see which services are available for your AWS providers

List Data Sources

Retrieve all data sources with optional filtering and pagination

Endpoint

Description

Returns the properties and status for all data sources. When filtering is applied, only data sources matching the filter will be returned.

Get Data Source

Retrieve status and details for an individual data source

Endpoint

Description

Returns status and configuration details for an individual data source by its ID.

API Reference

Path Parameters

Parameter

Returns the current synchronization status for a specific data source, including information about the last sync operation and any errors that occurred during data extraction.

API Reference

Path Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

Data Source Scheduling Configuration

Configure priority scheduling and extraction times for data sources

Overview

The Data Source Scheduling Configuration APIs allow administrators to configure advanced scheduling options for individual data sources, including:

Priority scheduling: Assign priorities (1-100) to ensure extraction jobs are processed ahead of standard data sources
Scheduled extraction times: Define specific times of day when extractions should occur (in 30-minute intervals)
Day-of-week scheduling: Restrict extractions to precise days of the week

These APIs are intended primarily for use with Veza Lifecycle Management to ensure critical data sources (such as HR systems) are refreshed at predictable times to support downstream automation workflows.

Supported Data Source Types: Scheduling configuration is designed for EXTRACTOR and DISCOVERER data source types only. Configuring scheduling for other data source types (such as PARSER) will not work as expected.

Examples

Source of Identity Scheduling

Configure HR system data sources to extract at specific times to ensure identity data is current before provisioning workflows execute:

Prevent Extraction During Business Hours

Schedule non-critical extractions only on weekends to reduce workload during business hours:

Endpoints

Method

Endpoint

Description

Create or Update Scheduling Configuration

Endpoint

Description

Creates or updates the scheduling configuration for a specific data source. If a configuration already exists for the data source, it will be updated with the new values; otherwise, a new configuration will be created.

Path Parameters

Parameter

Type

Required?

Description

Request Body

The request body contains the configuration fields directly (no wrapper object needed):

Field

Type

Required?

Description

Note: The datasource_id is specified in the URL path and should not be included in the request body.

Validation Rules

Priority: Must be between 1-100 (where 100 is the highest priority)
- When scheduled_extraction_times are configured, priority must be 100 to ensure jobs are processed closest to the configured times
- Priority 1-99 can be used without schedules for edge cases requiring a higher priority than standard periodic scheduling

Request Examples

Response Examples

Standard Response:

Error Response (Invalid Time Format):

Error Response (Limit Reached):

Get Scheduling Configuration

Endpoint

Description

Retrieves the scheduling configuration for a specific data source.

Path Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

Error Response (Not Found):

List Scheduling Configurations

Endpoint

Description

Returns all scheduling configurations across all data sources in your organization.

Query Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

Delete Scheduling Configuration

Endpoint

Description

Removes the scheduling configuration for a specific data source. The data source will revert to standard scheduling behavior.

Path Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

- Get data source IDs for configuration
- View data source details and status
- Automated identity lifecycle workflows

Custom Provider Configurations

ListCustomProviderInternalConfigurationDefinitions returns the internal configuration definitions for all custom OAA providers, including built-in Veza integrations that use OAA templates.

This endpoint is useful for understanding the configuration schema of custom integrations, including connector types, data source configurations, and supported settings.

Sample request

curl -X GET "$BASE_URL/api/v1/providers/custom/configurations" \
  -H "authorization: Bearer $VEZA_TOKEN"

Disable AWS Services using Provider Management APIs

Overview

In the JSON AWS provider configuration, the services array acts as an allow list that controls which AWS services Veza will discover and extract:

Empty array [] = All available AWS services are enabled for discovery
Populated array = Only the listed services are enabled; all others are disabled

To disable specific services, you must populate the array with only the services you want to monitor.

