# Set up an Argo CD connector

> C1 provides identity governance for ArgoCD. Integrate your ArgoCD instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource | Sync                                                          | Provision                                                     |
| :------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Roles    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

The ArgoCD connector supports [automatic account provisioning](/product/admin/account-provisioning).

When a new account is created by C1, the account's password will be sent to a [vault](/product/admin/vaults).

This connector does not support account deprovisioning. You must deprovision accounts directly in ArgoCD.

## Gather ArgoCD credentials

Configuring the connector requires you to pass in credentials generated in ArgoCD. Gather these credentials before you move on.

### Create a Role with required permissions

The connector needs permissions to read and modify ArgoCD ConfigMaps. Create a Role that grants access to the following ConfigMaps:

* `argocd-rbac-cm`: Contains RBAC policies and role grants (needs read and write access)
* `argocd-cm`: Contains ArgoCD configuration including user accounts (needs write access for provisioning)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: baton-argo-cd
  namespace: argocd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "patch", "update"]
```

**Required Permissions Explained:**

* `get`: Read individual ConfigMaps (required to read `argocd-rbac-cm` and `argocd-cm`)
* `list`: List ConfigMaps in the namespace (required to discover and access the ConfigMaps)
* `patch`: Partially update ConfigMaps (used to modify RBAC policies and user accounts)
* `update`: Fully update ConfigMaps (used as an alternative to patch for modifying ConfigMaps)

Because the rule sets no `resourceNames`, it covers every ConfigMap in the `argocd` namespace, not only the two named above. Keep the Role namespaced and grant nothing beyond these four verbs.

Apply with:

```bash
kubectl apply -f role.yaml
```

### Create a RoleBinding

Bind the Role to the ServiceAccount the connector pod runs as, so the connector can use these permissions. The ServiceAccount (`baton-argo-cd` in the `argocd` namespace here) must exist, and the connector's Deployment must set it as its `serviceAccountName`:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: baton-argo-cd
  namespace: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: baton-argo-cd
subjects:
  - kind: ServiceAccount
    name: baton-argo-cd
    namespace: argocd
```

Apply with:

```bash
kubectl apply -f rolebinding.yaml
```

### Gather additional credentials

To set up the connector, you'll need:

<Steps>
  <Step>
    The username and password for your ArgoCD admin account, or for a dedicated service account you've set up.
    Make sure the account used to configure the connector has the relevant permissions:

    * To sync (read) users and roles: `get` and `list` permissions for users and roles
    * To provision (read-write) users and roles: `get` and `list` permissions for users and roles, plus `create` permission for users and `update` permission for user role assignments. The built-in `admin` role has these permissions, or you can create a custom role.
  </Step>

  <Step>
    Your ArgoCD API URL, which is the URL you use to access the ArgoCD UI.
  </Step>

  <Step>
    The `kubeconfig` path or file to connect to the cluster where ArgoCD is running.

    **The connector should be deployed in the same Kubernetes cluster as ArgoCD** (such as in the `argocd` namespace). This allows the connector to automatically use the in-cluster configuration from the pod's service account, so no `kubeconfig` file is needed in this case. If one is provided, it takes precedence over the in-cluster configuration.

    Find [more information on setting up an in-cluster configuration](https://github.com/conductorone/baton-argo-cd/blob/main/docs/docs-info.md#kubernetes-deployment-in-cluster-configuration) in the connector repo.
  </Step>

  <Step>
    (Optional) If your ArgoCD instance uses a self-signed TLS certificate, you'll need one of the following:

    * **For testing/development**: Set `BATON_INSECURE_SKIP_VERIFY=true` to skip certificate verification.
    * **For production**: Obtain the CA certificate used to sign your ArgoCD server's TLS certificate and save it as a file. You'll pass its path as `BATON_CA_CERT_PATH`.
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the ArgoCD connector

<Warning>
  **To complete this task, you'll need:**

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of ArgoCD credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    This connector does not support cloud hosting.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the ArgoCD connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [GitHub repository](https://github.com/conductorone/baton-argo-cd): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new ArgoCD connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new ArgoCD connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.
        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your ArgoCD connector deployment:

    #### Secrets configuration

    ```yaml expandable
    # baton-argo-cd-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-argo-cd-secrets
    type: Opaque
    # stringData values must be strings: quote booleans such as "true",
    # otherwise the API server rejects the manifest.
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # ArgoCD specific credentials
      BATON_USERNAME: <ArgoCD account username>
      BATON_PASSWORD: <ArgoCD account password>
      BATON_API_URL: <ArgoCD tenant API URL>

      # Optional: Include if you want C1 to provision access using this connector
      BATON_PROVISIONING: "true"

      # Optional: TLS configuration for ArgoCD servers using self-signed certificates.
      # Set only one of the two options below.
      # Use BATON_INSECURE_SKIP_VERIFY for development only (insecure)
      BATON_INSECURE_SKIP_VERIFY: "true"
      # Use BATON_CA_CERT_PATH in production to verify with a custom CA certificate;
      # the file must be mounted into the connector container at this path
      BATON_CA_CERT_PATH: <path to CA certificate file>
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable
    # baton-argo-cd.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-argo-cd
      labels:
        app: baton-argo-cd
    spec:
      selector:
        matchLabels:
          app: baton-argo-cd
      template:
        metadata:
          labels:
            app: baton-argo-cd
            # label values must be strings, so the boolean is quoted
            baton: "true"
            baton-app: argo-cd
        spec:
          # Run as the ServiceAccount bound to the Role above so the in-cluster
          # configuration carries the ConfigMap permissions. The Deployment must
          # be applied to the same namespace as that ServiceAccount (argocd).
          serviceAccountName: baton-argo-cd
          containers:
          - name: baton-argo-cd
            # Pin a specific version in production: with IfNotPresent, a cached
            # :latest image is never refreshed
            image: ghcr.io/conductorone/baton-argo-cd:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-argo-cd
            envFrom:
            - secretRef:
                name: baton-argo-cd-secrets
    ```
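As an added check (not part of this page or the connector project), the following Python re-types the Role, RoleBinding and Deployment above as dicts and verifies that the Role stays within the four documented verbs and that the binding actually reaches the ServiceAccount the pod runs as; it assumes the Deployment sets `serviceAccountName: baton-argo-cd` in the `argocd` namespace.

```python
# Verbs the page documents as required; anything beyond these is over-privilege.
ALLOWED_VERBS = {"get", "list", "patch", "update"}

# Manifests from the page re-typed as dicts (the JSON form Kubernetes also accepts).
ROLE = {
    "metadata": {"name": "baton-argo-cd", "namespace": "argocd"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"],
               "verbs": ["get", "list", "patch", "update"]}],
}
ROLEBINDING = {
    "metadata": {"name": "baton-argo-cd", "namespace": "argocd"},
    "roleRef": {"kind": "Role", "name": "baton-argo-cd"},
    "subjects": [{"kind": "ServiceAccount", "name": "baton-argo-cd",
                  "namespace": "argocd"}],
}
# Assumption: the Deployment sets serviceAccountName and lands in the argocd namespace.
DEPLOYMENT = {
    "metadata": {"name": "baton-argo-cd", "namespace": "argocd"},
    "spec": {"template": {"spec": {"serviceAccountName": "baton-argo-cd"}}},
}

def audit_role(role):
    """Flag any rule broader than read/write on core-group ConfigMaps."""
    findings = []
    for rule in role["rules"]:
        if set(rule.get("apiGroups", [])) != {""}:
            findings.append(f"unexpected apiGroups {rule.get('apiGroups')}")
        if set(rule.get("resources", [])) != {"configmaps"}:
            findings.append(f"unexpected resources {rule.get('resources')}")
        extra = set(rule.get("verbs", [])) - ALLOWED_VERBS  # a "*" wildcard is caught here too
        if extra:
            findings.append(f"excess verbs {sorted(extra)}")
    return findings

def audit_binding(role, binding, deployment):
    """Check the RoleBinding reaches the identity the connector pod runs as."""
    findings = []
    ref = binding["roleRef"]
    if ref.get("kind") != "Role" or ref.get("name") != role["metadata"]["name"]:
        findings.append("roleRef does not point at the Role")
    if binding["metadata"]["namespace"] != role["metadata"]["namespace"]:
        findings.append("RoleBinding is not in the Role's namespace")
    # Without serviceAccountName a pod runs as `default`, which the binding does not cover.
    sa = deployment["spec"]["template"]["spec"].get("serviceAccountName", "default")
    ns = deployment["metadata"].get("namespace", "default")
    subjects = {(s["kind"], s["name"], s.get("namespace")) for s in binding["subjects"]}
    if ("ServiceAccount", sa, ns) not in subjects:
        findings.append(f"pod identity system:serviceaccount:{ns}:{sa} is not a subject")
    return findings
```

An empty list from both functions means the manifests agree; after applying them, `kubectl auth can-i patch configmaps -n argocd --as=system:serviceaccount:argocd:baton-argo-cd` confirms the live binding.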

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files. The Deployment must run in the same namespace as the ServiceAccount, Role and RoleBinding created earlier (`argocd` in the examples above), and the Secret must be in the Deployment's namespace.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the ArgoCD connector to. ArgoCD data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your ArgoCD connector is now pulling access data into C1.
  </Tab>
</Tabs>
