Create an integration to manage access to an Elasticsearch instance
Elasticsearch is a distributed, RESTful search and analytics engine used to store, index, and analyze large volumes of data in real time. By integrating Elasticsearch with Apono, you can enable temporary access to Elasticsearch for developers, data engineers, and operations teams without compromising security.
This integration allows Apono to manage just-in-time access to your Elasticsearch indices by authenticating through a connector user with scoped privileges.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Elasticsearch. The Connect integration page appears.
Under Discovery, select one or more resources to connect to Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Now that the integration is complete, you can add Elasticsearch to define the resources in an access flow. This allows requesters to access Elasticsearch indices securely based on your approval and provisioning rules.
Follow the guidance in these articles to define the resource using Elastic Cloud:
Click Next. The Secret Store section expands.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Elasticsearch role
Create a role for the Apono connector with the following privileges.
Elasticsearch user
Create a user for the Apono connector and assign the role above
Elasticsearch endpoint
Unique URL for your Elasticsearch deployment
Learn how to access the Elasticsearch endpoint.
NOTE: For Elastic Cloud users, the endpoint can be found in the Deployments tab of your Elastic Cloud console.
Apono connector
On-prem connection serving as a bridge between a MySQL instance and Apono:
Learn how to update an existing AWS, Azure, GCP, or Kubernetes connector.
Apono HTTP proxy
Authorization controls to manage Elasticsearch
The default Elasticsearch capabilities do not include authorization controls, and therefore neither does the API. When integrating with Apono using the HTTP Proxy, you will be able to manage access to Elasticsearch using Apono Access Flows.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
URL
Unique URL for your Elasticsearch deployment
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated
Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
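A drift check for the Elasticsearch connector role defined on this page (cluster monitor and manage_security, monitor on all indices), as an added example rather than Apono's own code. It assumes the role body has the shape returned by Elasticsearch's GET _security/role API; the role name apono_connector_role and the sample response are constructed for illustration.

```python
"""Added example: flag drift between an Elasticsearch role and the
connector baseline documented on this page."""

# Baseline: the role definition given on this page for the Apono connector.
BASELINE = {
    "cluster": ["monitor", "manage_security"],
    "indices": [{"names": ["*"], "privileges": ["monitor"]}],
}


def index_grants(role):
    """Flatten a role's index entries into (index pattern, privilege) pairs."""
    return {
        (name, priv)
        for entry in role.get("indices", [])
        for name in entry.get("names", [])
        for priv in entry.get("privileges", [])
    }


def audit_role(role, baseline=BASELINE):
    """Return a list of (kind, detail) findings; an empty list means no drift.

    The comparison is an exact match. It does not resolve implied
    privileges (for example, "all" implying "monitor"), so a broader
    grant is reported as both an excess and a missing entry.
    """
    findings = []

    have, want = set(role.get("cluster", [])), set(baseline["cluster"])
    findings += [("excess", f"cluster:{p}") for p in sorted(have - want)]
    findings += [("missing", f"cluster:{p}") for p in sorted(want - have)]

    have, want = index_grants(role), index_grants(baseline)
    findings += [("excess", f"indices:{n}:{p}") for n, p in sorted(have - want)]
    findings += [("missing", f"indices:{n}:{p}") for n, p in sorted(want - have)]

    # Fields outside the baseline that widen what the connector user can do.
    for entry in role.get("indices", []):
        if entry.get("allow_restricted_indices"):
            names = ",".join(entry.get("names", []))
            findings.append(("excess", f"allow_restricted_indices:{names}"))
    for user in role.get("run_as", []):
        findings.append(("excess", f"run_as:{user}"))
    for app in role.get("applications", []):
        findings.append(("excess", f"application:{app.get('application')}"))
    return findings


def audit_response(response):
    """Audit every role in a GET _security/role style response body."""
    return {name: audit_role(body) for name, body in response.items()}


# Constructed sample response (not captured from a real cluster). The role
# name is hypothetical; the two extra grants illustrate drift.
SAMPLE_RESPONSE = {
    "apono_connector_role": {
        "cluster": ["monitor", "manage_security", "manage_ilm"],
        "indices": [
            {"names": ["*"], "privileges": ["monitor"],
             "allow_restricted_indices": False},
            {"names": ["logs-*"], "privileges": ["read"],
             "allow_restricted_indices": False},
        ],
        "applications": [],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {"enabled": True},
    }
}

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(name, "OK" if not findings else findings)
```

Running the check on a schedule against the live role gives an early signal if the connector's privileges are widened beyond what the integration needs.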
{
  "cluster": [ "monitor", "manage_security" ],
  "indices": [
    {
      "names": [ "*" ],
      "privileges": [ "monitor" ]
    }
  ]
}
Create an integration to manage access to a Redis Cloud instance
Redis Cloud is a fully managed, in-memory data store that functions as a database, cache, and message broker. With features such as data persistence, replication, and clustering, Redis Cloud provides high availability and fault tolerance, seamless scalability, and automated maintenance for optimal performance and reliability.
Through this integration, Apono helps you securely manage access to your Redis Cloud instance.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Redis Cloud (Redislabs). The Connect Integration page appears.
Under Discovery, select one or multiple resource types for Apono to discover in all instances of the environment.
Click Next. The Apono connector section expands.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your Redis Cloud instance.
Create an integration to manage access to a Microsoft SQL Server database
Microsoft SQL Server is a reliable and secure relational database management system. It can be used as the main data store for various applications, websites, and products.
Microsoft enables developers to create cloud-hosted SQL Server databases.
Through this integration, Apono helps you securely manage access to your Microsoft SQL Server database.
Create an integration to manage access to a Vertica database
Vertica is a scalable and high-performance analytics database optimized for fast querying and analysis of large datasets. It delivers speed and flexibility for business intelligence and data warehousing applications.
Through this integration, Apono helps you securely manage access to your Vertica database and just-in-time (JIT) access to built-in and custom roles.
Create an integration to manage access to a RabbitMQ instance
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated
Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Redis Cloud API
REST API for managing Redis Cloud programmatically
Enable the Redis Cloud API for your account.
Redis API credentials
Credentials used to authenticate a Redis REST API request:
These credentials are required for creating the Apono Secret in the next row.
Apono Secret
Value generated with the credentials of the user you create
Create your secret based on your Redis Cloud API account key and user key:
"api_key": <ACCOUNT_KEY>
"secret_key": <USER_KEY>
Apono does not store credentials. The Apono Connector uses the secret to communicate with services in your environment and separate the Apono web app from the environment for maximal security.
Apono Connector
On-prem connection serving as a bridge between a Redis Cloud instance and Apono:
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Apono Connector
On-prem connection serving as a bridge between a Microsoft SQL Server database instance and Apono:
Microsoft SQL Server Info
Information for the database instance to be integrated:
Hostname
Port number
You must create a user in your Microsoft SQL Server instance for the Apono connector.
Use the following steps to create a user and grant it permissions to your databases:
In your preferred client tool, create a new user. Use apono_connector or another name of your choosing for the username. Be sure to set a strong password for the user.
The password must be a minimum of 8 characters and include characters from at least three of these four categories:
Uppercase letters
Lowercase letters
Digits (0-9)
Symbols
Grant the following access to the user. These permissions allow Apono to view database names, modify login information, grant administrative-level access, manage server-level roles, and perform instance-level configuration tasks.
Using the credentials from step 1, create a secret for the database instance.
You can now integrate Microsoft SQL Server.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Microsoft SQL Server. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname
Click Next. The Secret Store section expands.
Associate the .
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your Microsoft SQL Server database.
Apono Connector
On-prem connection serving as a bridge between a Vertica database instance and Apono:
Vertica Information
Information for the database instance to be integrated:
Hostname
Port number
Database name
You must create a user in your Vertica database instance for the Apono connector and grant that user permissions to the database resources.
Follow these steps to create a user and grant it permissions:
In your preferred client tool, create a new user. Be sure to set a strong password for the user.
Grant the pseudosuperuser role to the user. This allows Apono to create or drop tables and manage user roles and permissions within the Vertica database.
Using the credentials from step 1, create a secret for the database instance.
You can now integrate your Vertica database.
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Vertica Database. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname
Click Next. The Secret Store section expands.
.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your Vertica database.
RabbitMQ Admin Access
User account with admin permissions to create a new user
Follow these steps to create a dedicated user for Apono:
In the RabbitMQ Management portal, on the Admin tab, under Add a user, enter a Username such as apono_connector.
Set a strong Password. Be sure to save this password to create a secret later.
For Tags, click Admin to assign administrative privileges to the user.
Click Add user.
Copy the URL of the page without the path for use during the integration.
Create a secret with the credentials from steps 1-2.
Use the following key-value pair structure when generating the secret. Be sure to replace #PASSWORD with the actual value. If you used a different name for the user, replace apono_connector with the name you assigned to the user.
You can now integrate RabbitMQ.
You can also use the steps below to integrate with Apono using Terraform. In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click RabbitMQ. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify the integration when constructing an access flow
Url
Click Next. The Secret Store section expands.
.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your RabbitMQ instance.
Create an integration to manage access to Databricks resources
Apono enables you to automate and control access to Databricks by dynamically managing group memberships through just-in-time access flows. This ensures that data analysts, data scientists, and engineers receive only the temporary, task-based access they need to work with sensitive datasets.
With Apono’s Databricks integration, you can streamline access requests, approvals, and lifecycle management for Databricks groups:
Enable self-service access requests by controlling resource access through Databricks group memberships
Enforce zero standing privileges by automatically revoking expired access
Discover and manage permissions across Databricks groups
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Databricks. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Now that you have completed this integration, you can create access flows that manage Databricks group memberships to control access to resources.
Streamline just-in-time access to Elastic Cloud resources via Apono
Elastic Cloud is a fully managed Elasticsearch service that allows organizations to deploy, search, and analyze data in real time. Integrating Elastic Cloud with Apono enables automated just-in-time access to Elastic Cloud resources based on request workflows and time-bound policies. This approach ensures secure access provisioning while enforcing least-privilege principles.
This guide explains how to integrate Elastic Cloud with Apono’s UI.
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Elastic Cloud. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Now that the integration is complete, you can add Elastic Cloud to define the resources in an access flow. This allows requesters to access Elastic Cloud resources securely based on your approval and provisioning rules.
Follow the guidance in these articles to define the resource using Elastic Cloud:
Create an integration to manage access to an OpenSearch Integration instance.
OpenSearch is an open-source search and analytics suite, maintained by Amazon Web Services (AWS).
Through this integration, Apono helps you discover your OpenSearch Integration resources and securely manage access to the index and roles through your OpenSearch Integration instance.
-- Microsoft SQL Server: create the connector login and grant it server-level access.
-- Replace 'password' with a strong password.
CREATE LOGIN apono_connector WITH PASSWORD = 'password';
GRANT VIEW ANY DATABASE TO apono_connector;
USE master; GRANT ALTER ANY LOGIN TO apono_connector;
USE master; GRANT CONTROL SERVER TO apono_connector;
USE master; ALTER SERVER ROLE securityadmin ADD MEMBER apono_connector;
USE master; ALTER SERVER ROLE serveradmin ADD MEMBER apono_connector;

-- Vertica: create the connector user and grant it the pseudosuperuser role.
-- Replace 'password' with a strong password.
CREATE USER apono_connector IDENTIFIED BY 'password';
GRANT pseudosuperuser TO apono_connector;
ALTER USER apono_connector DEFAULT ROLE pseudosuperuser;

"username": "apono_connector",
"password": "#PASSWORD"

Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
URL for the RabbitMQ Management Console, excluding the path
You may optionally include the protocol (https:// or http://).
Example: https://b-1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p.mq.us-east-1.amazonaws.com
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Hostname of the Microsoft SQL Server instance to connect
Port
Port value for the instance
By default, Apono sets this value to 1433.
Database Name
Name of the database
By default, Apono sets this value to master.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated
Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.

Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Hostname of the Vertica database instance to connect
Port
Port value for the instance
By default, Apono sets this value to 5433.
Database Name
Name of the database
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated
Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.

Resource Owner
Account Id
Unique identifier for the Databricks account
Click Next. The Secret Store section expands.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono connector
On-prem connection serving as a bridge between a Databricks instance and Apono:
Learn how to update an existing AWS, Azure, GCP, or Kubernetes connector.
Databricks account management URL
Accounts Management URL
Example: https://accounts.cloud.databricks.com
Databricks account ID
Unique identifier for the Databricks account
Follow these steps:
In your account management console, click your profile icon.
Copy the Account ID under your email.
Service principal
Account for the Apono integration with admin privileges
Follow these steps:
In your account management console, click your workspace > Manage account. A new page opens.
From the side navigation, click User management. The User management page opens.
On the Service principals tab, click Add service principal. The Add service principal popup window appears.
Enter the New service principal display name.
Click Add service principal. The principal is created and added to the list of principals.
Click the name of the principal.
On the Roles tab, click the Account Admin toggle to ON.
Grant principal access:
On the Permissions tab, click Grant access. The Grant access to others pop-up window appears.
From the User, Group or Service Principal dropdown menu, select the principal.
From the Permission dropdown menu, select
Databricks credentials
Client ID and secret used to securely authenticate the service principal
Follow these steps:
On the Credentials & secrets tab of the service principal, click Generate secret. The Generate OAuth secret popup window opens.
Enter the Lifetime (days) duration of the secret.
Click Generate. The Generate OAuth secret popup window is replaced by the Generate secret popup window.
Copy the Secret and Client ID.
based on your secret and client ID key:
"client_id": "<DATABRICKS_CLIENT_ID>",
"client_secret": "<DATABRICKS_SECRET>"
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Databricks Accounts URL
Accounts Management URL
Example: https://accounts.cloud.databricks.com
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Next. The Secret Store section expands.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Elastic Cloud API key
Unique key generated in Elastic Cloud to authenticate connection with Apono
Learn how to generate an API key with Elastic Cloud.
NOTE: For the key to authenticate an integration with Apono, you must provision it with the Organization owner role.
Elastic organization ID
Unique identifier for your Elastic Cloud organization
Apono connector
On-prem connection serving as a bridge between your Elastic Cloud instance and Apono:
Learn how to update an existing AWS, Azure, GCP, or Kubernetes connector.
Apono secret
Value generated with the credentials of the user you create
Create your secret based on your Elastic Cloud API account key and user key:
"api_key": <ELASTIC_API_KEY>
Apono does not store credentials. The Apono Connector uses the secret to communicate with services in your environment and separate the Apono web app from the environment for maximal security.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Organization ID
Unique identifier for your Elastic Cloud organization
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
MySQL Information
Information for the database instance to be integrated:
Hostname
Port
You must create a user in your MySQL instance for the Apono connector and grant that user permissions to your databases.
Follow these steps to create a user and grant it database permissions:
In your MySQL client tool, create a new user. Use apono_connector or another name of your choosing for the username. Be sure to set a strong password for the user.
Grant the following access to the user. These permissions allow the connector to list databases, manage users, update internal tables, monitor sessions, reload privileges, and handle connection-related operations.
If the Apono integration needs to manage MySQL users who have the SYSTEM_USER privilege, you must also grant SYSTEM_USER to the Apono connector user.
Without this permission, operations such as granting roles or modifying such users will fail with an Access denied error.
Grant the user only one of the following sets of permissions. The chosen set defines the highest level of permissions to provision with Apono. Click on each tab to reveal the SQL commands.
Allows Apono to read data from databases
Allows Apono to read and modify data
Allows Apono administrative-level access, including the ability to execute and drop tables
(MySQL 8.0+) Grant the user the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.
Create a secret with the credentials from step 1.
Use the following key-value pair structure when generating the secret. Be sure to replace #PASSWORD with the actual value. If you used a different name for the user, replace apono-connector with the name you assigned to the user.
You can also input the user credentials directly into the Apono UI during the integration process.
You can now integrate your MySQL database.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click MySQL. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
Click Next. The Apono connector section appears.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify the integration when constructing an access flow
Hostname
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your MySQL database.
Apono Connector
On-prem connection serving as a bridge between a MySQL instance and Apono:
You must create a user in your MariaDB instance for the Apono connector and grant that user permissions to your databases.
Follow these steps to create a user and grant it permissions:
In your preferred client tool, create a new user. Use apono_connector or another name of your choosing for the username. Be sure to set a strong password for the user.
Grant the following access to the user. These permissions allow the connector to list databases, manage users, update internal tables, monitor sessions, reload privileges, and handle connection-related operations.
Grant the user only one of the following sets of permissions. The chosen set defines the highest level of permissions to provision with Apono. Click on each tab to reveal the SQL commands.
Allows Apono to read data from databases
Allows Apono to read and modify data
Allows Apono administrative-level access, including the ability to execute and drop tables
Create a secret with the credentials from step 1.
Use the following key-value pair structure when generating the secret. Be sure to replace #PASSWORD with the actual value. If you used a different name for the user, replace apono-connector with the name you assigned to the user.
You can also input the user credentials directly into the Apono UI during the integration process.
You can now integrate your MariaDB database.
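The MySQL and MariaDB prerequisites above both say to grant the connector user only one of three permission sets. The following added example (not Apono's code) parses `SHOW GRANTS` output for that user, reports which documented set it matches, and lists any privilege outside the documented ones. The function names and sample outputs are constructed for illustration.

```python
import re

# Privilege sets transcribed from the GRANT statements on this page.
# Names are normalized (upper case, "_" -> " ") because MySQL 8 prints dynamic
# privileges as CONNECTION_ADMIN while MariaDB prints CONNECTION ADMIN.
BASE = {"SHOW DATABASES", "CREATE USER", "PROCESS", "RELOAD", "CONNECTION ADMIN"}
OPTIONAL = {"SYSTEM USER", "ROLE ADMIN"}  # MySQL-only extras described on the page
READ_ONLY = {"SELECT"}
READ_WRITE = READ_ONLY | {
    "ALTER", "ALTER ROUTINE", "CREATE", "CREATE ROUTINE", "CREATE TEMPORARY TABLES",
    "CREATE VIEW", "DELETE", "INDEX", "INSERT", "TRIGGER", "UPDATE",
}
ADMIN = READ_WRITE | {"EXECUTE", "DROP"}
TIERS = [("read-only", READ_ONLY), ("read-write", READ_WRITE), ("admin", ADMIN)]
SCHEMA_EXPECTED = {"mysql.*": {"UPDATE"}}  # GRANT UPDATE ON mysql.*
IGNORED = {"USAGE", "GRANT OPTION"}        # every documented set includes GRANT OPTION

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE
)


def normalize(priv):
    """Upper-case a privilege name and unify '_' and repeated spaces."""
    return re.sub(r"\s+", " ", priv.strip().upper().replace("_", " "))


def parse_grants(lines):
    """Map each scope ('*.*', 'mysql.*', ...) to the privileges granted on it."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # role grants have no ON clause; they are outside this check
        scope = m.group("scope").replace("`", "")
        privs = {normalize(p) for p in m.group("privs").split(",")}
        grants.setdefault(scope, set()).update(privs - IGNORED)
    return grants


def audit(lines):
    """Compare SHOW GRANTS output with the permission sets documented on the page."""
    grants = parse_grants(lines)
    global_privs = grants.get("*.*", set())
    tier_privs = global_privs - BASE - OPTIONAL

    # Anything global that no documented set contains, e.g. SUPER or FILE.
    unexpected = {f"{p} ON *.*" for p in tier_privs - ADMIN}
    # Anything granted on a narrower scope that the page does not list.
    for scope, privs in grants.items():
        if scope != "*.*":
            extra = privs - SCHEMA_EXPECTED.get(scope, set())
            unexpected |= {f"{p} ON {scope}" for p in extra}

    missing = set(BASE - global_privs)
    for scope, needed in SCHEMA_EXPECTED.items():
        for p in needed - grants.get(scope, set()) - global_privs:
            missing.add(f"{p} ON {scope}")

    # Smallest documented set that covers what is actually granted.
    in_tier = tier_privs & ADMIN
    tier = next(name for name, allowed in TIERS if in_tier <= allowed)
    return {
        "tier": tier,
        "exact": in_tier == dict(TIERS)[tier],
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
    }


# Constructed SHOW GRANTS output: read-only set, MySQL 8 style.
SAMPLE_OK = [
    "GRANT SELECT, RELOAD, PROCESS, SHOW DATABASES, CREATE USER ON *.* "
    "TO `apono_connector`@`%` WITH GRANT OPTION",
    "GRANT CONNECTION_ADMIN ON *.* TO `apono_connector`@`%`",
    "GRANT UPDATE ON `mysql`.* TO `apono_connector`@`%`",
]

# Constructed SHOW GRANTS output: privileges added outside the documented sets.
SAMPLE_DRIFT = [
    "GRANT SELECT, INSERT, FILE, SUPER, RELOAD, PROCESS, SHOW DATABASES, "
    "CREATE USER ON *.* TO `apono_connector`@`%` WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON `billing`.* TO `apono_connector`@`%`",
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(name, audit(sample))
```

A result with `exact` set to false or a non-empty `unexpected` list means the connector account no longer matches a single documented set and should be reviewed before Apono provisions access through it.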
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click MariaDB. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify the integration when constructing an access flow
Hostname
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your MariaDB database.
Apono Connector
On-prem connection serving as a bridge between a MariaDB instance and Apono:
Apono Connector
On-prem connection serving as a bridge between an OpenSearch Integration instance and Apono:
OpenSearch Integration Account Access
OpenSearch Integration account with admin privileges
OpenSearch Integration
User for Apono’s connector (User/Password) with assigned roles -
You must create a user in your OpenSearch Integration instance for the Apono connector and grant that user role to your resources.
Follow these steps to create a service account for OpenSearch Integration in your Cloud Environment:
Create a user for Apono’s connector
Assign roles: AWS opensearch > security_manager, opensource > all_access
To enable the roles: plugins.security.restapi.roles_enabled
Create a new role and provide the following permissions:
Follow these steps to complete the integration:
On the Catalog tab, click OpenSearch Integration. The Connect Integration page appears.
Under Discovery, choose Index and/or Role, and click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
Click Next. The Integration Config page appears.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify the integration when constructing an access flow
Url
Enter the OpenSearch URL
Click Next. The Secret Store section expands.
Click Next. The 'Get more with Apono' section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated
Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters.
To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your OpenSearch Integration instance.
Create an integration to manage access to a MongoDB instance
The MongoDB integration helps you to securely discover and manage your MongoDB resources through Apono.
After integrating MongoDB with Apono, you'll be able to:
Automate resource discovery and mapping across your MongoDB infrastructure
Enable administrators to implement just-in-time, least-privilege access policies and securely manage permissions
Allow users to request temporary access to specific clusters, roles, databases, and collections
Review the following prerequisites and implementation steps to complete this integration.
You must create a MongoDB user for the Apono connector.
Follow these steps to create a user:
In your MongoDB instance, switch to the admin database.
Create a user (user) and password (pwd) for the Apono connector.
Create a secret with the credentials from step 2.
Use the following key-value pair structure when generating the secret. Be sure to replace #PASSWORD with the actual value. If you used a different name for the user, replace apono-connector with the name you assigned to the user.
You can also input the user credentials directly into the Apono UI during the integration process.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click MongoDB. The Connect Integration page appears.
Under Discovery, select one or multiple resource types.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your MongoDB instance.
MySQL connector user: SQL commands for the steps above

Only if Apono must manage MySQL users who have the SYSTEM_USER privilege:
GRANT SYSTEM_USER ON *.* TO 'apono_connector'@'%';

Read-only set (allows Apono to read data from databases):
GRANT SELECT ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

Read and modify set (allows Apono to read and modify data):
GRANT SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

Administrative set (allows Apono administrative-level access):
GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

Create the user:
CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';

Connector access:
GRANT SHOW DATABASES ON *.* TO 'apono_connector'@'%';
GRANT CREATE USER ON *.* TO 'apono_connector'@'%';
GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';
GRANT PROCESS ON *.* TO 'apono_connector'@'%';
GRANT RELOAD ON *.* TO 'apono_connector'@'%';
GRANT CONNECTION ADMIN ON *.* TO 'apono_connector'@'%';

(MySQL 8.0+) Role management:
GRANT ROLE_ADMIN on *.* to apono_connector;

Secret key-value pairs:
"username": "apono-connector",
"password": "#PASSWORD"

MariaDB connector user: SQL commands for the steps above

Read-only set (allows Apono to read data from databases):
GRANT SELECT ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

Read and modify set (allows Apono to read and modify data):
GRANT SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

Administrative set (allows Apono administrative-level access):
GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

Create the user:
CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';

Connector access:
GRANT SHOW DATABASES ON *.* TO 'apono_connector'@'%';
GRANT CREATE USER ON *.* TO 'apono_connector'@'%';
GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';
GRANT PROCESS ON *.* TO 'apono_connector'@'%';
GRANT RELOAD ON *.* TO 'apono_connector'@'%';
GRANT CONNECTION ADMIN ON *.* TO 'apono_connector'@'%';

Secret key-value pairs:
"username": "apono-connector",
"password": "#PASSWORD"

OpenSearch role permissions:
"cluster:monitor/state"
"cluster:monitor/health"
Click Save.
Minimum Required Version: 1.4.0 Learn how to update an existing AWS, Azure, GCP, or Kubernetes connector.

(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Minimum Required Version: 1.3.0 Learn how to update an existing AWS, Azure, GCP, or Kubernetes connector.
Hostname of the MySQL database to connect
Port
Port value for the instance Default Value: 3306.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.

Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Minimum Required Version: 1.3.0 Learn how to update an existing AWS, Azure, GCP, or Kubernetes connector.
Hostname of the MariaDB instance to connect
Port
Port value for the instance By default, Apono sets this value to 3306.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.

Resource Owner
Port
Network port the MongoDB instance is listening on for connections
By default, MongoDB uses port 27017.
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between a MongoDB instance and Apono:
MongoDB Information
Information for the database instance to be integrated:
Hostname
Port
This information can be obtained from a connection string.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname

Address of the MongoDB instance
Create an integration to manage access to a MongoDB Atlas instance
MongoDB Atlas is a fully managed and scalable cloud database service. It provides a flexible and secure platform for storing and managing data across various applications.
Developers can easily deploy, manage, and scale MongoDB databases in the cloud. Features like automated backups, global clusters, and real-time monitoring simplify database management.
Through this integration, Apono helps you discover and securely manage access to the resources in your MongoDB Atlas instance.
A project owner API key enables Apono to control Atlas user access across one or more projects.
If you have a single MongoDB Atlas project, you can use a project owner API key to manage it through Apono.
Follow these steps to create a project owner API key:
At the Atlas CLI prompt, run the following command. Be sure to replace #PROJECT_ID with the project ID that contains the cluster you want to integrate.
Copy the public and private API key in the response.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click MongoDB Atlas. The Connect Integration page appears.
Under Discovery, select one or multiple resource types.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your MongoDB Atlas instance.
Please note: due to , only 100 custom roles can be created per tenant. This may cause access requests to fail if the limit is exceeded.
Create an integration to manage access to your PostgreSQL databases
PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance.
Through this integration, Apono helps you securely manage access to your PostgreSQL instance.
To enable Apono to manage PostgreSQL user access, you must create a user and then configure the integration within the Apono UI.
You must create a user in your PostgreSQL instance for the Apono connector.
You must use the admin account and password to connect to your database.
Follow these steps to create a user and grant it permissions:
In your preferred client tool, create a new user. Use apono_connector for the username. Be sure to set a strong password for the user.
You must also grant the SUPERUSER role to the user in the database instance.
Using the credentials from step 1, create a secret for the database instance.
You can also input the user credentials directly into the Apono UI during the integration process.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click PostgreSQL. The Connect Integration page appears.
Under Discovery, select one or multiple resource types for Apono to discover in all instances of the environment.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your PostgreSQL instance.
Create an integration to manage access to Oracle Database tables and custom roles
Oracle Database is a relational database management system (RDBMS) developed by Oracle Corporation. It enables organizations to store, manage, and retrieve data using Structured Query Language (SQL). The database includes features for ensuring data integrity, performing backup and recovery, controlling access, and tuning performance.
Oracle Database supports both on-premises and cloud-based deployments through Oracle Cloud Infrastructure.
Through this integration, Apono helps you securely manage just-in-time, just-enough access to your Oracle Database, tables and custom roles.
You must create a user in your Oracle Database instance for the Apono connector.
Use the following steps to create a user and grant it permissions to your databases:
In your preferred client tool, create a new user. Be sure to set a strong password for the user.
The password must be a minimum of 9 characters and satisfy the following minimum requirements:
2 lowercase letters
2 uppercase letters
Grant the user permission to connect to the Oracle Database.
Grant user management permissions.
Grant role management permissions.
Grant table management permissions.
Grant the user permissions to grant permissions to Oracle users.
Using the credentials from step 1, create a secret for the database instance.
You can also input the user credentials directly into the Apono UI during the integration process.
You can now integrate Oracle Database.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Oracle Database. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your Oracle Database resources.
MongoDB connector user: commands for the steps above

use admin;
db.createUser({
  user: "apono-connector",
  pwd: "password",
  roles: [
    {
      "role" : "clusterMonitor",
      "db" : "admin"
    },
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    },
    {
      "role" : "readWriteAnyDatabase",
      "db" : "admin"
    },
    {
      "role" : "clusterManager",
      "db" : "admin"
    }
  ]
});

Secret key-value pairs:
"username": "apono-connector",
"password": "#PASSWORD"

Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Be sure to replace #PUBLIC_KEY and #PRIVATE_KEY with actual values.
You can also input the user credentials directly into the Apono UI during the integration process.
You can now integrate MongoDB Atlas.
If you have multiple MongoDB Atlas projects, you can use a single project owner API key to manage them all through Apono.
Follow these steps to create and associate a project owner API key:
At the Atlas CLI prompt, run the following command. Be sure to replace #PROJECT_ID with the project ID that contains the cluster you want to integrate.
atlas projects apiKeys create --desc cli-created --projectId "#PROJECT_ID" --role GROUP_OWNER
Copy the public and private API key in the response.
List all your Atlas projects and their IDs.
For each additional project ID, assign the public API key. Be sure to replace #API_KEY_ID with your public API key from step 2 and #PROJECT_ID with the project ID of the additional project to associate with the API key.
Create a secret with the credentials from step 2. Use the following key-value pair structure when generating the secret. Be sure to replace #PUBLIC_KEY and #PRIVATE_KEY with actual values.
You can also input the user credentials directly into the Apono UI during the integration process.
You can now integrate MongoDB Atlas.
Cluster Name
Name for a database cluster in MongoDB Atlas, serving as an identifier within a project
Cluster Type
Configuration of a MongoDB Atlas cluster
Private Endpoint Id
(Optional) Unique identifier for a private endpoint in MongoDB Atlas
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential rotation period (in days)
(Optional) Number of days after which the database credentials must be rotated
Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between a MongoDB Atlas instance and Apono:
Atlas CLI
Command-line interface used to manage Atlas resources
MongoDB Atlas Information
Information for the database instance to be integrated:
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Project Id

Unique identifier assigned to each project within MongoDB Atlas

Atlas CLI command to create the project owner API key:
atlas projects apiKeys create --desc cli-created --projectId "#PROJECT_ID" --role GROUP_OWNER

Secret key-value pairs:
"public_key": "#PUBLIC_KEY",
"private_key": "#PRIVATE_KEY"

Port
Port value for the instance
By default, Apono sets this value to 5432.
Database Name
Name of the database to integrate
By default, Apono sets this value to postgre.
SSL Mode
(Optional) Mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server
require: An SSL-encrypted connection must be used.
allow: An SSL-encrypted or unencrypted connection is used. If an SSL encrypted connection is unavailable, the unencrypted connection is used.
disable: An unencrypted connection is used.
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between your PostgreSQL databases and Apono:
Minimum Required Version: 1.3.0 Use the following steps to update an existing connector:
PostgreSQL Info
Information for the database instance to be integrated:
Hostname
Port number
Database Name
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname

Hostname of the PostgreSQL database instance to connect
2 numbers (0-9)
2 special characters
Cannot have 3 consecutive identical characters
Have 4 different characters than the previous password
Cannot contain, repeat, or reverse the user name
Port
Port value for the instance By default, Apono sets this value to 1521.
Service Name
Name of the service By default, Apono sets this value to ORCL.
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted.
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between an Oracle Database instance and Apono:
Oracle Database Information
Information for the database instance to be integrated:
Hostname
Port number
Admin access to Oracle
The Admin must be able to create users and manage roles in Oracle
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname

Hostname of the Oracle Database instance to connect
Create an integration to manage access to a Snowflake instance
Snowflake is a fully managed, cloud-based data platform that functions as a data warehouse, data lake, and data sharing solution. With features such as automatic scaling, secure data sharing, and robust data integration, Snowflake offers high performance and flexibility, ensuring seamless data management and analytics.
Through this integration, Apono helps you securely manage access to your Snowflake instance.
CREATE USER apono_connector WITH ENCRYPTED PASSWORD 'password';
ALTER USER apono_connector WITH SUPERUSER;

CREATE USER apono_connector IDENTIFIED BY password;
ALTER USER apono_connector DEFAULT TABLESPACE users;
ALTER USER apono_connector TEMPORARY TABLESPACE temp;
ALTER USER apono_connector QUOTA UNLIMITED ON users;
GRANT CREATE SESSION TO apono_connector;
GRANT CONNECT, RESOURCE TO apono_connector;
GRANT CREATE USER TO apono_connector;
GRANT ALTER USER TO apono_connector;
GRANT DROP USER TO apono_connector;
GRANT ALTER SYSTEM TO apono_connector;
GRANT SELECT_CATALOG_ROLE TO apono_connector;
GRANT GRANT ANY ROLE TO apono_connector;
GRANT CREATE ROLE TO apono_connector;
GRANT DROP ANY ROLE TO apono_connector;
GRANT GRANT ANY OBJECT PRIVILEGE TO apono_connector;
GRANT GRANT ANY PRIVILEGE TO apono_connector;

prefer: An SSL encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca: An SSL-encrypted connection must be used and a server certificate verification against the provided CA certificates must pass.
verify-full: An SSL-encrypted connection must be used and a server certificate verification against the provided CA certificates must pass. Additionally, the server hostname is checked against the certificate's names.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
atlas projects list
atlas projects apiKeys assign #API_KEY_ID --role GROUP_OWNER --projectId #PROJECT_ID
"public_key": "#PUBLIC_KEY",
"private_key": "#PRIVATE_KEY"
Apono Connector
On-prem connection serving as a bridge between a Snowflake instance and Apono:
OpenSSL
OpenSSL command-line tool installed on your local machine
OpenSSL is an open-source toolkit for implementing Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
Snowflake account
Snowflake account with administrative access
Snowflake Hostname
Unique identifier of the Snowflake instance to connect. You can use either format:
<organization_name>-<account_name>
<organization_name>-<account_name>.privatelink (if using a )
NOTE: If your Snowflake hostname uses <account_locator>.<cloud_region_id>, you must switch to one of the accepted formats above.
Multi-Factor Authentication (MFA)
MFA for the Snowflake account
Admins must enable MFA for the Snowflake account due to Snowflake’s recent deprecation of non-MFA authentication.
Follow these steps to enable MFA:
In the Snowflake UI, go to Settings > Authentication.
Click Add new authentication method.
Register your chosen authentication method (for example, Passkey or Authenticator).
Public / Private Key Pair
Key-pair authentication and rotation for Snowflake using public and private keys
Learn how to below.
For additional information, visit .
Follow these steps to generate a public-private key pair for authentication between the Apono connector and your Snowflake instance:
In your terminal, run the following command to create a private key.
When prompted, enter a passphrase for the private key.
Save this passphrase securely. You will need it later when configuring the Apono integration.
In your terminal, run the following command to create a public key.
When prompted, enter the passphrase you created in step 2.
Your key pair files are now ready for use during authentication.
Private key
rsa_key.p8
Public key
rsa_key.pub
You will assign the public key to your connector user in Snowflake and add the private key (and its passphrase, if applicable) to your Apono Secret.
You must create a user in your Snowflake instance for the Apono connector and grant that user permissions to your instance.
Follow these steps to create a user for the Apono connector:
Create a new role called APONOADMIN.
Grant the following access to the role. These permissions allow the connector to create users and roles, manage role grants, and monitor account activity, such as running SHOW commands or viewing users, roles, and sessions.
Create a user for the Apono connector. Use APONO_CONNECTOR or another name of your choosing for the username. Be sure to set a strong password for the user.
In your Snowflake worksheet, assign the public key to the connector user by copying the key content from your rsa_key.pub file (excluding the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines). Be sure to replace {PUBLIC_KEY} with your actual key value.
Assign the APONOADMIN role to the user.
(Optional) Set the default role for the user.
Create a secret with the credentials from step 3 and your public-private key pair.
Use the following structure when generating the secret. Be sure to replace #PRIVATE_KEY and #PASSPHRASE with actual values copied from your rsa_key.p8 file (excluding the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines). If you used a different name for the user, replace APONO_CONNECTOR with the name you assigned to the user.
You can also input the credentials directly into the Apono UI during the integration process (step 8).
You can now integrate your Snowflake instance.
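The key-pair steps above can be scripted and checked before the key is assigned in Snowflake and stored in the Apono secret. The following is an added example, not part of the Apono documentation: it runs the page's two openssl commands non-interactively, builds the ALTER USER statement with the PEM header and footer lines stripped, and computes the fingerprint to compare with the RSA_PUBLIC_KEY_FP value that DESC USER reports. The function names and the KEY_PASSPHRASE environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Apono documentation. Requires openssl on PATH.
# The passphrase is read from the KEY_PASSPHRASE environment variable
# (an assumption of this example) so it is never typed on a command line.

# gen_keypair DIR: write DIR/rsa_key.p8 (encrypted PKCS#8) and DIR/rsa_key.pub,
# using the same openssl commands as the page, made non-interactive.
gen_keypair() {
    (
        umask 077   # private key readable by the owner only
        openssl genrsa 2048 2>/dev/null |
            openssl pkcs8 -topk8 -v2 des3 -inform PEM \
                -passout env:KEY_PASSPHRASE -out "$1/rsa_key.p8"
    ) || return 1
    openssl rsa -in "$1/rsa_key.p8" -passin env:KEY_PASSPHRASE \
        -pubout -out "$1/rsa_key.pub" 2>/dev/null
}

# pem_body FILE: base64 body of a PEM file on one line, without the
# -----BEGIN ...----- / -----END ...----- lines.
pem_body() {
    grep -v '^-----' "$1" | tr -d '\r\n'
}

# alter_user_sql PUBFILE USER: the statement that assigns the public key.
alter_user_sql() {
    printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$2" "$(pem_body "$1")"
}

# pubkey_fingerprint PUBFILE: SHA-256 of the DER-encoded public key, in the
# "SHA256:<base64>" form Snowflake reports as RSA_PUBLIC_KEY_FP in DESC USER.
pubkey_fingerprint() {
    # Reject anything that does not parse as a public key before hashing.
    openssl rsa -pubin -in "$1" -noout 2>/dev/null || return 1
    fp=$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
        openssl dgst -sha256 -binary | openssl enc -base64) || return 1
    printf 'SHA256:%s\n' "$fp"
}

# keypair_matches DIR: succeed only if KEY_PASSPHRASE decrypts rsa_key.p8 and
# the public key derived from it equals rsa_key.pub.
keypair_matches() {
    derived=$(openssl rsa -in "$1/rsa_key.p8" -passin env:KEY_PASSPHRASE \
        -pubout 2>/dev/null) || return 1
    [ "$derived" = "$(cat "$1/rsa_key.pub")" ]
}

# Usage:
#   export KEY_PASSPHRASE='...'
#   gen_keypair . && keypair_matches . && alter_user_sql rsa_key.pub APONO_CONNECTOR
#   pubkey_fingerprint rsa_key.pub   # compare with DESC USER APONO_CONNECTOR
```

A mismatch between the computed fingerprint and RSA_PUBLIC_KEY_FP means the key assigned to the connector user is not the one paired with the private key in the secret.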
Admins must enable MFA for a Snowflake account due to Snowflake’s recent deprecation of non-MFA authentication.
Once MFA is enabled in Snowflake, it cannot be disabled. Password-based authentication will no longer work after MFA is activated.
Follow these steps to enable MFA:
In the Snowflake UI, click Settings > Authentication.
Click Add new authentication method.
Follow the prompts to register your chosen authentication method (for example, Passkey or Authenticator).
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Snowflake. The Connect Integration page appears.
Under Discovery, select one or multiple resource types for Apono to discover in all instances of the environment.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated.
User cleanup after access is revoked (in days)
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your Snowflake instance.
Create an integration to manage access to a MongoDB Atlas Portal instance and its resources
Apono’s MongoDB Atlas integration enables you to securely manage just-in-time (JIT) access to your Atlas Organizations and Projects. You can connect Apono to a single cluster or discover multiple clusters.
With the single-cluster integration, Apono connects directly to one MongoDB Atlas cluster and discovers all of its resources for streamlined access management.
You must create an API key with the Organization User role for the Apono connector.
Follow these steps to create the API key:
In the Atlas CLI, create the API key. The following command will return the public and private API keys in the response.
Be sure to replace <ORGANIZATION_ID> with the organization ID of the MongoDB Atlas UI to integrate.
Using the keys from the previous step, for the MongoDB Atlas UI instance.
You can now .
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Mongo Atlas Portal. The Connect Integration page appears.
Under Discovery, click one or both resource types to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your MongoDB Atlas UI Organizations and Projects.
Apono provides enhanced integration capabilities with MongoDB Atlas Portal, permitting the discovery and management of multiple clusters simultaneously.
To discover multiple clusters in an Organization, Apono creates a Sub Integration for every discovered cluster, with its own Databases, Documents, and Roles.
Deep discovery has the following limitations:
Deep discovery currently supports only AWS and Azure secret stores.
All Apono connectors must have proper network access to their MongoDB Atlas clusters.
You must create an API key with the Organization Owner role for the Apono connector.
Follow these steps to create the API key:
In the Atlas CLI, create the API key. The following command will return the public and private API keys in the response.
Be sure to replace <ORGANIZATION_ID> with the organization ID of the MongoDB Atlas UI to integrate.
Using the keys from the previous step, for the MongoDB Atlas UI instance.
Only AWS Secret Store and Azure Vault are supported for this integration at this time.
You can also use the steps below to integrate with Apono using Terraform.
In step 12, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Mongo Atlas Portal integration. The Connect Integration page appears.
Under Discovery, click one or both resource types to sync with Apono.
Select one or several sub integrations:
Under
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Follow these steps to tag the cluster:
In your MongoDB Atlas cluster, navigate to the Clusters or Overview page to .
For clusters in different networks or VPCs, tag each cluster with the Apono connector ID:
Enter apono-connector-id for the Key.
Each network or VPC hosting cluster must have a unique Apono connector.
Tag each cluster for the type of Apono connection.
Now that you have completed this integration, you can create access flows that grant permission to your MongoDB Atlas UI Organizations and Projects.
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

CREATE ROLE APONOADMIN;
GRANT CREATE USER ON ACCOUNT TO ROLE APONOADMIN;
GRANT CREATE ROLE ON ACCOUNT TO ROLE APONOADMIN;
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE APONOADMIN;
GRANT MONITOR ON ACCOUNT TO ROLE APONOADMIN;
CREATE USER APONO_CONNECTOR PASSWORD = 'password';
ALTER USER APONO_CONNECTOR SET RSA_PUBLIC_KEY='{PUBLIC_KEY}';
GRANT ROLE APONOADMIN TO USER APONO_CONNECTOR;
ALTER USER APONO_CONNECTOR SET DEFAULT_ROLE = APONOADMIN;

"username": "APONO_CONNECTOR",
"private_key": "#PRIVATE_KEY",
"passphrase": "#PASSPHRASE"

Hostname of the Snowflake instance to connect
Auth Type
(Optional) Authorization type for the Snowflake user
User / Password: Apono-created local user credentials
SSO Auth: Synced user credentials from IdP integration with Snowflake
Role
(Optional) User role associated with the Snowflake instance
Default: ACCOUNTADMIN
SSO Portal URL
(Optional) URL for the SSO portal connected to your Snowflake instance
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.

Click Next. The Secret Store section expands.
Associate the secret or credentials from step 2 of the previous section.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted.
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
(Optional) Select one or more additional sub integrations.
Click Next. The Secret Store section expands.
Associate the secret or credentials from step 2 in the previous section.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted.
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm to complete the setup.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Enter the private endpoint ID for the Value.
Apono Connector
On-prem connection serving as a bridge between a MongoDB Atlas instance and Apono:
Atlas Command Line Interface (Atlas CLI)
Command line interface for provisioning and managing Atlas database deployments from the terminal
MongoDB Atlas Info
Information for the MongoDB Atlas UI resources to be integrated:
Cluster name
Organization ID
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Organization ID
MongoDB Atlas Account
MongoDB Atlas account with organization-level access


ID of the organization of the MongoDB Atlas UI instance to connect
atlas organizations apiKeys create --role ORG_OWNER --desc apono_connector --orgId <ORGANIZATION_ID>
"public_key": "#PUBLIC_KEY",
"private_key": "#PRIVATE_KEY"
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
