C1 provides identity governance and just-in-time provisioning for Snyk. Integrate your Snyk Enterprise instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
C1 currently only integrates with Snyk Enterprise. C1 can only integrate with Snyk editions that include API access. You cannot use this connector successfully with the Free or Team editions of Snyk.
Configuring the connector requires you to pass in credentials generated in Snyk. Gather these credentials before you move on.
A user with access to a service or user account in Snyk with Group Admin permissions on the Group you’re integrating must perform this task.If you want to provision invitations using C1, the account used to generate the API token must also have the org.read, org.user.read, and org.user.invite permissions.
The Connector Administrator or Super Administrator role in C1
Access to the set of Snyk credentials generated by following the instructions above
Cloud-hosted
Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for Snyk and click Add.
3
Choose how to set up the new Snyk connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Paste the API key into the API key field.
8
Paste the Group ID into the Group ID field.
9
Optional. If you want C1 to only sync access data from specific Snyk organizations, enter the organization names in the Org IDs field.If you leave this field blank, C1 will sync data from all organizations.
10
Optional. The connector uses api.snyk.io (region SNYK-US-01) by default. If your Snyk instance is hosted in any other region, please specify your hostname in the Hostname field.
11
Optional. If you want the connector to sync and provision Snyk invitations, check Enable invitations.This feature requires the org.read, org.user.read, and org.user.invite permissions on the account used to generate the API key entered above.
12
Click Save.
13
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Snyk connector is now pulling access data into C1.
Follow these instructions to use the Snyk connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
In C1, navigate to Integrations > Connectors > Add connector.
2
Search for Baton and click Add.
3
Choose how to set up the new Snyk connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
In the Settings area of the page, click Edit.
7
Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.
# baton-snyk-secrets.yamlapiVersion: v1kind: Secretmetadata: name: baton-snyk-secretstype: OpaquestringData: # C1 credentials BATON_CLIENT_ID: <C1 client ID> BATON_CLIENT_SECRET: <C1 client secret> # Snyk credentials BATON_API_TOKEN: <Snyk API token> BATON_GROUP_ID: <Snyk group ID> BATON_ORG_IDS: <Limit syncing to only the specified Snyk organizations (optional)> # Optional: include if you want C1 to provision access using this connector BATON_PROVISIONING: true # Optional: include if your Snyk instance is hosted in a region other than SNYK-US-01 BATON_SNYK_HOST_NAME: <Snyk region hostname (defaults to "api.snyk.io")> # Optional: include if you want to sync and provision invitations BATON_ENABLE_INVITATIONS: true
See the connector’s README or run --help to see all available configuration flags and environment variables.
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In C1, click Apps. On the Managed apps tab, locate and click the name of the application you added the Snyk connector to. Snyk data should be found on the Entitlements and Accounts tabs.
That’s it! Your Snyk connector is now pulling access data into C1.