Before you start

Before you update AWS provider services, ensure:

You have API access credentials for your Veza instance (see for API key setup)
You have the VEZA_TOKEN environment variable configured
You have the VEZA_URL environment variable set to your instance (e.g., https://yourcompany.cookiecloud.ai)

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

First, retrieve all AWS provider configurations to understand your current setup:

Understanding the response:

Providers with empty services: [] arrays have ALL services enabled
Providers with populated services arrays only extract the listed services
Note the id,

Example response structure:

Step 2: Identify target providers and services

Identify which providers to modify based on:
- Provider names that match your AWS accounts
- Account IDs that correspond to your AWS accounts

Step 3: Test with a single provider

Before updating all providers, test with one provider first:

Verify the change:

Check that the response shows your desired services array.

Step 4: Apply to multiple providers

Manual approach (recommended for small numbers)

Update each provider individually using their specific IDs:

Bulk approach (for many providers)

Create a script for bulk updates. Use with caution as this affects all AWS providers:

Step 5: Verify changes

After updating providers, verify the changes took effect:

Reversing changes

Re-enable all services

To return a provider to monitoring all services:

Modify service configuration

To change which services are monitored:

Available AWS services

The following AWS services can be included in the services array (25 total):

Storage services:

S3 - Simple Storage Service
DYNAMODB - DynamoDB NoSQL database

Database services:

RDS - General RDS service
RDS_POSTGRES - PostgreSQL databases
RDS_MYSQL - MySQL databases

Compute services:

EC2 - Elastic Compute Cloud (virtual machines)
LAMBDA - Serverless functions
EKS - Elastic Kubernetes Service

Identity and security services:

AWS_IAM - Identity and Access Management
KMS - Key Management Service
SECRETS_MANAGER - AWS Secrets Manager

Management and governance:

ORGANIZATIONS - AWS Organizations
SYSTEMS_MANAGER - Operations management

Analytics platforms:

AWS_DATABRICKS - Databricks analytics platform

Important notes:

Service availability may vary by Veza version and configuration
Some services may require specific permissions or setup
When in doubt, check your Veza UI to see which services are available for your AWS providers

Data Source Scheduling Configuration

Configure priority scheduling and extraction times for data sources

Overview

The Data Source Scheduling Configuration APIs allow administrators to configure advanced scheduling options for individual data sources, including:

Priority scheduling: Assign priorities (1-100) to ensure extraction jobs are processed ahead of standard data sources
Scheduled extraction times: Define specific times of day when extractions should occur (in 30-minute intervals)
Day-of-week scheduling: Restrict extractions to precise days of the week

Examples

Source of Identity Scheduling

Configure HR system data sources to extract at specific times to ensure identity data is current before provisioning workflows execute:

Prevent Extraction During Business Hours

Schedule non-critical extractions only on weekends to reduce workload during business hours:

Endpoints

Method

Endpoint

Description

Create or Update Scheduling Configuration

Endpoint

Description

Path Parameters

Parameter

Type

Required?

Description

Request Body

The request body contains the configuration fields directly (no wrapper object needed):

Field

Type

Required?

Description

Note: The datasource_id is specified in the URL path and should not be included in the request body.

Validation Rules

Priority: Must be between 1-100 (where 100 is the highest priority)
- When scheduled_extraction_times are configured, priority must be 100 to ensure jobs are processed closest to the configured times
- Priority 1-99 can be used without schedules for edge cases requiring a higher priority than standard periodic scheduling

Request Examples

Response Examples

Standard Response:

Error Response (Invalid Time Format):

Error Response (Limit Reached):

Get Scheduling Configuration

Endpoint

Description

Retrieves the scheduling configuration for a specific data source.

Path Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

Error Response (Not Found):

List Scheduling Configurations

Endpoint

Description

Returns all scheduling configurations across all data sources in your organization.

Query Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

Delete Scheduling Configuration

Endpoint

Description

Removes the scheduling configuration for a specific data source. The data source will revert to standard scheduling behavior.

