# Getting Started The integrations API is a REST API that allows you to integrate your remote data platform with Immuta so that Immuta can manage and enforce access controls on your data. To configure an integration using the API, you must have the APPLICATION\_ADMIN Immuta permission. ## Authenticate with the API {% @mermaid/diagram content="graph LR A(Authenticate) --> B(Configure integration) --> C(Map users and create policies) --> D(Register metadata); style A fill:#2F6BA7,color:#fff style B fill:#fff style C fill:#fff style D fill:#fff" %} There are two methods for making an authenticated request to the integrations API. Select a tab below for instructions. {% tabs %} {% tab title="API key method" %} 1. Generate your API key on the **API Keys** tab on your profile page and save the API key somewhere secure. 2. You will pass this API key in the authorization header when you make a request, as illustrated in the example below: ```shell curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: 846e9e43c86a4ct1be14290d95127d13f" \ https://www.organization.immuta.com/integrations ``` {% endtab %} {% tab title="Bearer token method" %} 1. Generate your API key on the **API Keys** tab on your profile page and save the API key somewhere secure. 2. Save your API key in a .json file. ```json { "apikey": "846e9e43c86a4ct1be14290d95127d13f" } ``` 3. Make the following request to the `authentication` endpoint: ```shell curl \ --request POST \ --header "Content-Type: application/json" \ --data @example_payload.json \ https://www.organization.immuta.com/bim/apikey/authenticate ``` 4. You will receive a response that includes your bearer token. Pass that bearer token in the Authorization header when you make a request, as illustrated in the example below: ```shell curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/integrations ``` {% endtab %} {% endtabs %} ## Configure your integration {% @mermaid/diagram content="graph LR A(Authenticate) --> B(Configure integration) --> C(Map users and create policies) --> D(Register metadata); style A fill:#fff style B fill:#2F6BA7,color:#fff style C fill:#fff style D fill:#fff click A "#authenticate-with-the-api" \_blank click B "#configure-your-integration" \_blank click C "#protect-your-data" \_blank click D "#register-metadata" \_blank" %} Use the `POST /integrations` endpoint to configure the integration so that Immuta can enforce access controls on tables registered as Immuta data sources. See a section below for a sample request and details about configuring your integration. ### Amazon S3 example {% hint style="info" %} **Private preview**: The Amazon S3 integration is available to select accounts. Reach out to your Immuta representative for details. {% endhint %} ```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Native S3", "autoBootstrap": false, "config": { "name": "S3 integration", "awsAccountId": "123456789", "awsRegion": "us-east-1", "awsLocationRole": "arn:aws:iam::123456789:role/access-grants-instance-role", "awsLocationPath": "s3://", "authenticationType": "accessKey", "awsAccessKeyId": "123456789", "awsSecretAccessKey": "123456789" } }' ``` 1. [Set up an Access Grants instance](https://documentation.immuta.com/2024.2/developer-guides/api-intro/how-to-guides/s3-api#set-up-s3-access-grants-instance). 2. Copy the request example. 3. Replace the values in the request with your Immuta URL and [API key or bearer token](#authenticate-with-the-api). 4. Change the `config` values to your own, where * **name** is the name for the integration that is unique across all Amazon S3 integrations configured in Immuta. * **awsAccountId** is the ID of your AWS account. * **awsRegion** is the account's AWS region (such as `us-east1`). * **awsLocationRole** is the AWS IAM role ARN assigned to the base access grants location. This is the role the AWS Access Grants service assumes to vend credentials to the grantee. * **awsLocationPath** is the base S3 location prefix that Immuta will use for this connection when registering S3 data sources. This path must be unique across all S3 integrations configured in Immuta. * **awsAccessKeyId** is the AWS access key ID of the AWS account configuring the integration. * **awsSecretAccessKey** is the AWS secret access key of the AWS account configuring the integration. For more configuration examples, see the [Configure an Amazon S3 integration guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/s3-api). For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/payload). ### Azure Synapse Analytics example ```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Azure Synapse Analytics", "autoBootstrap": true, "config": { "host": "organization.azure.com", "schema": "immuta", "database": "sample_database", "username": "taylor@synapse.com", "password": "abc1234", "authenticationType": "userPassword" } }' ``` Replace the values in the request with your Immuta URL and [API key or bearer token](#authenticate-with-the-api), and change the `config` values to your own, where * **host** is the URL of your Azure Synapse Analytics account. * **schema** is the name of the Immuta-managed schema where all your secure views will be created and stored. * **database** is the name of an existing database where the Immuta system user will store all Immuta-generated schemas and views. * **username** and **password** are the username and password of the system account that can act on Azure Synapse Analytics objects and configure the integration. The example sets `autoBootstrap` to `true`, which grants Immuta one-time access to credentials to configure the resources in your Azure Synapse Analytics environment for you. If you set `autoBootstrap` to `false`, you must manually [run the bootstrap script](https://documentation.immuta.com/2024.2/developer-guides/api-intro/how-to-guides/synapse-api#manual-setup) in your Azure Synapse Analytics environment yourself before making the request. For more configuration examples, see the [Configure an Azure Synapse Analytics integration guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/synapse-api). For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/payload). ### Databricks Unity Catalog example ```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Databricks", "autoBootstrap": true, "config": { "workspaceUrl": "www.example-workspace.cloud.databricks.com", "httpPath": "sql/protocolv1/o/0/0000-00000-abc123", "authenticationType": "token", "token": "REDACTED", "catalog": "immuta" } }' ``` Replace the values in the request with your Immuta URL and [API key or bearer token](#authenticate-with-the-api), and change the `config` values to your own, where * **workspaceUrl** is your Databricks workspace URL. * **httpPath** is the HTTP path of your Databricks cluster or SQL warehouse. * **token** is the Databricks personal access token. This is the access token for the Immuta system account user. * **catalog** is the name of the Databricks catalog Immuta will create to store internal entitlements and other user data specific to Immuta. This catalog will only be readable for the Immuta service principal and should not be granted to other users. The catalog name may only contain letters, numbers, and underscores and cannot start with a number. For more configuration examples, see the [Configure a Databricks Unity Catalog integration guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/databricks-uc-api). For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/payload). ### Google BigQuery example {% hint style="info" %} **Private preview**: This integration is available to select accounts. Reach out to your Immuta representative for details. {% endhint %} ```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Google BigQuery", "autoBootstrap": false, "config": { "role": "immuta", "datasetSuffix": "_secureView", "dataset": "immuta", "location": "us-east1", "credential": "{\"type\":\"service_account\",\"project_id\":\"innate-conquest-123456\",\"private_key_id\":\"9163c12345690924f5dd218ff39\",\"private_key\":\"-----BEGIN PRIVATE KEY-----\nXXXXXXXro0s\n/yQlPQijowkccmrmWJyr93kdLnwJzBvLHCto/+W\ncvF2ygX9oM/dyUK//z//4nptMp+Ck//Yw3D4rIBwGu4DWiR1qRnf\nDoGyXfThPTQ==\n-----END PRIVATE KEY-----\n\",\"client_email\":\"service-account-id@innate-conquest-123456.iam.gserviceaccount.com\",\"client_id\":\"1166290***432952487857\",\"auth_uri\":\"https://accounts.google.com/o/oauth2/auth\",\"token_uri\":\"https://oauth2.googleapis.com/token\",\"auth_provider_x509_cert_url\":\"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\":\"https://www.googleapis.com/robot/v1/metadata/x509/service-account-id%40innate-conquest-123456.iam.gserviceaccount.com\",\"universe_domain\":\"googleapis.com\"}" } }' ``` 1. [Create a Google Cloud service account and role](https://documentation.immuta.com/2024.2/data-and-integrations/google-bigquery#google-cloud-service-account-and-role-used-by-immuta-to-connect-to-google-bigquery) by either using the Google Cloud console or the provided Immuta script. 