> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Jira Cloud connector

> C1 provides identity governance for Jira Cloud. Integrate your Jira Cloud instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource         | Sync                                                          | Provision                                                     |
| :--------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Groups           | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Projects         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Project roles    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Managed accounts | <Icon icon="circle-info" />                                   |                                                               |
| Managed groups   | <Icon icon="circle-info" />                                   |                                                               |

The Jira Cloud connector supports [automatic account provisioning](/product/admin/account-provisioning).

This connector does not support account deprovisioning. You must deprovision accounts directly in Jira.

<Icon icon="circle-info" /> This connector can be configured to sync app accounts from the Jira API and managed accounts and managed groups from Atlassian.

This connector can also be configured to automatically create and update Jira tickets to track manual provisioning assignments. Go to [Configure Jira Cloud as an external ticketing provider](/product/admin/external-ticketing#configure-jira-cloud-as-an-external-ticketing-provider) to learn more.

## Known limitations

* User email is not currently synchronized
* Only lists the first 1,000 users of a project

## Gather Jira Cloud credentials

Configuring the connector requires you to pass in credentials generated in Jira Cloud. Gather these credentials before you move on.

<Warning>
  **Important**

  The Jira Cloud user account used to generate these credentials must have the following permissions:

  * View users, groups, and projects
  * View project roles
  * Manage group memberships (required if you are using the connector for provisioning)
  * Manage project role memberships (required if you are using the connector for provisioning)
  * Create issues (required if you are using the connector as an external ticketing provider)
</Warning>

### Create an API token

You can set up the connector using either a classic (unscoped) or a scoped token.

<Steps>
  <Step>
    Log into your Jira account with Administrator access.
  </Step>

  <Step>
    Navigate to [https://id.atlassian.com/manage-profile/security/api-tokens](https://id.atlassian.com/manage-profile/security/api-tokens).
  </Step>

  <Step>
    Click **Create API token**.
  </Step>

  <Step>
    Give your token a label, such as **C1**, and click **Create**.
  </Step>

  <Step>
    Carefully copy and save the newly generated API token.
  </Step>
</Steps>

### Additional credentials

To set up the connector, you'll also need:

* If using a classic token, your Jira Cloud URL in `https://your-domain.atlassian.net` format

* If using a scoped token, your cloud ID, which can be found at `https://<your-domain>.atlassian.net/_edge/tenant_info`

* The email address for your Jira Cloud account

### Optional: Create an Atlassian organization API key

If you want to set up the Jira Cloud connector to sync managed accounts and managed groups from Atlassian, you'll need to generate an Atlassian API token and look up your [Atlassian organization ID](https://confluence.atlassian.com/cloudkb/retrieve-my-atlassian-cloud-organization-s-id-1207189876.html).

<Steps>
  <Step>
    Log into [your Atlassian account](https://id.atlassian.com/manage-profile/security/api-tokens) and select your organization, if relevant.
  </Step>

  <Step>
    Navigate to **Settings** > **API keys**.
  </Step>

  <Step>
    Click **Create API key**.
  </Step>

  <Step>
    Select **API key without scopes**, then click **Create API key**.
  </Step>

  <Step>
    Review the key info and click **Create**. The new organization API key is generated.
  </Step>

  <Step>
    Carefully copy and save the **API key** and the **organization ID**.
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the Jira Cloud connector

<Warning>
  **To complete this task, you'll need:**

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Jira Cloud credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Jira Cloud** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Jira Cloud connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter your Jira Cloud domain into the **Jira site domain** field:

        * If using a classic API token without scopes, use the format `<YOUR DOMAIN>.atlassian.net`.
        * If using a token with scopes, use the format `https://api.atlassian.com/ex/jira/<cloud-id>`.
      </Step>

      <Step>
        Enter the email address for your Jira Cloud account in the **Your Jira email address** field.
      </Step>

      <Step>
        Paste the Jira API token into the **API token** field.
      </Step>

      <Step>
        **Optional.** Click to **Enable external ticket processing**.
      </Step>

      <Step>
        Click **Save**.
      </Step>
    </Steps>

    **Done.** Your Jira Cloud connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Jira connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-jira): For stable binaries (Windows/Linux/macOS) and container images.

    * [GitHub repository](https://github.com/conductorone/baton-jira): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Jira Cloud connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Jira Cloud connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.
        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Jira Cloud connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-jira-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-jira-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>
      
      # Jira Cloud credentials
      BATON_JIRA_URL: <Jira Cloud tenant URL in https://domain.atlassian.net format (unscoped token) or https://api.atlassian.com/ex/jira/<cloud-id> format (scoped token)>
      BATON_JIRA_API_TOKEN: <Jira Cloud API token>
      BATON_JIRA_EMAIL: <Email address associated with your Jira Cloud account>

      # Optional: include if you want C1 to provision access using this connector
      BATON_PROVISIONING: true

      # Optional: include if you want C1 to skip syncing customer users
      BATON_SKIP_CUSTOMER_USER: true

      # Optional: include if you want C1 to skip syncing project participants
      BATON_SKIP_PROJECT_PARTICIPANTS: true

      # Optional: include if you want C1 to sync managed accounts and managed groups from Atlassian 
      BATON_ATLASSIAN_API_TOKEN: <Atlassian API token>
      BATON_ATLASSIAN_ORGID: <Atlassian organization ID>
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-jira.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-jira
      labels:
        app: baton-jira
    spec:
      selector:
        matchLabels:
          app: baton-jira
      template:
        metadata:
          labels:
            app: baton-jira
            baton: true
            baton-app: jira
        spec:
          containers:
          - name: baton-jira
            image: ghcr.io/conductorone/baton-jira:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-jira
            envFrom:
            - secretRef:
                name: baton-jira-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Jira Cloud connector to. Jira Cloud data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Jira Cloud connector is now pulling access data into C1.
  </Tab>
</Tabs>