Path Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

- Get data source IDs for configuration
- View data source details and status
- Automated identity lifecycle workflows

Cloud Platforms and Data Providers

Operations for listing, adding, and modifying cloud provider configurations

You can manage Veza integrations using the management API and a Veza admin API key.

Use these operations to configure and manage cloud platform integrations including AWS, Azure, Google Cloud, Snowflake, SQL Server, and Trino providers. Each provider type has specific configuration requirements and optional parameters for controlling discovery scope.

Provider Types

Veza supports the following provider types:

AWS: Amazon Web Services accounts with support for IAM, S3, RDS, Redshift, and other services
Azure: Microsoft Azure tenants including Active Directory and SharePoint Online
Google Cloud: Google Cloud Platform projects and Google Workspace domains

For detailed integration guides, see the .

Authentication

You will need an API token with administrator permissions to manage provider configurations. See for details.

Common Provider Properties

All provider configurations share these common properties:

id (String): Unique identifier for the provider configuration
vendor_id (String): Provider-specific identifier (e.g., AWS account ID)
name (String): Display name for the provider

AWS Providers

AWS Provider Object Schema

AWS provider configurations include account credentials, regions, and service-specific settings:

AWS Configuration Fields

account_id (String): AWS account ID (12-digit number)
credentials_type (String): Authentication method - STATIC, EC2_INSTANCE_PROFILE, or ASSUME_CUSTOMER_ROLE

AWS Service Discovery Options

Available service values for the services array:

IAM: Identity and Access Management
S3: Simple Storage Service
RDS: Relational Database Service

AWS Resource Filtering

Use allow/deny lists to control which resources are discovered:

s3_bucket_allow_list: S3 bucket names to include (supports wildcards)
s3_bucket_deny_list: S3 bucket names to exclude
rds_database_allow_list: RDS database names to include

For detailed AWS setup instructions, see .

AWS API Operations

List AWS Providers

Create AWS Provider

Get AWS Provider

Update AWS Provider

Delete AWS Provider

Get AWS Trust Policy

Check AWS Policy

Azure Providers

Azure Provider Object Schema

Azure provider configurations include tenant authentication and service settings:

Azure Configuration Fields

tenant_id (String): Azure Active Directory tenant ID
client_id (String): Application (client) ID for service principal
client_secret (String): Client secret for authentication

For detailed Azure setup instructions, see .

Azure API Operations

List Azure Providers

Create Azure Provider

Get Azure Provider

Update Azure Provider

Delete Azure Provider

Google Cloud Providers

Google Cloud Provider Object Schema

Google Cloud provider configurations include service account credentials and project settings:

Google Cloud Configuration Fields

credentials_json (String): Service account key JSON
customer_id (String): Google Workspace customer ID
workspace_email (String): Workspace user email for service account impersonation

For detailed Google Cloud setup instructions, see .

Google Cloud API Operations

List Google Cloud Providers

Create Google Cloud Provider

Get Google Cloud Provider

Update Google Cloud Provider

Delete Google Cloud Provider

Snowflake Providers

Snowflake Provider Object Schema

Snowflake provider configurations include connection details and database filtering:

Snowflake Configuration Fields

account_locator (String): Snowflake account locator (e.g., "xy12345")
region (String): Cloud region for the Snowflake account
cloud (String): Cloud provider ("aws", "azure", or "gcp")

For detailed Snowflake setup instructions, see .

Snowflake API Operations

List Snowflake Providers

Create Snowflake Provider

Get Snowflake Provider

Update Snowflake Provider

Delete Snowflake Provider

SQL Server Providers

SQL Server Provider Object Schema

SQL Server provider configurations include connection details and database filtering:

SQL Server Configuration Fields

host (String): SQL Server hostname or IP address
port (Integer): Port number (typically 1433)
username (String): SQL Server username

For detailed SQL Server setup instructions, see .

