This is a guest post from my friends at ConductorOne which I think you will love.
Baton, by ConductorOne, is an open source toolkit to extract, normalize, and interact with identity data from any app with a standardized and extensible data model.
Using the Baton CLI and SDKs, you’ll be able to audit infrastructure access on-demand, run diffs, and extract access data. This can be used for automating user access reviews, exports into SIEMs, real-time visibility, etc.
Baton consists of three components:
- The Baton CLI: a command line interface that provides a set of commands to extract, compare, and explore identity, resource, and permission data in an app.
- The Baton SDK: a toolkit that makes building a connector for any application seamless. These connectors generate data that the CLI consumes and/or they can connect directly to ConductorOne.
- Baton connectors: these pre-built and supported integrations work with common SaaS and IaaS apps to sync identity and permission data.
The goal for Baton is to enable you to easily gain unified visibility into all identity, resource, and permission data in an application and to create workflows that manage identity and access.
What is Baton by ConductorOne?
ConductorOne is an identity security platform that allows you to orchestrate user access in your org’s environment through least privilege controls.
We believe that identity and permission data should be easily accessible; after building these connectors for more than two years, we open sourced Baton as an answer to the accessibility problem.
Let’s take a look at the Baton architecture.
Baton connectors can integrate with any permission store to export user and permission data and to orchestrate access changes back.
Because connectors can be natively written in any language, they are also not restricted to simply using APIs to integrate.
They can manage identity and access using screen scraping or direct database calls.
Furthermore, because connectors are standalone artifacts, they can be hosted anywhere: in our SaaS, in your private cloud, or on-prem alongside your app.
How Baton Helps with Access Auditing
As CTO Paul Querna outlines in his Baton announcement, here are a few Baton use cases we’re excited about:
- Find all AWS IAM users with a specific IAM role
- Audit GitHub repo admins
- Find users in apps that aren’t in your IdP
- Detect differences or changes in permissions in GitHub or AWS
- Export GitHub permissions into a CSV for loading into a user access review
- Discover all access for a user or an account across all SaaS and IaaS apps
How to Use Baton
To get started, pair one of our open source Baton connectors (built with the Baton SDK) with the Baton CLI to view a snapshot of access privileges at a given moment and to diff access privileges between connector syncs.
Create a Connector For Your App With the SDK
The Baton SDK can be implemented to support any application or technology.
Using the Baton SDK, any developer can create a Baton connector that extracts, normalizes, and interacts with identity and access privilege information via the Baton CLI.
The SDK can be implemented to support back office portals, homegrown apps, legacy on-prem systems, and other SaaS tools.
This quick tutorial for exporting access data from GitHub shows you how it works:
Get started using Baton at github.com/conductorone/baton or learn more in our documentation.
We welcome contributions and ideas, no matter how small – our goal is to make identity and permissions sprawl less painful for everyone.
Baton is licensed under the Apache 2.0 license, an OSI-approved open source license, because we want to enable widespread contributions and let a broad community that cares about security outcomes participate.
See CONTRIBUTING.md on GitHub for more details.
It doesn’t stop there! Check out ConductorOne’s docs for practical examples of Baton in action:
- Export GitHub access updates to a CSV file
- Get Splunk alerts when a new GitHub admin is added
- Set up a daily check for GitHub user rights updates
- Diff access rights from two GitHub orgs