# Set up a Microsoft AKS connector

> C1 provides identity governance for Azure Kubernetes Service (AKS). Integrate your AKS instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource      | Sync                                                          | Provision |
| :------------ | :------------------------------------------------------------ | :-------- |
| Accounts      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Groups        | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Roles         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Cluster roles | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Namespaces    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |

## Gather AKS credentials

Configuring the connector requires you to pass in credentials generated in AKS. Gather these credentials before you move on.

<Warning>
  To create a Service Principal in AKS the user must have the following permissions:

  * Application.ReadWrite.All
  * Directory.ReadWrite.All

  Roles that grant these permissions include:

  * Azure AD Administrator
  * Application Administrator
  * Cloud Application Administrator

  To assign a role to the Service Principal, the user must have Azure resource-level permissions, typically at the subscription, resource group, or AKS resource level:

  * Microsoft.Authorization/roleAssignments/write permission
</Warning>

### Look up your Azure subscription ID and cluster resource group name

<Steps>
  <Step>
    In Azure, search for and navigate to your cluster's home page.
  </Step>

  <Step>
    On the **Overview** tab, locate the **Essentials** section.
  </Step>

  <Step>
    Make a note of the cluster's resource group name and subscription ID.
  </Step>
</Steps>

### Look up your tenant ID

<Steps>
  <Step>
    In the main search bar, click **Tenant properties**.
  </Step>

  <Step>
    Make a note of the tenant ID.
  </Step>
</Steps>

### Create a Service Principal

If desired, you can use an existing Service Principal. Follow these steps if you want to create a new one.

<Steps>
  <Step>
    In Entra admin center, navigate to **App registrations**.
  </Step>

  <Step>
    Click **+ New registration**.
  </Step>

  <Step>
    Give the application a name, such as "C1".
  </Step>

  <Step>
    Select the supported account type appropriate for your organization. For most internal automation, "Accounts in this organizational directory only (Single tenant)" is sufficient.
  </Step>

  <Step>
    You do not need to set a redirect URI.
  </Step>

  <Step>
    Click **Register**.
  </Step>

  <Step>
    The new app is created. Carefully copy and save the **Application (client) ID** and the **Directory (tenant) ID** shown on the application summary page.
  </Step>

  <Step>
    Next, we'll generate a client secret for this app. Click **Certificates & secrets**.
  </Step>

  <Step>
    Click **+ New client secret**.
  </Step>

  <Step>
    Give the client secret a description and set its expiration.
  </Step>

  <Step>
    Click **Add**.
  </Step>

  <Step>
    The client secret is generated. Carefully copy and save the **Secret Value**.
  </Step>
</Steps>

### Assign Azure RBAC permissions to the Service Principal

Next, grant this Service Principal the **Reader** role at the subscription level so it can discover and read all your AKS cluster information.

<Steps>
  <Step>
    In the Azure portal's search bar, type "Subscriptions" and select the relevant Azure subscription.
  </Step>

  <Step>
    In the left-hand menu of your Subscription, select **Access control (IAM)**.
  </Step>

  <Step>
    Click **+ Add** > **Add role assignment**.
  </Step>

  <Step>
    On the **Role** tab, search for and select the **Reader** role.
  </Step>

  <Step>
    Click **Next**.
  </Step>

  <Step>
    On the **Members** tab, ensure **User, group, or service principal** is selected for **Assign access to**.
  </Step>

  <Step>
    Click **+ Select members**.
  </Step>

  <Step>
    In the **Select members** pane, search for and select the name of your App Registration.
  </Step>

  <Step>
    Click **Select** at the bottom of the pane.
  </Step>

  <Step>
    Click **Review + assign** at the bottom.
  </Step>
</Steps>

Allow time for the new role to propagate. Azure role assignments can take several minutes (typically 5 to 15, sometimes up to 30) to fully propagate.

### Make sure your Service Principal has cluster access

The Service Principal must have access to the cluster in Azure and the proper permissions defined in the cluster.

<Steps>
  <Step>
    In Azure, navigate to the cluster's admin page and click **Access control (IAM)**.
  </Step>

  <Step>
    Locate **Role assignments** and add a new assignment for your Service Principal. Commonly used roles are "Azure Kubernetes Service Cluster User Role" and "Azure Kubernetes Service Cluster Admin Role".
  </Step>
</Steps>

Be aware that propagation of this assignment may take some time (up to multiple hours) depending on the size and complexity of your cluster.
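The same two assignments made from the Azure CLI, with a poll that waits out the propagation delay described above. This is an added example, not C1's or the baton-aks project's code; it assumes the Azure CLI is logged in as a user holding the roles listed in the warning at the top of this page, and that the Service Principal's Application (client) ID is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the C1 docs or the baton-aks project. Assumes the
# Azure CLI is logged in as a user with the permissions listed above, and that
# $1 is the Service Principal's Application (client) ID.
set -eu

# Resource-ID scopes for the two assignments the page walks through.
subscription_scope() { printf '/subscriptions/%s' "$1"; }
cluster_scope() {  # $1 subscription ID, $2 resource group, $3 cluster name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerService/managedClusters/%s' "$1" "$2" "$3"
}

# Poll until the assignment is visible: propagation takes minutes at
# subscription scope and can take hours for the cluster-scope role.
wait_for_assignment() {  # $1 app ID, $2 role name, $3 scope, $4 max seconds
  elapsed=0
  while [ "$elapsed" -lt "$4" ]; do
    n=$(az role assignment list --assignee "$1" --role "$2" --scope "$3" --query 'length(@)' -o tsv)
    [ "${n:-0}" -gt 0 ] && return 0
    sleep 30; elapsed=$((elapsed + 30))
  done
  echo "role '$2' at $3 still not visible after $4 s" >&2
  return 1
}

# Reader at the subscription, plus the less privileged of the two cluster roles
# the page names (Cluster User rather than Cluster Admin).
assign_roles() {  # $1 app ID, $2 subscription ID, $3 resource group, $4 cluster name
  obj_id=$(az ad sp show --id "$1" --query id -o tsv)  # object ID, so no Graph lookup at create time
  sub=$(subscription_scope "$2")
  aks=$(cluster_scope "$2" "$3" "$4")
  for pair in "Reader|$sub" "Azure Kubernetes Service Cluster User Role|$aks"; do
    role=${pair%%|*}; scope=${pair#*|}
    az role assignment create --assignee-object-id "$obj_id" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" -o none
    wait_for_assignment "$1" "$role" "$scope" 1800
  done
}

if [ "$#" -eq 4 ]; then assign_roles "$@"; fi
```

If the cluster-scope wait times out, the assignment already exists and only the wait needs to be repeated.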

**Done.** Next, move on to the connector configuration instructions.

## Configure the AKS connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of AKS credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **AKS** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new AKS connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the AKS credentials into the relevant fields.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your AKS connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the AKS connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    [Contact C1's support team](mailto:support@c1.ai) to download the latest version of the connector.

    ### Step 1: Set up a new AKS connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new AKS connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.
        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your AKS connector deployment:

    #### Secrets configuration

    ```yaml
    # baton-aks-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-aks-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # AKS credentials
      BATON_SUBSCRIPTION_ID: <Azure subscription ID>
      BATON_RESOURCE_GROUP: <Resource group name of the cluster>
      BATON_CLUSTER_NAME: <Name of the cluster to sync>
      BATON_TENANT_ID: <The directory (tenant) ID where your service principal is registered>
      BATON_SP_CLIENT_ID: <The Application (client) ID of your service principal>
      BATON_SP_CLIENT_SECRET: <The client (Service Principal) secret>
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml
    # baton-aks.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-aks
      labels:
        app: baton-aks
    spec:
      selector:
        matchLabels:
          app: baton-aks
      template:
        metadata:
          labels:
            app: baton-aks
            # Label values must be strings; an unquoted true is parsed as a YAML
            # boolean and the manifest is rejected on apply.
            baton: "true"
            baton-app: aks
        spec:
          containers:
          - name: baton-aks
            image: ghcr.io/conductorone/baton-aks:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-aks
            envFrom:
            - secretRef:
                name: baton-aks-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the AKS connector to. AKS data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>
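    A pre-flight check and deploy script for the two manifests from Step 2, as an added example that is not C1's or the baton-aks project's own tooling. It assumes the files are named `baton-aks-secrets.yaml` and `baton-aks.yaml` as in the comments above and that `kubectl` points at the target cluster; it refuses to apply while a `<placeholder>` value remains, a key the connector reads is missing, or the Deployment references a Secret of a different name.

    ```shell
    #!/bin/sh
    # Added example, not part of the C1 docs or the baton-aks project.
    # Usage: sh preflight-deploy.sh baton-aks-secrets.yaml baton-aks.yaml <namespace>
    set -eu

    # Every key the Secret template above defines; the connector reads all of them.
    REQUIRED_KEYS="BATON_CLIENT_ID BATON_CLIENT_SECRET BATON_SUBSCRIPTION_ID BATON_RESOURCE_GROUP BATON_CLUSTER_NAME BATON_TENANT_ID BATON_SP_CLIENT_ID BATON_SP_CLIENT_SECRET"

    # Fail if any <placeholder> from the template was left unfilled.
    no_placeholders() {
      if grep -Eq '^[[:space:]]*BATON_[A-Z_]+:[[:space:]]*<' "$1"; then
        echo "unfilled <placeholder> in $1" >&2; return 1
      fi
    }

    # Fail if a key is missing from stringData.
    has_required_keys() {
      for key in $REQUIRED_KEYS; do
        grep -Eq "^[[:space:]]*${key}:" "$1" || { echo "missing $key in $1" >&2; return 1; }
      done
    }

    # The Deployment's envFrom.secretRef.name must be the Secret's metadata.name,
    # otherwise the pod starts with no credentials at all.
    secret_ref_matches() {  # $1 secret file, $2 deployment file
      secret_name=$(awk '/^metadata:/{m=1;next} m&&/^[[:space:]]+name:/{print $2;exit}' "$1")
      ref_name=$(awk '/secretRef:/{r=1;next} r&&/name:/{print $2;exit}' "$2")
      [ -n "$secret_name" ] && [ "$secret_name" = "$ref_name" ]
    }

    preflight() {  # $1 secret file, $2 deployment file; succeeds only if all checks pass
      no_placeholders "$1" && has_required_keys "$1" && secret_ref_matches "$1" "$2"
    }

    deploy() {  # $1 secret file, $2 deployment file, $3 namespace
      preflight "$1" "$2"
      kubectl create namespace "$3" --dry-run=client -o yaml | kubectl apply -f -
      kubectl apply -n "$3" --dry-run=client -f "$2"   # schema errors surface before anything is created
      kubectl apply -n "$3" -f "$1" -f "$2"
      kubectl rollout status -n "$3" deployment/baton-aks --timeout=120s
      kubectl logs -n "$3" deployment/baton-aks --tail=50   # then confirm Syncing/Connected in C1
    }

    if [ "$#" -eq 3 ]; then deploy "$@"; fi
    ```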

    **Done.** Your AKS connector is now pulling access data into C1.
  </Tab>
</Tabs>
