> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a Wiz connector
> C1 provides identity governance for Wiz. Integrate your Wiz instance with C1 to run user access reviews (UARs) and gain visibility into cloud security access.
**This connector is in beta.** This means it's undergoing ongoing testing and development while we gather feedback, validate functionality, and improve stability. Beta connectors are generally stable, but they may have limited feature support, incomplete error handling, or occasional issues.
We recommend closely monitoring workflows that use this connector and contacting our Support team with any issues or feedback.
**There are TWO Wiz connectors.** The instructions below set up the Wiz IAM connector, which syncs users, roles, and projects from Wiz so that you can review and manage access.
There is also a [Wiz Insights connector](https://www.conductorone.com/docs/baton/wiz-insights) that syncs security issues from Wiz as [external insights](https://www.conductorone.com/docs/product/admin/external-insights), surfacing identity risk scores alongside access decisions in C1.
## Capabilities
| Resource | Sync | Provision |
| :------- | :------------------------------------------------------------ | :-------- |
| Accounts | | |
| Projects | | |
| Roles | | |
## Gather Wiz credentials
To configure the Wiz connector, you need administrator permissions in Wiz to create a service account with API access.
Log in to your Wiz account and navigate to **Settings** > **Service Accounts**.
Create a new service account with the following scopes:
* `read:users` - Syncs user accounts and role assignments
* `read:projects` - Syncs project membership
Copy and save the **Client ID** and **Client Secret** securely.
Note your region-specific API endpoints:
* **API URL**: Your Wiz GraphQL API endpoint (e.g., `https://api.us17.app.wiz.io/graphql`)
* **Auth endpoint**: Your OAuth2 token endpoint (e.g., `https://auth.app.wiz.io/oauth/token`)
For more information, see [Wiz documentation on service accounts](https://docs.wiz.io/wiz-docs/docs/set-up-wiz-service-accounts).
## Configure the Wiz connector
Follow these instructions to use a built-in, no-code connector hosted by C1.
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Wiz** and click **Add**.
Choose how to set up the new Wiz connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that are not yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Enter the required configuration:
* **Wiz API URL** (required): The Wiz GraphQL API endpoint for your region
* **Client ID** (required): OAuth2 client ID from your Wiz service account
* **Client Secret** (required): OAuth2 client secret from your Wiz service account
* **Auth Endpoint** (required): OAuth2 token endpoint for authentication
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Wiz connector is now pulling access data into C1.
Follow these instructions to use the [Wiz](https://github.com/conductorone/baton-wiz-win) connector, hosted and run in your own environment.
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Step 1: Set up a new Wiz connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Wiz connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that are not yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. They are used in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Wiz connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-wiz-win-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-wiz-win-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Wiz credentials
BATON_WIZ_API_URL:
BATON_WIZ_CLIENT_ID:
BATON_WIZ_CLIENT_SECRET:
BATON_WIZ_AUTH_ENDPOINT:
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-wiz-win.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-wiz-win
labels:
app: baton-wiz-win
spec:
selector:
matchLabels:
app: baton-wiz-win
template:
metadata:
labels:
app: baton-wiz-win
baton: true
baton-app: wiz-win
spec:
containers:
- name: baton-wiz-win
image: ghcr.io/conductorone/baton-wiz-win:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-wiz-win
envFrom:
- secretRef:
name: baton-wiz-win-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Wiz connector to. Wiz data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Wiz connector is now pulling access data into C1.