2. Copy the request example. The example uses JSON format, but the request also accepts YAML. 3. Replace the **Immuta URL** and [**API key**](#authenticate-with-the-api) with your own. 4. Change the **config** values to your own, where * **role** is the Google Cloud role used to connect to Google BigQuery. * **datasetSuffix** is the suffix to postfix to the name of each dataset created to store secure views. This string must start with an underscore. * **dataset** is the name of the BigQuery dataset to provision inside of the project for Immuta metadata storage. * **location** is the dataset's location, which can be any valid GCP location (such as `us-east1`). * **credential** is the Google BigQuery service account JSON keyfile credential content. See the [Google documentation](https://developers.google.com/workspace/guides/create-credentials#create_credentials_for_a_service_account) for guidance on generating and downloading this keyfile. For more configuration examples, see the [Configure a Google BigQuery integration](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/bigquery-api) guide. For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/payload). ### Redshift example ```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Redshift", "autoBootstrap": true, "config": { "host": "organization.aws.amazon.com", "database": "immuta", "initialDatabase": "REDSHIFT_SAMPLE_DATA", "authenticationType": "userPassword", "username": "taylor@redshift.com", "password": "abc1234" } }' ``` Replace the values in the request with your Immuta URL and [API key or bearer token](#authenticate-with-the-api), and change the `config` values to your own, where * **host** is the URL of your Redshift account. * **database** is the name of a new empty database that the Immuta system user will manage and store metadata in. * **initialDatabase** is the name of an existing database in Redshift that Immuta initially connects to and creates the Immuta-managed database. * **authenticationType** is the type of authentication to use when connecting to Redshift. * **username** and **password** are the credentials for the system account that can act on Redshift objects and configure the integration. The example sets `autoBootstrap` to `true`, which grants Immuta one-time access to credentials to configure the resources in your Redshift environment for you. If you set `autoBootstrap` to `false`, you must manually [run the bootstrap script](https://documentation.immuta.com/2024.2/developer-guides/api-intro/how-to-guides/redshift-api#manual-setup) in your Redshift environment yourself before making the request. For more configuration examples, see the [Configure a Redshift integration guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/redshift-api). For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/payload). ### Snowflake example ```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Snowflake", "autoBootstrap": true, "config": { "host": "organization.us-east-1.snowflakecomputing.com", "warehouse": "SAMPLE_WAREHOUSE", "database": "SNOWFLAKE_SAMPLE_DATA", "authenticationType": "userPassword", "username": "taylor@snowflake.com", "password": "abc1234", "role": "ACCOUNTADMIN" } }' ``` Replace the values in the request with your **Immuta URL** and [**API key or bearer token**](#authenticate-with-the-api), and change the **config** values to your own, where * **host** is the URL of your Snowflake account. * **warehouse** is the default pool of Snowflake compute resources the Immuta system user will use to run queries and perform other Snowflake operations. * **database** is the name of a new empty database that the Immuta system user will manage and store metadata in. * **authenticationType** is the type of authentication to use when connecting to Snowflake. * **username** and **password** are the credentials for the system account that can act on Snowflake objects and configure the integration. The example sets `autoBootstrap` to `true`, which grants Immuta one-time access to credentials to configure the resources in your Snowflake environment for you. If you set `autoBootstrap` to `false`, you must manually [run the bootstrap script](https://documentation.immuta.com/2024.2/developer-guides/api-intro/how-to-guides/snowflake-api#manual-setup) in your Snowflake environment yourself before making the request. For more configuration examples, see the [Configure a Snowflake integration guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/snowflake-api). For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/payload). ### Starburst (Trino) example 1. Replace the values in the request with your **Immuta URL** and [**API key or bearer token**](#authenticate-with-the-api). ```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Trino" }' ``` 2. Navigate to the Immuta **App Settings** page and click the **Integrations** tab. 3. Click your enabled **Starburst (Trino)** integration and copy the configuration snippet displayed. 