SQL Server API Operations

List SQL Server Providers

Create SQL Server Provider

Get SQL Server Provider

Update SQL Server Provider

Delete SQL Server Provider

Trino Providers

Trino Provider Object Schema

Trino provider configurations include cluster connection details and S3 access control file settings:

Trino Configuration Fields

host (String): Trino coordinator hostname
port (Integer): Trino coordinator port (typically 8080 or 8443)
username (String): Trino username

S3 Object Configuration

The aws_s3_object_config object contains:

access_key (String): AWS access key ID
secret_key (String): AWS secret access key
region (String): S3 bucket region

For detailed Trino setup instructions, see .

Trino API Operations

List Trino Providers

Create Trino Provider

Get Trino Provider

Update Trino Provider

Delete Trino Provider

Error Handling

All provider API operations return standard HTTP status codes:

200 OK: Request successful
400 Bad Request: Invalid request parameters or payload
401 Unauthorized: Invalid or missing API token

Error responses include a descriptive message and error code:

Best Practices

When managing provider configurations:

Use descriptive names that identify the environment and purpose
Implement least privilege by configuring only necessary services and resources
Use allow lists rather than deny lists when possible for better security

Identity Providers

API endpoints for configuring Okta and OneLogin

You can manage Veza Identity Provider integrations using the management API and a Veza admin API key.

AzureAD and Google Workspace identities are discovered by adding the associated Google Cloud account or Azure tenant as a cloud provider.

`providers/activedirectory`

See the configuration guide for the prerequisite steps to integrate with Veza. An AD configuration has the following parameters:

List Active Directory Providers

The response will include all existing configurations, in the format:

Create Active Directory Provider

Get Active Directory Provider

Delete Active Directory Provider

Update Active Directory Provider

`providers/okta`

An Okta configuration includes connection information and credentials, as well as any limits on apps and domains to extract:

See the integration guide for more details on retrieving an Okta API token and registering your domain with Veza.

List Okta Providers

List Okta Providers

GET {{vezaURL}}/api/v1/providers/okta

Get the configuration and status for all configured Okta integrations.

* indicates a required field.

Create Okta Provider

Create Okta Provider

POST {{vezaURL}}/api/v1/providers/okta

Submit a new Okta provider configuration.

* indicates a required field.

Request Body

Name

Type

Description

Get Okta Provider

Get Okta Provider

GET {{vezaURL}}/api/v1/providers/okta/{id}

Get an individual Okta provider configuration.

* indicates a required field.

Path Parameters

Name

Type

Description

Delete Okta Provider

Delete Okta Provider

DELETE {{vezaURL}}/api/v1/providers/okta/{id}

Delete an Okta provider, removing all associated entities from Veza.

* indicates a required field.

Path Parameters

Name

GET {{vezaURL}}/api/v1/providers/onelogin

Gets all configured OneLogin providers.

* indicates a required field.

Create OneLogin Provider

Create OneLogin Provider

POST {{vezaURL}}/api/v1/providers/onelogin

PATCH {{VezaURL}}/api/v1/providers/onelogin/{id}

Update a OneLogin provider configuration. You can provide field mask paths to only update specific fields.

* indicates a required field.

Path Parameters

Name

Type

Description

Query Parameters

Name

Type

Description

Request Body

Name

Type

Description

Responses

200

application/json

Paginated list of custom (OAA) providers.

next_page_tokenstringOptional

Token to retrieve the next page of results. Empty when no more pages exist.

has_morebooleanOptional

If true, additional pages of results are available.

default

Default error response

The pagination token to retrieve the next page of results.

