> ## Documentation Index > Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt > Use this file to discover all available pages before exploring further. # Set up a Tailscale connector > C1 provides identity governance and just-in-time provisioning for Tailscale. Integrate your Tailscale instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access. **This is an updated and improved version of the Tailscale connector!** If you're setting up Tailscale with C1 for the first time, you're in the right place. ## Capabilities | Resource | Sync | Provision | | --------- | ------------------------------------------------------------- | ------------------------------------------------------------- | | Accounts | | | | Roles | | | | Devices | | | | Invites | | | | Groups | | | | ACL rules | | | | SSH rules | | | ## Gather Tailscale credentials Configuring the connector requires you to pass in credentials generated in Tailscale. Gather these credentials before you move on. A user with the **Admin** role in Tailscale must perform this task. Choose one of the following authentication methods: OAuth client credentials provide more granular control over permissions and are the recommended authentication method. Log into Tailscale as an Admin user and click **Settings**. Click **Trust Credentials**. Click **+ Credentials**. A modal opens to create new OAuth credentials. Enter a **Description** for these credentials (for example, "C1 connector"). Configure the scopes: * Click the dropdown next to **Scopes** and select **All - Read**. * If you want to enable provisioning with this connector, also enable **Write** for the following scopes: * Policy File * Users * Posture Attributes Click **Save**. The Client ID and Client Secret are displayed. Copy and save both the **Client ID** and **Client Secret**. Store them securely—you'll need both to set up the connector. Log into Tailscale as an Admin user and click **Settings**. Click **Keys**. Click **Generate API key**. A **Generated new key** window opens showing the full value of the newly created key. Copy and save the API key. **Done.** Next, move on to the connector configuration instructions. ## Configure the Tailscale connector To complete this task, you'll need: * The **Connector Administrator** or **Super Administrator** role in C1 * Access to the set of Tailscale credentials generated by following the instructions above **Follow these instructions to use a built-in, no-code connector hosted by C1.** In C1, navigate to **Integrations** > **Connectors** and click **Add connector**. Search for **Tailscale v2** and click **Add**. Choose how to set up the new Tailscale connector: * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1) * Add the connector to a managed app (select from the list of existing managed apps) * Create a new managed app Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed. If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process. Click **Next**. Find the **Settings** area of the page and click **Edit**. Select your authentication method: * **OAuth Client Credentials**: Enter the **Client ID** and **Client Secret** you generated in Tailscale. * **API Key**: Enter the **Tailscale API key** you generated. In the **Tailnet** field, enter the name of your Tailscale network. Find the name of your Tailnet in the top left corner of the Tailscale Admin Panel, next to the Tailscale logo. Click **Save**. The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing. **Done.** Your Tailscale connector is now pulling access data into C1. **Follow these instructions to use the Tailscale connector, hosted and run in your own environment.** When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests. ### Resources * [Official download center](https://dist.conductorone.com/ConductorOne/baton-tailscale): For stable binaries (Windows/Linux/macOS) and container images. ### Step 1: Set up a new Tailscale connector In C1, navigate to **Integrations** > **Connectors** > **Add connector**. Search for **Baton** and click **Add**. Choose how to set up the new Tailscale connector: * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1) * Add the connector to a managed app (select from the list of existing managed apps) * Create a new managed app Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed. If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process. Click **Next**. In the **Settings** area of the page, click **Edit**. Click **Rotate** to generate a new Client ID and Secret. Carefully copy and save these credentials. We'll use them in Step 2. ### Step 2: Create Kubernetes configuration files Create two Kubernetes manifest files for your Tailscale connector deployment: #### Secrets configuration Choose either OAuth client credentials or an API key for Tailscale authentication. **Option 1: OAuth client credentials** ```yaml theme={"theme":{"light":"css-variables","dark":"css-variables"}} # baton-tailscale-secrets.yaml apiVersion: v1 kind: Secret metadata: name: baton-tailscale-secrets type: Opaque stringData: # C1 credentials BATON_CLIENT_ID: BATON_CLIENT_SECRET: # Tailscale OAuth credentials BATON_AUTH_METHOD: oauth-client-credentials-flow-group BATON_TAILSCALE_CLIENT_ID: BATON_TAILSCALE_CLIENT_SECRET: BATON_TAILNET: # Optional: include if you want C1 to provision access using this connector BATON_PROVISIONING: true ``` **Option 2: API key** ```yaml theme={"theme":{"light":"css-variables","dark":"css-variables"}} # baton-tailscale-secrets.yaml apiVersion: v1 kind: Secret metadata: name: baton-tailscale-secrets type: Opaque stringData: # C1 credentials BATON_CLIENT_ID: BATON_CLIENT_SECRET: # Tailscale credentials BATON_API_KEY: BATON_TAILNET: ``` See the connector's README or run `--help` to see all available configuration flags and environment variables. #### Deployment configuration ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}} # baton-tailscale.yaml apiVersion: apps/v1 kind: Deployment metadata: name: baton-tailscale labels: app: baton-tailscale spec: selector: matchLabels: app: baton-tailscale template: metadata: labels: app: baton-tailscale baton: true baton-app: tailscale spec: containers: - name: baton-tailscale image: ghcr.io/conductorone/baton-tailscale:latest imagePullPolicy: IfNotPresent env: - name: BATON_HOST_ID value: baton-tailscale envFrom: - secretRef: name: baton-tailscale-secrets ``` ### Step 3: Deploy the connector Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files. Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Tailscale connector to. Tailscale data should be found on the **Entitlements** and **Accounts** tabs. **Done.** Your Tailscale connector is now pulling access data into C1.