API operations for enabling and disabling provider connections
The v1/providers API includes endpoints to enable or disable integrations by provider id. This allows you to temporarily pause data extraction and synchronization for specific providers when needed, without deleting the configuration.
The provider_id value should be obtained from the provider listing APIs (e.g., /api/v1/providers/aws for AWS providers).
Enable: activates a provider connection that was disabled.
Disable: deactivates a provider connection until it is re-enabled, preserving the configured settings.
Detailed integration status and progress info for running jobs.
GET api/v1/providers/datasources/{id}/parse_status (List Parse Job Status)
GET api/v1/providers/datasources/{id}/sync_status (List Sync Job Status)
Returns the most recent job type, state, status, and progress for a Veza datasource.
Sync jobs are connections to the integration to extract identity and authorization metadata.
Parse jobs compile the extracted metadata into graph entities and relationships.
States can be: PENDING, IN_PROGRESS, COMPLETED
Status can be: OK, CANCELED, DEADLINE_EXCEEDED, NOT_FOUND, PERMISSION_DENIED, UNAUTHENTICATED, UNAVAILABLE, INTERNAL, FAILED_PRECONDITION
Data sources time out after a heartbeat hasn't been received or changed in a period of time (typically 24 hours).
Parse jobs have the PARSE type. Sync job types can be: DISCOVERY, EXTRACTION
The job_status response will contain stats with detailed timestamps and progress on the active step, including the current_count of discovered or parsed objects. A total_count is shown for completed steps.
Use to get overall integration state and a summary of last sync and parse time.
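A small poller for the sync_status and parse_status endpoints that turns the state and status vocabulary above into an operator action. This is an added example, not Veza's own client: the endpoint paths, states, statuses and the job_status/stats/current_count/total_count fields come from the page, while the surrounding JSON shape and the bearer-token header are assumptions.

```python
"""Poll a data source's sync or parse job and triage the outcome.

Added example, not Veza's own client. Endpoint paths, the state and status
vocabularies and the job_status/stats/current_count/total_count fields are
from the page; the surrounding JSON shape and bearer-token header are assumed.
"""
import json
import time
import urllib.request

# Status values from the page, grouped by what an operator should do next.
CREDENTIAL_ERRORS = {"PERMISSION_DENIED", "UNAUTHENTICATED"}
TRANSIENT_ERRORS = {"UNAVAILABLE", "DEADLINE_EXCEEDED", "INTERNAL"}
CONFIG_ERRORS = {"NOT_FOUND", "FAILED_PRECONDITION"}
ACTIVE_STATES = {"PENDING", "IN_PROGRESS"}


def triage(job_status: dict) -> str:
    """Map (state, status) to one action word."""
    status = job_status.get("status", "OK")
    state = job_status.get("state")
    if status in CREDENTIAL_ERRORS:
        return "fix-credentials"  # key, role or token no longer accepted upstream
    if status in TRANSIENT_ERRORS:
        return "retry"            # provider or Insight Point unreachable / timed out
    if status in CONFIG_ERRORS:
        return "fix-config"       # something the job depends on is missing or invalid
    if status == "CANCELED":
        return "canceled"
    if status != "OK":
        return "unknown"
    if state == "COMPLETED":
        return "ok"
    return "running" if state in ACTIVE_STATES else "unknown"


def progress(job_status: dict):
    """Return (current_count, total_count, percent) from stats; None where absent."""
    stats = job_status.get("stats") or {}
    cur, tot = stats.get("current_count"), stats.get("total_count")
    pct = round(100.0 * cur / tot, 1) if cur is not None and tot else None
    return cur, tot, pct


def fetch_job_status(base_url: str, api_key: str, datasource_id: str, kind: str) -> dict:
    """GET .../datasources/{id}/sync_status or .../parse_status."""
    if kind not in ("sync", "parse"):
        raise ValueError("kind must be 'sync' or 'parse'")
    url = f"{base_url.rstrip('/')}/api/v1/providers/datasources/{datasource_id}/{kind}_status"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return body.get("job_status", body)  # assumed: tolerate nested or flat payloads


def wait_for_job(base_url, api_key, datasource_id, kind="sync", timeout_s=900, poll_s=15):
    """Poll until the job leaves PENDING/IN_PROGRESS or the timeout passes."""
    deadline = time.monotonic() + timeout_s
    while True:
        job = fetch_job_status(base_url, api_key, datasource_id, kind)
        action = triage(job)
        if action != "running" or time.monotonic() > deadline:
            return action, job
        time.sleep(poll_s)
```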
Operations for listing, adding, and modifying cloud provider configurations
providers/aws
You can use the methods described below to view, create, modify, and delete AWS providers:
GET {{vezaURL}}/api/v1/providers/aws
Returns information about each registered AWS account, including the status and id.
POST {{vezaURL}}/api/v1/providers/aws
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| name* | string | Name for the AWS account in Veza |
| account_id* | string | AWS account ID |
| regions* | array | Any valid AWS region (deprecated) |
| data_plane_id* | string | Insight Point ID to use for discovery |
| credentials_type* | string | Authorization method, one of STATIC, EC2_INSTANCE_PROFILE, ASSUME_CUSTOMER_ROLE |
| access_key_id | string | For static (user) credentials, provide the user access key id |
| secret_key | string | For static (user) credentials, provide the secret key |
| assume_role_name | string | For assume role credentials, the role name |
| assume_role_external_id | string | For assume role credentials, the role's trusted external ID |
| db_user* | string | Name of the local database user for RDS/Redshift extraction |
| services* | array | If not empty (default), only the listed services will be enabled. Valid values are listed below. |
| redshift_database_allow_list | array | List of Redshift DB ARNs to explicitly allow |
| redshift_database_deny_list | array | List of Redshift DB ARNs to ignore |
| rds_database_allow_list | array | List of RDS DB names to explicitly allow |
| rds_database_deny_list | array | List of RDS DB names to ignore |
| s3_bucket_allow_list | array | List of S3 bucket names to allow |
| s3_bucket_deny_list | array | List of S3 bucket names to ignore |

Valid values for services:

| Service | Value |
| --- | --- |
| Redshift | REDSHIFT |
| Redshift Cluster | REDSHIFT_CLUSTER |
| S3 | S3 |
| RDS PostgreSQL | RDS_POSTGRES |
| RDS MySQL | RDS_MYSQL |
| RDS Oracle | RDS_ORACLE |
| RDS | RDS |
| DynamoDB | DYNAMODB |
| KMS | KMS |
| EMR | EMR |
| Organizations | ORGANIZATIONS |
| EC2 | EC2 |
| Identity Center | SSO |
| Cognito | COGNITO |
| Lambda | LAMBDA |
| Secrets Manager | SECRETS_MANAGER |
| ECR | ECR |
| EKS | EKS |
| Databricks | AWS_DATABRICKS |
GET {{vezaURL}}/api/v1/providers/aws/{id}
Returns configuration and status for the specified AWS provider.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The AWS provider configuration id |

DELETE {{vezaURL}}/api/v1/providers/aws/{id}
Note that deleting the provider will remove all entities under the AWS account from Veza.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id | string | ID of the AWS account to remove |

PATCH {{vezaURL}}/api/v1/providers/aws/{id}
Update an existing AWS provider configuration. You can provide field mask paths to only update specific properties.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id | string | The AWS provider ID |
| update_mask.paths | array[string] | The set of field mask paths |
| account_id | string | |
| credentials_type | enum | |
| access_key_id | string | |
| secret_key | string | |
| assume_role_name | string | |
| assume_role_external_id | string | |
| regions | array | |
| db_user | string | |
| services | array | |
| data_plane_id* | string | |
Two additional requests provide details about the AWS IAM policies for the integration:
GET {{vezaURL}}/api/v1/providers/aws:trustpolicy?assume_role_external_id={{string}}
When adding AWS accounts using the ASSUME_CUSTOMER_ROLE credentials type, use this request to generate the required trust policy (in addition to the required AWS permissions obtained with Check Policy).
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| assume_role_external_id | string | The external ID to include in the policy |

GET {{vezaURL}}/api/v1/providers/aws/{id}:checkpolicy
Validates the current policy granting Veza AWS IAM permissions, and returns whether an update is required.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | AWS account id |
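The following script registers an account with ASSUME_CUSTOMER_ROLE credentials rather than static keys, fetches the trust policy for the external ID, and then calls checkpolicy on the new provider. It is an added example, not Veza's or AWS's own code: the field names, endpoint paths and service values are from the page, while the JSON request and response shapes (including where the created provider's id appears) and all sample values are assumptions.

```python
"""Register an AWS account with ASSUME_CUSTOMER_ROLE credentials, then fetch
the trust policy and run the check-policy request.

Added example, not Veza's or AWS's own code. Field names, endpoint paths and
the valid service values are from the page; the JSON request and response
shapes (including the "id" of the created provider) are assumptions.
"""
import json
import urllib.parse
import urllib.request

VALID_SERVICES = {
    "REDSHIFT", "REDSHIFT_CLUSTER", "S3", "RDS_POSTGRES", "RDS_MYSQL", "RDS_ORACLE",
    "RDS", "DYNAMODB", "KMS", "EMR", "ORGANIZATIONS", "EC2", "SSO", "COGNITO",
    "LAMBDA", "SECRETS_MANAGER", "ECR", "EKS", "AWS_DATABRICKS",
}


def aws_provider_body(name, account_id, data_plane_id, db_user, role_name,
                      external_id, services=(), regions=()):
    """POST body for an account read through role assumption: no long-lived keys."""
    bad = set(services) - VALID_SERVICES
    if bad:
        raise ValueError(f"unknown services: {sorted(bad)}")
    if not external_id:
        raise ValueError("ASSUME_CUSTOMER_ROLE needs an external ID (confused-deputy guard)")
    return {
        "name": name,
        "account_id": account_id,
        "regions": list(regions),  # deprecated on the page but still marked required
        "data_plane_id": data_plane_id,
        "credentials_type": "ASSUME_CUSTOMER_ROLE",
        "assume_role_name": role_name,
        "assume_role_external_id": external_id,
        "db_user": db_user,
        "services": list(services),
    }


def check_no_static_secrets(body: dict) -> dict:
    """Refuse to send access keys alongside a non-STATIC configuration."""
    if body.get("credentials_type") != "STATIC" and (
            body.get("access_key_id") or body.get("secret_key")):
        raise ValueError("static keys present in a non-STATIC configuration")
    return body


def trust_policy_url(base_url: str, external_id: str) -> str:
    query = urllib.parse.urlencode({"assume_role_external_id": external_id})
    return f"{base_url.rstrip('/')}/api/v1/providers/aws:trustpolicy?{query}"


def check_policy_url(base_url: str, provider_id: str) -> str:
    return f"{base_url.rstrip('/')}/api/v1/providers/aws/{provider_id}:checkpolicy"


def _call(url, api_key, method="GET", body=None):
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def register_and_verify(base_url, api_key, body):
    """1) trust policy to attach to the role in AWS, 2) create the provider,
    3) ask Veza whether the role's IAM permissions need updating."""
    check_no_static_secrets(body)
    trust = _call(trust_policy_url(base_url, body["assume_role_external_id"]), api_key)
    created = _call(f"{base_url.rstrip('/')}/api/v1/providers/aws", api_key, "POST", body)
    provider_id = created.get("id") or created.get("value", {}).get("id")  # assumed shape
    return trust, created, _call(check_policy_url(base_url, provider_id), api_key)
```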
providers/azure
GET {{vezaURL}}/api/v1/providers/azure
Get the configuration and status for all configured Azure tenants.
POST {{vezaURL}}/api/v1/providers/azure
Register a new Azure tenant for discovery.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| name* | string | Name to display for the Azure tenant |
| tenant_id* | string | The Azure tenant ID |
| client_id* | string | Client ID used to connect |
| client_secret* | string | The Client Secret |
| data_plane_id* | string | ID of the Insight Point used to connect (if applicable) |
| auth_certificate | string | Certificate for app-only SharePoint access |
| auth_certificate_password | string | Certificate password (if applicable) |
| services | array | String list of services to enable (e.g. SQLSERVER, SHAREPOINT, AZUREVM) |
| gather_personal_sites | boolean | Whether to gather personal SharePoint sites |
| gather_guest_users | boolean | Whether to parse identity metadata for Azure AD Guest users |
| gather_disabled_users | boolean | Whether to include disabled users |
| domains | array | Comma-separated list of domains to discover, ignoring any others |
| sql_server_database_allow_list | array | List of SQL DB names to allow |
| sql_server_database_deny_list | array | List of SQL DB names to deny |
| sql_server_schema_allow_list | array | List of SQL schema names to allow |
| sql_server_schema_deny_list | array | List of SQL schema names to deny |
GET {{vezaURL}}/api/v1/providers/azure/{id}
Return an existing provider configuration by ID.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The Azure provider configuration ID |

DELETE {{vezaURL}}/api/v1/providers/azure/{id}
Delete the provider configuration and its discovered entities.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The Azure provider configuration ID |

PATCH {{vezaURL}}/api/v1/providers/azure/{id}
Update an existing provider configuration with new properties.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| {id}* | string | The Azure provider configuration ID |
| update_mask.paths | array[string] | The set of field mask paths |
| tenant_id | string | |
| client_id | string | |
| client_secret | string | |
| auth_certificate | string | |
| auth_certificate_password | string | |
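A field-mask update used the way an operator most often needs it: rotating client_secret without touching any other property of the tenant configuration. This is an added example, not Veza's own client; the endpoint and the update_mask.paths parameter are from the page, while carrying the mask in the JSON body as {"update_mask": {"paths": [...]}} is an assumption about the wire format. The same pattern applies to the AWS, Snowflake, Trino, Okta and OneLogin PATCH endpoints on this page.

```python
"""Rotate an Azure tenant's client secret with PATCH and a field mask.

Added example, not Veza's own client. The endpoint and the update_mask.paths
parameter are from the page; carrying the mask in the JSON body as
{"update_mask": {"paths": [...]}} is an assumption about the wire format.
"""
import json
import urllib.request

# Paths the page lists as maskable on PATCH /api/v1/providers/azure/{id}.
AZURE_PATCH_PATHS = {"tenant_id", "client_id", "client_secret",
                     "auth_certificate", "auth_certificate_password"}
SECRET_PATHS = {"client_secret", "auth_certificate", "auth_certificate_password"}


def masked_update(fields: dict, allowed=AZURE_PATCH_PATHS) -> dict:
    """Build a PATCH body whose mask is derived from the keys supplied, so a
    secret rotation cannot silently overwrite tenant_id or client_id."""
    if not fields:
        raise ValueError("nothing to update")
    unknown = set(fields) - allowed
    if unknown:
        raise ValueError(f"not maskable on this endpoint: {sorted(unknown)}")
    return {"update_mask": {"paths": sorted(fields)}, **fields}


def redact(body: dict) -> dict:
    """Copy of a PATCH body that is safe to log or paste into a change ticket."""
    return {k: ("***" if k in SECRET_PATHS else v) for k, v in body.items()}


def patch_azure_provider(base_url: str, api_key: str, provider_id: str, fields: dict) -> dict:
    body = masked_update(fields)
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/providers/azure/{provider_id}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Only client_secret is in the mask; tenant_id and client_id are untouched.
    print(redact(masked_update({"client_secret": "example-new-secret"})))
```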
providers/google_cloud
Each Google Cloud provider configuration has the following properties, which can be obtained with a GET request to the providers/google_cloud endpoint. To register a new Google Cloud and Workspace for discovery, use the POST request with the same fields.
GET {{vezaURL}}/api/v1/providers/google_cloud
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| name* | string | Friendly name for the Google Cloud connection |
| credentials_json* | string | Credentials in JSON format |
| data_plane_id* | string | Insight Point to use to connect |
| workspace_email* | string | Email of the GCP workspace user to assume |
| customer_id* | string | Google Workspace customer ID |
| project_allow_list | array | List of names of any projects to allow for discovery |
| project_deny_list | array | List of names of any projects to ignore |
| domain_allow_list | array | List of names of domains to explicitly allow |
| domain_deny_list | array | List of domains to ignore |
| services | array | If specified, only the listed services will be discovered (e.g. KEYMANAGEMENT, IAM, STORAGE, WORKSPACE, COMPUTE) |
| dataset_allow_list | array | List of BigQuery dataset names to allow |
| dataset_deny_list | array | List of BigQuery dataset names to ignore during parsing |

POST {{vezaURL}}/api/v1/providers/google_cloud
Add a Google Cloud Platform configuration. Accepts the same fields listed above.
GET {{vezaURL}}/api/v1/providers/google_cloud/{id}
DELETE {{vezaURL}}/api/v1/providers/google_cloud/{id}
PATCH {{vezaURL}}/api/v1/providers/google_cloud
providers/snowflake
A Snowflake configuration has the following parameters:
GET {{vezaURL}}/api/v1/providers/snowflake
Get the configuration and status for all configured Snowflake providers.
POST {{vezaURL}}/api/v1/providers/snowflake
Register a new Snowflake provider for discovery.
To retrieve a valid insight point ID, navigate to Administration > Insight Point, and find the id of the one you will use for the connection to Snowflake.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| name* | string | A name for the Snowflake configuration |
| account_locator* | string | The Snowflake account locator (e.g. xy12345) |
| region* | string | The AWS, GCP, or Azure region for the Snowflake account |
| cloud* | string | Cloud provider for the Snowflake account (valid values are AWS, Azure, or GCP) |
| user* | string | The username of the local Snowflake user to be used for discovery (e.g. veza_user) |
| password* | string | Password for the local user |
| role* | string | The role the local user will use to conduct queries (e.g. cai_role) |
| warehouse* | string | The default Snowflake warehouse compute_wh, or the name of another warehouse Veza can use for extraction at runtime |
| data_plane_id* | string | GUID to use for discovery |

GET {{vezaURL}}/api/v1/providers/snowflake/{id}
Retrieve an existing Snowflake configuration by ID.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The Snowflake provider ID |

DELETE {{vezaURL}}/api/v1/providers/snowflake/{id}
Delete a Snowflake provider configuration and its discovered entities.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The Snowflake provider ID |

PATCH {{vezaURL}}/api/v1/providers/snowflake/{id}
Update an existing Snowflake provider configuration with new properties.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| {id}* | string | The Snowflake provider ID |
| update_mask.paths | array[string] | The set of field mask paths |
providers/sqlserver
Each SQL server configuration contains the following properties, which can be obtained with a GET request to providers/sqlserver.
To register a new SQL server for discovery, use:
GET {{vezaURL}}/api/v1/providers/sqlserver
POST {{vezaURL}}/api/v1/providers/sqlserver
GET {{vezaURL}}/api/v1/providers/sqlserver/{id}
DELETE {{vezaURL}}/api/v1/providers/sqlserver/{id}
PATCH {{vezaURL}}/api/v1/providers/sqlserver/{id}
providers/trino
Veza gathers metadata for Trino both by connecting as a local user and by reading the Trino access control file, which must be made available to Veza as an S3 object. Each Trino provider configuration has the structure:
GET {{vezaURL}}/api/v1/providers/trino
Get the configuration and status for all current Trino providers.
POST {{vezaURL}}/api/v1/providers/trino
Add a Trino provider by providing the host, local user credentials, and a path and authentication method for the Trino access control file stored in AWS S3.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | Name for the provider |
| host* | string | The address of the Trino Coordinator |
| port* | int | The port to use for the connection |
| username* | string | Trino local username |
| password* | string | Trino local user password |
| data_plane_id* | string | Insight Point ID |
| aws_s3_object_config* | object | Contains path and authorization details for the file system access control S3 object |
| ssl_certificate | string | Upload the SSL certificate configured for the Trino coordinator |

GET {{vezaURL}}/api/v1/providers/trino/{id}
Retrieve an existing Trino provider configuration by ID.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The Trino provider ID |

DELETE {{vezaURL}}/api/v1/providers/trino/{id}
Delete a Trino provider and its discovered entities.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id | string | The Trino provider ID |

PATCH {{vezaURL}}/api/v1/providers/trino/{id}
Update an existing Trino configuration with new properties.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| {id}* | string | The Trino provider ID |
| update_mask.paths | array[string] | The set of field mask paths |
API endpoints for configuring Okta and OneLogin
providers/activedirectory
The response will include all existing configurations, in the format:
providers/okta
An Okta configuration includes connection information and credentials, as well as any limits on apps and domains to extract:
GET {{vezaURL}}/api/v1/providers/okta
Get the configuration and status for all configured Okta integrations.
POST {{vezaURL}}/api/v1/providers/okta
Submit a new Okta provider configuration.
GET {{vezaURL}}/api/v1/providers/okta/{id}
Get an individual Okta provider configuration.
DELETE {{vezaURL}}/api/v1/providers/okta/{id}
Delete an Okta provider, removing all associated entities from Veza.
PATCH {{vezaURL}}/api/v1/providers/okta/{id}
Update an existing provider configuration with new properties.
providers/onelogin
A OneLogin configuration includes the domain, region, and credentials to use for the connection:
GET {{vezaURL}}/api/v1/providers/onelogin
Gets all configured OneLogin providers.
POST {{vezaURL}}/api/v1/providers/onelogin
Submit a new OneLogin provider configuration. See for more information about enabling Veza access to OneLogin metadata.
GET {{vezaURL}}/api/v1/providers/onelogin/{id}
Return the status and configuration for a single OneLogin provider configuration.
DELETE {{vezaURL}}/api/v1/providers/onelogin/{id}
Delete a OneLogin configuration and its discovered entities.
PATCH {{vezaURL}}/api/v1/providers/onelogin/{id}
Update a OneLogin provider configuration. You can provide field mask paths to only update specific fields.
You can manage Veza integrations using the management API and a Veza admin .
See for detailed instructions on authorizing Veza for AWS account discovery. Each account has the properties:
Configures a new AWS account for discovery and extraction. See for additional details on the required fields.
A configuration can optionally set on the data sources and services to parse.
For a given external ID, returns the IAM policy that should be to the role assumed for resource discovery.
An Azure configuration includes connection details and credentials, and may contain an optional auth certificate for connecting to . A configuration can allow or deny individual datasources, or only include specific services .
See the for more details on integrating Veza with your Azure tenant, Active Directory, and SharePoint.
For more information about connecting to Google Cloud, see the .
See for more information about integrating Snowflake warehouses with Veza.
For more information about connecting to SQL server, see the .
The default credentials_type "STATIC" uses an access key and secret ID to read the Trino access control file in S3. If connecting to AWS using a role, change the type to assume_customer_role and provide .
See for more information about integrating your Trino resources with Veza.
You can manage Veza Identity Provider integrations using the management API and a Veza admin .
AzureAD and Google Workspace identities are discovered by adding the associated Google Cloud account or Azure tenant as a .
See the configuration guide for the prerequisite steps to integrate with Veza. An AD configuration has the following parameters:
See the integration guide for more details on retrieving an Okta API token and registering your domain with Veza.
See for steps to generate credentials for Veza-OneLogin API access.
Okta POST parameters (* indicates a required field):

| Field | Type | Description |
| --- | --- | --- |
| name* | string | Name for the Okta Provider |
| domain* | string | Okta domain |
| region* | string | The Okta region, e.g. us |
| data_plane_id | string | Provide if connecting via an Insight Point |
| token* | string | Okta API token |
| gather_all_applications | boolean | Whether to extract all apps or only selected |
| domain_allow_list | string list | Domains to explicitly allow |
| domain_deny_list | string list | Domains to exclude from discovery |
| app_allow_list | string list | Apps to explicitly allow |
| app_deny_list | string list | Apps to exclude from discovery |

Okta GET {id} parameters:

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The Okta provider configuration ID |

Okta DELETE parameters:

| Field | Type | Description |
| --- | --- | --- |
| id | string | ID of the configuration to delete |

Okta PATCH parameters:

| Field | Type | Description |
| --- | --- | --- |
| {id}* | string | The Okta provider configuration ID |
| update_mask.paths | array[string] | The set of field mask paths |
| domain | string | |
| region | string | |
| token | string | |
OneLogin POST parameters (* indicates a required field):

| Field | Type | Description |
| --- | --- | --- |
| name* | string | The name to show in Veza |
| domain* | string | Your company's OneLogin domain |
| region* | string | The region of the OneLogin instance, e.g. us |
| client_id* | string | Client ID for the OneLogin key pair |
| client_secret* | string | Client Secret for the OneLogin ID pair |
| data_plane_id | string | Insight Point ID to use for the connection |

OneLogin GET {id} parameters:

| Field | Type | Description |
| --- | --- | --- |
| id* | string | OneLogin provider ID |

OneLogin DELETE parameters:

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The OneLogin configuration to delete |

OneLogin PATCH parameters:

| Field | Type | Description |
| --- | --- | --- |
| {id}* | string | ID of the OneLogin configuration to update |
| update_mask.paths | array[string] | The set of field mask paths |
| name* | string | |
| domain* | string | |
| region* | string | |
| client_id* | string | |
| client_secret* | string | |
| data_plane_id | string | |
Programmatic configuration of providers and data sources
A data plane ID is required when adding a custom provider. This value refers to the Insight Point used for discovery, or the GUID of the built-in data plane. To get all available IDs, navigate to Administration > Insight Point. Unless you have deployed an Insight Point within your environment, the only entry will be for the internal data plane.
If a request is unsuccessful, an error message will provide additional details and troubleshooting steps.
Register Accounts - Use the management API to add multiple AWS accounts from CSV.
Veza Python Client - Simple Python class for making REST API calls to Veza.
Cloud Formation Stacks - Configure multiple AWS accounts for Veza discovery by enabling the required assume role operations and IAM permissions.
Operations for disabling, enabling, and renaming individual data sources
Each cloud provider will have one or more associated data sources. Each represents a discrete instance of a service that Veza connects to for the discovery and extraction of authorization metadata.
The provider under /providers/aws/{id}, for example, may have an associated EC2 data source, represented as:
You can use the API to get or update data source records, or enable and disable individual data sources.
Disabling a data source will cancel all pending extractions.
GET {{vezaURL}}/api/v1/providers/datasources
Returns the properties and status for all data sources. When filtering is applied, only data sources matching the filter will be returned.
For example: ?filter=datasource_type+eq+"discoverer"&order_by=state
Veza expects spaces in URLs encoded as + (?custom_template+eq+"idp"&order_by=state). Note that some libraries and clients will encode the + characters as %2B by default, which will cause errors unless you override this behavior.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| filter | string | When present, only returns data sources matching the filter string. Available options: name, agent_type, status, state, provider_id, data_provider_id, datasource_type |
| order_by | string | Sort results by name, agent_type, status, state, provider_id, data_provider_id, or datasource_type |
| page_size | int | The maximum number of results to return. Fewer results may be returned even when more pages exist. |
| page_token | string | The token specifying the specific page of results to retrieve. |
GET {{vezaURL}}/api/v1/providers/datasources/{id}
Returns status for an individual data source.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The data source ID |

PUT {{vezaURL}}/api/v1/providers/datasources/{id}
Update the name for a given data source ID.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The data source ID |
| name | string | New name for the data source |

PUT {{vezaURL}}/api/v1/providers/datasources/{id}:disable
Pause discovery and extraction for a data source.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id* | string | The data source ID |

PUT {{vezaURL}}/api/v1/providers/datasources/{id}:enable
Resume monitoring and queue the data source for extraction.
* indicates a required field.

| Field | Type | Description |
| --- | --- | --- |
| id | string | The data source ID |
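A client for the data source listing above that builds the filter query the way Veza expects (spaces as +), shows the %2B pitfall a generic encoder produces, follows page_token through all pages, and pauses or resumes a single data source with the :disable and :enable endpoints. It is an added example, not Veza's own client: the query parameters, the + encoding rule and the endpoints are from the page, while the response keys "values" and "next_page_token" are assumptions.

```python
"""List data sources with a filter, paging through results, and pause one.

Added example, not Veza's own client. The query parameters, the '+' encoding
rule and the :disable/:enable endpoints are from the page; the response keys
"values" and "next_page_token" are assumptions.
"""
import json
import urllib.request
from urllib.parse import quote_plus, urlencode


def encode_filter(expr: str) -> str:
    """Write the filter with ordinary spaces, e.g. 'datasource_type eq "discoverer"';
    quote_plus turns them into '+' and leaves the double quotes readable."""
    return quote_plus(expr, safe='"')


def build_query(filter_expr=None, order_by=None, page_size=None, page_token=None) -> str:
    parts = []
    if filter_expr:
        parts.append("filter=" + encode_filter(filter_expr))
    if order_by:
        parts.append("order_by=" + quote_plus(order_by))
    if page_size:
        parts.append(f"page_size={int(page_size)}")
    if page_token:
        parts.append("page_token=" + quote_plus(page_token, safe=""))
    return "?" + "&".join(parts) if parts else ""


def naive_query(prejoined_filter: str) -> str:
    """The pitfall: a generic encoder handed 'a+b+c' emits %2B, which Veza rejects."""
    return "?" + urlencode({"filter": prejoined_filter})


def _request(url, api_key, method="GET"):
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def list_datasources(base_url, api_key, filter_expr=None, order_by=None, page_size=100):
    """Yield every data source matching the filter, following page_token."""
    root = base_url.rstrip("/") + "/api/v1/providers/datasources"
    token = None
    while True:
        body = _request(root + build_query(filter_expr, order_by, page_size, token), api_key)
        yield from body.get("values", [])
        token = body.get("next_page_token")
        if not token:
            return


def set_datasource_enabled(base_url, api_key, datasource_id, enabled: bool):
    """PUT .../datasources/{id}:enable or :disable (disable cancels pending extractions)."""
    action = "enable" if enabled else "disable"
    url = f"{base_url.rstrip('/')}/api/v1/providers/datasources/{datasource_id}:{action}"
    return _request(url, api_key, "PUT")
```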
providers/custom
The Veza management API enables internal tooling to automate administration of cloud providers and data sources. Each supported provider has endpoints to get, create, and modify the current , which can be useful when integrating with environments spanning many provider accounts.
You can issue new API keys from Administration > API Keys > . Provide the key as the bearer auth token in the header of each request.
Users must have the role to add/modify provider configurations. Configurations can be viewed by users with the operator role.
If your organization uses applications, data sources, or identity providers not natively supported by Veza, you may be able to add them to your data catalog using . You will need to query the provider to retrieve entity and permissions metadata and push the payload to Veza for parsing in a template format.
Endpoints for administering custom resources (/providers/custom/*) are described .
See and [OAA Operations](.../../oaa/rest-api/operations.md).