If true, more results are available.

requires_updatebooleanOptional

aws_account_idstringOptional

current_policystringOptional

required_policystringOptional

required_actionsstring[]Optional

overprivileged_actionsstring[]Optional

idstringOptional

vendor_idstringOptional

namestringOptional

typeinteger · enumOptional

stateinteger · enumOptional

data_plane_idstringOptional

statusinteger · enumOptional

team_idstringOptional

rbac_idstringOptional

hoststringOptional

portinteger · int32Optional

usernamestringOptional

database_allow_liststring[]Optional

database_deny_liststring[]Optional

schema_allow_liststring[]Optional

schema_deny_liststring[]Optional

gather_system_databasesbooleanOptional

instance_namestringOptional

use_tls_connectorbooleanOptional

Integration APIs

hashtagNotes

hashtagAuthentication

hashtagSample Integrations and Tools

hashtagOpen Authorization APIs

Enable/Disable Providers

hashtag

Disable AWS Services using Provider Management APIs

hashtagOverview

hashtagBefore you start

hashtagDisable specific AWS services across providers

hashtagStep 1: Discover your current AWS providers

hashtagStep 2: Identify target providers and services

hashtagStep 3: Test with a single provider

hashtagStep 4: Apply to multiple providers

hashtagManual approach (recommended for small numbers)

hashtagBulk approach (for many providers)

hashtagStep 5: Verify changes

hashtagReversing changes

hashtagRe-enable all services

hashtagModify service configuration

hashtagAvailable AWS services

hashtagSee also

List Data Sources

hashtagEndpoint

hashtagDescription

Get Data Source

hashtagEndpoint

hashtagDescription

hashtagAPI Reference

hashtagPath Parameters

hashtagRequest Examples

hashtagResponse Examples

Update Data Source

hashtagEndpoint

hashtagDescription

Enable Data Source

hashtagEndpoint

hashtagDescription

Get Lifecycle Manager Datasource

hashtagEndpoint

hashtagDescription

Get Parse Status

hashtagEndpoint

hashtagDescription

Get Sync Status

hashtagEndpoint

hashtagDescription

hashtagAPI Reference

hashtagPath Parameters

hashtagRequest Examples

hashtagResponse Examples

Data Source Scheduling Configuration

hashtagOverview

hashtagExamples

hashtagSource of Identity Scheduling

hashtagPrevent Extraction During Business Hours

hashtagEndpoints

hashtagCreate or Update Scheduling Configuration

hashtagEndpoint

hashtagDescription

hashtagPath Parameters

hashtagRequest Body

hashtagValidation Rules

hashtagRequest Examples

hashtagResponse Examples

hashtagGet Scheduling Configuration

hashtagEndpoint

hashtagDescription

hashtagPath Parameters

hashtagRequest Examples

hashtagResponse Examples

hashtagList Scheduling Configurations

hashtagEndpoint

hashtagDescription

hashtagQuery Parameters

hashtagRequest Examples

hashtagResponse Examples

hashtagDelete Scheduling Configuration

hashtagEndpoint

Notes

Authentication

Sample Integrations and Tools

Open Authorization APIs

Overview

Before you start

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

Step 2: Identify target providers and services

Step 3: Test with a single provider

Step 4: Apply to multiple providers

Manual approach (recommended for small numbers)

Bulk approach (for many providers)

Step 5: Verify changes

Reversing changes

Re-enable all services

Modify service configuration

Available AWS services

See also

Endpoint

Description

Endpoint

Description

API Reference

Path Parameters

Request Examples

Response Examples

Endpoint

Description

Endpoint

Description

Endpoint

Description

Endpoint

Description

Endpoint

Description

API Reference

Path Parameters

Request Examples

Response Examples

Overview

Examples

Source of Identity Scheduling

Prevent Extraction During Business Hours

Endpoints

Create or Update Scheduling Configuration

Endpoint

Description

Path Parameters

Request Body

Validation Rules

Request Examples

Response Examples

Get Scheduling Configuration

Endpoint

Description

Path Parameters

Request Examples

Response Examples

List Scheduling Configurations

Endpoint

Description

Query Parameters

Request Examples

Response Examples

Delete Scheduling Configuration

Endpoint

Description

Path Parameters

Request Examples

Response Examples

Related APIs

Sample request

Overview

Before you start

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

Step 2: Identify target providers and services

Step 3: Test with a single provider