# Set up a Treasure AI connector

> C1 provides identity governance and just-in-time provisioning for Treasure AI. Integrate your Treasure AI instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

## Capabilities

The Treasure AI connector syncs the following resources from **Treasure AI CDP** (REST API v3):

| Resource      | Sync                                                          | Provision                                                                  |
| :------------ | :------------------------------------------------------------ | :------------------------------------------------------------------------- |
| Users         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | Delete <Icon icon="square-check" iconType="solid" color="#c937ae" />       |
| Roles         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-xmark" iconType="solid" color="#999999" />              |
| Policies      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | Grant/Revoke <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Policy Groups | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | Grant/Revoke <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

* **Users**: All Treasure AI users with email, name, and admin status. Delete user supported.
* **Roles**: Account roles derived from the `administrator` field (Admin or User). Read-only — roles are determined when a user is created in the Treasure AI Console and cannot be granted or revoked via the API. Role membership is not tracked as grants in the sync bundle.
* **Policies**: Access control policies defining fine-grained permissions on databases, workflows, segments, etc. Only available when PBAC (Policy-Based Access Control) is enabled.
* **Policy Groups**: Delegated access groups that associate users and policies. Only available when PBAC is enabled.

### PBAC configuration

Policies and Policy Groups require the PBAC paid add-on. These resources are opt-in and can be enabled from the C1 connector settings. Without opt-in, only Users and Roles are synced.

**Required permissions by resource type:**

| Resource      | Requirements                                    |
| :------------ | :---------------------------------------------- |
| Users         | Master API Key                                  |
| Roles         | Master API Key                                  |
| Policies      | Master API Key + PBAC paid add-on               |
| Policy Groups | Master API Key + PBAC + Delegated Admin feature |

<Note>
  Grant and revoke operations for Policy Groups replace the entire member list for a group. The connector reads current membership before writing to preserve existing members not involved in the operation.
</Note>
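The read-then-write sequence described in the note above, as an added example that is not the connector's own code. `groupStore` and its `replaceMembers` call are a hypothetical in-memory stand-in for an API that overwrites a group's whole member list, and the group and member names are constructed sample data.

```go
package main

import "fmt"

// groupStore is a hypothetical stand-in for an API whose update call
// replaces a policy group's entire member list (not the Treasure AI client).
type groupStore map[string][]string

func (s groupStore) replaceMembers(group string, members []string) { s[group] = members }

// nextMembers returns the full list to write back after granting (add=true)
// or revoking userID. The bool is false when the group is already in the
// desired state, so the write can be skipped.
func nextMembers(current []string, userID string, add bool) ([]string, bool) {
	out := make([]string, 0, len(current)+1)
	present := false
	for _, m := range current {
		if m == userID {
			present = true
			if !add {
				continue // revoke: drop only this member, keep everyone else
			}
		}
		out = append(out, m)
	}
	if add && !present {
		out = append(out, userID)
	}
	return out, add != present
}

// apply reads current membership, computes the new list, and writes it back
// only when something changed.
func apply(s groupStore, group, userID string, add bool) bool {
	next, changed := nextMembers(s[group], userID, add)
	if changed {
		s.replaceMembers(group, next)
	}
	return changed
}

func main() {
	s := groupStore{"analysts": {"alice", "bob"}} // constructed sample data
	fmt.Println(apply(s, "analysts", "carol", true), s["analysts"])  // true [alice bob carol]
	fmt.Println(apply(s, "analysts", "carol", true), s["analysts"])  // false [alice bob carol]
	fmt.Println(apply(s, "analysts", "alice", false), s["analysts"]) // true [bob carol]
}
```

Writing only the affected user to `replaceMembers` would remove every other member of the group, which is why the current list is read first.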

## Gather Treasure AI credentials

<Warning>
  To configure the Treasure AI connector, you need a **Master API key** from a
  user with sufficient permissions to read access control data.
</Warning>

<Steps>
  <Step>
    Log in to the [Treasure AI Console](https://console.treasuredata.com).
  </Step>

  <Step>
    Navigate to **My Settings** > **API Keys**.
  </Step>

  <Step>
    Copy your **Master API key**.

    For production use, we recommend creating a dedicated service user (for example, `c1-service@your-domain.com`) with read-only access to:

    * Access control APIs (users, policies, policy groups, permissions)
    * User and account metadata

    Generate a Master API key for that service user.
  </Step>

  <Step>
    Determine your **region endpoint**:

    | Region       | Base URL                            |
    | :----------- | :---------------------------------- |
    | US (default) | `https://api.treasuredata.com`      |
    | EU           | `https://api.eu01.treasuredata.com` |
    | Japan        | `https://api.treasuredata.co.jp`    |
    | Korea        | `https://api.ap02.treasuredata.com` |
  </Step>

  <Step>
    If your account has IP allowlisting enabled, add C1's egress IP range(s) to the allowlist for the service user.
  </Step>
</Steps>

## Configure the Treasure AI connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Treasure AI** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Treasure AI connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the required configuration:

        * **API Key**: Your Treasure AI Master API key (TD1 scheme).
        * **Base URL** (optional): API base URL for your region. Defaults to `https://api.treasuredata.com` (US). Set to `https://api.eu01.treasuredata.com` for EU, `https://api.treasuredata.co.jp` for Japan, or `https://api.ap02.treasuredata.com` for Korea.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Treasure AI connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to use the [Treasure AI](https://github.com/conductorone/baton-treasure-data) connector, hosted and run in your own environment.

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.

    ### Step 1: Set up a new Treasure AI connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Treasure AI connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Treasure AI connector deployment:

    #### Secrets configuration

    ```yaml expandable
    # baton-treasure-data-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-treasure-data-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Treasure AI credentials
      BATON_TREASURE_DATA_API_KEY: <Treasure AI Master API key>
      BATON_TREASURE_DATA_BASE_URL: <API base URL, for example https://api.treasuredata.com>

      # Optional: include if you want C1 to provision access using this connector.
      # stringData values must be strings, so the boolean is quoted.
      BATON_PROVISIONING: "true"

      # Optional: restrict which resource types are synced.
      # Use this if your account has PBAC but not Delegated Admin
      # (to exclude Policy Groups). Example: user,role,policy
      # BATON_SYNC_RESOURCE_TYPES: user,role,policy
    ```

    #### Deployment configuration

    ```yaml expandable
    # baton-treasure-data.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-treasure-data
      labels:
        app: baton-treasure-data
    spec:
      selector:
        matchLabels:
          app: baton-treasure-data
      template:
        metadata:
          labels:
            app: baton-treasure-data
            baton: "true"
            baton-app: treasure-data
        spec:
          containers:
          - name: baton-treasure-data
            # In production, replace :latest with a specific release tag or image digest.
            image: public.ecr.aws/conductorone/baton-treasure-data:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-treasure-data
            envFrom:
            - secretRef:
                name: baton-treasure-data-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Treasure AI connector to. Treasure AI data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Treasure AI connector is now pulling access data into C1.
  </Tab>
</Tabs>

***

<Tip>
  All versions of this connector are available at
  [dist.conductorone.com](https://dist.conductorone.com/ConductorOne/baton-treasure-data).
</Tip>