4. Follow the steps in the configure the Immuta system access control plugin in [Starburst](https://documentation.immuta.com/2024.2/data-and-integrations/starburst-trino/how-to-guides/configure#starburst-cluster-configuration) or [Trino](https://documentation.immuta.com/2024.2/data-and-integrations/starburst-trino/how-to-guides/configure#trino-cluster-configuration) section to add the configuration in the appropriate `immuta-access-control.properties` file to finish configuring your cluster. ## Protect your data {% @mermaid/diagram content="graph LR A(Authenticate) --> B(Configure integration) --> C(Map users and create policies) --> D(Register metadata); style A fill:#fff style B fill:#fff style C fill:#2F6BA7,color:#fff style D fill:#fff" %} Map usernames and create policies before you register your metadata to ensure that policies are enforced on tables and views immediately. 1. [Map usernames](https://documentation.immuta.com/2024.2/people/immuta-users/how-to-guides/external-user-mapping) to Immuta to ensure Immuta properly enforces policies and audits user queries. 2. Build global policies in Immuta to enforce access controls: * [Create policies via the API](https://documentation.immuta.com/2024.2/developer-guides/api-intro/immuta-v1-api/manage-data-access/policy) * [Create subscription policies in the UI](https://documentation.immuta.com/2024.2/secure-your-data/authoring-policies-in-secure/section-contents/how-to-guides/subscription-policy-tutorial) * [Create data policies in the UI](https://documentation.immuta.com/2024.2/secure-your-data/authoring-policies-in-secure/data-policies/how-to-guides/data-policy-tutorial) ## Register metadata {% @mermaid/diagram content="graph LR A(Authenticate) --> B(Configure integration) --> C(Map users and create policies) --> D(Register metadata); style A fill:#fff style B fill:#fff style C fill:#fff style D fill:#2F6BA7,color:#fff" %} Register your metadata using the API or Immuta UI: * API how-to guides * [Azure Synapse Analytics](https://documentation.immuta.com/2024.2/developer-guides/api-intro/immuta-v1-api/connect-your-data/asa) * [Databricks](https://documentation.immuta.com/2024.2/developer-guides/api-intro/immuta-v1-api/connect-your-data/databricks) * [Redshift](https://documentation.immuta.com/2024.2/developer-guides/api-intro/immuta-v1-api/connect-your-data/redshift) * [Snowflake](https://documentation.immuta.com/2024.2/developer-guides/api-intro/immuta-v1-api/connect-your-data/snowflake) * [Starburst (Trino)](https://documentation.immuta.com/2024.2/developer-guides/api-intro/immuta-v1-api/connect-your-data/trino) * UI how-to guide: [Create a data source](https://documentation.immuta.com/2024.2/data-and-integrations/registering-metadata/register-data-sources/query-backed-tutorial) ## Additional resources ### How-to guides See the following how-to guides for configuration examples and steps for creating, managing, or disabling your integration: * [Amazon S3 integration API reference](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/s3-api) * [Azure Synapse Analytics integration API reference](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/synapse-api) * [Databricks Unity Catalog integration API reference](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/databricks-uc-api) * [Redshift integration API reference](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/redshift-api) * [Snowflake integration API reference](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/snowflake-api) * [Starburst (Trino) integration API reference](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/how-to-guides/trino-api) ### Reference guides See the following reference guides for information about the integrations API endpoints, payloads, and responses: * [Integrations API endpoints](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/integrations-api) * [Integrations API payloads](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/payload) * [Integrations API response schema](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/response-schema) * [HTTP status codes and error messages](https://documentation.immuta.com/2024.2/developer-guides/api-intro/integrations-api/reference-guides/status-codes)