Set up a VGS connector

Capabilities

Resource	Sync	Provision
Users
Invitations		**
Organizations		*
Vaults
Service Accounts

*Organization provisioning supports updating a user’s role (user or admin). Revoking a user’s organization membership entitlement is not supported via Revoke — to remove a user from an organization, use Delete Resource (CAPABILITY_RESOURCE_DELETE) instead. **Account provisioning uses an invite-based flow. Invitations expire after 7 days. The VGS connector supports automatic account provisioning and deprovisioning for vault access.

Gather VGS credentials

Configuring the connector requires a VGS service account and your organization ID. Gather these before moving on.

A user with admin access to your VGS organization must perform this task.

Find your Organization ID

Sign into the VGS Dashboard.

Navigate to Organization Settings.

Copy and save the Organization ID (format: ACxxxxxxxxxxxxxxxxxxxxxxxx).

Create a service account

Dashboard (UI)
CLI

Sign into the VGS Dashboard with an admin user.

In the top-left corner, click your organization name and select Manage.

Under Organization Settings, select the Service Accounts tab.

Click Create New.

Enter a name for the service account, such as c1integration.

Select all vaults.

Add the required scopes:For syncing only:

organizations:read
vaults:read
organization-users:read

To also enable provisioning add:

organization-users:write

Click Create. Carefully copy and save the Client ID and Client Secret that are displayed. These credentials are shown only once.

Follow the VGS CLI getting started guide to install the CLI first.

Authenticate with the VGS CLI:

vgs login

Create a service account manifest. Save it as c1-service-account.yaml:For syncing only:

name: c1integration
scopes:
  - organizations:read
  - vaults:read
  - organization-users:read

To also enable provisioning (granting/revoking vault access and updating org roles), add:

name: c1integration
scopes:
  - organizations:read
  - vaults:read
  - organization-users:read
  - organization-users:write

Apply the manifest to your organization:

vgs apply service-account -O <YOUR_ORG_ID> -f c1-service-account.yaml

The CLI outputs the service account credentials. Carefully copy and save the Client ID and Client Secret. These are shown only once.

Service accounts have an email in the format clientId@vgs.dev. These accounts appear in vault member lists but are automatically excluded from synced user resources in C1.

That’s it! Next, move on to the connector configuration instructions.

Configure the VGS connector

To complete this task, you’ll need:

The Connector Administrator or Super Administrator role in C1
The service account Client ID and Client Secret from the steps above
Your VGS Organization ID

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by C1.

In C1, navigate to Integrations > Connectors and click Add connector.

Search for VGS and click Add.

Choose how to set up the new VGS connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.

Click Next.

Find the Settings area of the page and click Edit.

Enter your service account credentials and organization ID:

Service Account Client ID: the client ID from the service account you created
Service Account Client Secret: the client secret from the service account you created
Organization ID: your VGS organization ID

Click Save.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your VGS connector is now pulling access data into C1.

Follow these instructions to use the VGS connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

Resources

Official download center: For stable binaries (Windows/Linux/macOS) and container images.
GitHub repository: Access the source code, report issues, or contribute to the project.

Step 1: Set up a new VGS connector

In C1, navigate to Integrations > Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new VGS connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Click Next.

In the Settings area of the page, click Edit.

Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your VGS connector deployment:

Secrets configuration

# baton-vgs-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-vgs-secrets
type: Opaque
stringData:
  # C1 credentials
  BATON_CLIENT_ID: <C1 client ID>
  BATON_CLIENT_SECRET: <C1 client secret>

  # VGS service account credentials
  BATON_SERVICE_ACCOUNT_CLIENT_ID: <VGS service account client ID>
  BATON_SERVICE_ACCOUNT_CLIENT_SECRET: <VGS service account client secret>
  BATON_ORGANIZATION_ID: <VGS organization ID>

  # Optional: include if you want C1 to provision access using this connector
  # Requires organization-users:write scope on the service account
  BATON_PROVISIONING: "true"

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-vgs.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-vgs
  labels:
    app: baton-vgs
spec:
  selector:
    matchLabels:
      app: baton-vgs
  template:
    metadata:
      labels:
        app: baton-vgs
        baton: true
        baton-app: vgs
    spec:
      containers:
      - name: baton-vgs
        image: ghcr.io/conductorone/baton-vgs:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-vgs
        envFrom:
        - secretRef:
            name: baton-vgs-secrets

Step 3: Deploy the connector

Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In C1, click Apps. On the Managed apps tab, locate and click the name of the application you added the VGS connector to. VGS data should be found on the Entitlements and Accounts tabs.

That’s it! Your VGS connector is now pulling access data into C1.

​Capabilities

​Gather VGS credentials

​Find your Organization ID

​Create a service account

​Configure the VGS connector

​Resources

​Step 1: Set up a new VGS connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration

​Deployment configuration

​Step 3: Deploy the connector

Capabilities

Gather VGS credentials

Find your Organization ID

Create a service account

Configure the VGS connector

Resources

Step 1: Set up a new VGS connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector