# Getting Started The integrations API is a REST API that allows you to integrate your remote data platform with Immuta so that Immuta can manage and enforce access controls on your data. To configure an integration using the API, you must have the `APPLICATION_ADMIN` Immuta permission. ## Configure your integration {% @mermaid/diagram content="graph LR B(Connect data platform) --> C(Protect data) --> D(Register metadata); style B fill:#2F6BA7,color:#fff style C fill:#fff style D fill:#fff" %} Use the `POST /integrations` endpoint to configure the integration so that Immuta can enforce access controls on tables registered as Immuta data sources. See a section below for a sample request and details about configuring your integration. ### Amazon Redshift Spectrum example ```bash curl -X 'POST' \ 'https://www.organization.immuta.com/integrations/scripts/create' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Redshift", "autoBootstrap": false, "config": { "host": "organization.aws.amazon.com", "database": "immuta", "impersonation": { "enabled": false }, "authenticationType": "userPassword", "username": "taylor@redshift.com", "password": "abc1234" } }' ``` Replace the values in the request with your Immuta URL and [API key or bearer token](#authenticate-with-the-api), and change the `config` values to your own, where * **host** is the URL of your Redshift account. * **database** is the name of the [existing or new database](https://documentation.immuta.com/saas/developer-guides/api-intro/how-to-guides/configure-an-amazon-redshift-spectrum-integration#setup-the-immuta-database) that the Immuta system user will manage and store metadata in. * **authenticationType** is the type of authentication to use when connecting to Redshift. * **username** and **password** are the credentials for the system account that can act on Redshift objects and configure the integration. You must manually [run the bootstrap script](https://documentation.immuta.com/saas/developer-guides/api-intro/how-to-guides/configure-an-amazon-redshift-spectrum-integration#manual-setup) returned in the response in your Redshift environment yourself before completing the configuration. See the [Configure an Amazon Redshift Spectrum integration guide](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/configure-an-amazon-redshift-spectrum-integration) for instructions on completing the setup or for more examples. For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/reference-guides/integration-configuration-payload). ### Amazon S3 example {% hint style="info" %} **Private preview**: This integration is available to select accounts. Contact your Immuta representative for details. {% endhint %} ```bash curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Native S3", "autoBootstrap": false, "config": { "name": "S3 integration", "awsAccountId": "123456789", "awsRegion": "us-east-1", "awsLocationRole": "arn:aws:iam::123456789:role/access-grants-instance-role", "awsLocationPath": "s3://", "authenticationType": "accessKey", "awsAccessKeyId": "123456789", "awsSecretAccessKey": "123456789" } }' ``` 1. [Set up an Access Grants instance and IAM roles](https://documentation.immuta.com/saas/developer-guides/api-intro/how-to-guides/s3-api#set-up-s3-access-grants-instance-and-iam-roles). 2. Copy the request example. 3. Replace the values in the request with your Immuta URL and [API key or bearer token](#authenticate-with-the-api). 4. Change the `config` values to your own, where * **name** is the name for the integration that is unique across all Amazon S3 integrations configured in Immuta. * **awsAccountId** is the ID of your AWS account. * **awsRegion** is the account's AWS region (such as `us-east-1`). * **awsLocationRole** is the AWS IAM role ARN assigned to the base access grants location. This is the role the AWS Access Grants service assumes to vend credentials to the grantee. * **awsLocationPath** is the base S3 location prefix that Immuta will use for this connection when registering S3 data sources. This path must be unique across all S3 integrations configured in Immuta. * **awsAccessKeyId** is the AWS access key ID of the AWS account configuring the integration. * **awsSecretAccessKey** is the AWS secret access key of the AWS account configuring the integration. ### Azure Synapse Analytics example ```bash curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Azure Synapse Analytics", "autoBootstrap": true, "config": { "host": "organization.azure.com", "schema": "immuta", "database": "sample_database", "username": "taylor@synapse.com", "password": "abc1234", "authenticationType": "userPassword" } }' ``` Replace the values in the request with your Immuta URL and [API key or bearer token](#authenticate-with-the-api), and change the `config` values to your own, where * **host** is the URL of your Azure Synapse Analytics account. * **schema** is the name of the Immuta-managed schema where all your secure views will be created and stored. * **database** is the name of an existing database where the Immuta system user will store all Immuta-generated schemas and views. * **username** and **password** are the username and password of the system account that can act on Azure Synapse Analytics objects and configure the integration. The example sets `autoBootstrap` to `true`, which grants Immuta one-time access to credentials to configure the resources in your Azure Synapse Analytics environment for you. If you set `autoBootstrap` to `false`, you must manually [run the bootstrap script](https://documentation.immuta.com/saas/developer-guides/api-intro/how-to-guides/synapse-api#manual-setup) in your Azure Synapse Analytics environment yourself before making the request. For more configuration examples, see the [Configure an Azure Synapse Analytics integration guide](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/synapse-api). For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/reference-guides/integration-configuration-payload). ### Google BigQuery example {% hint style="info" %} **Private preview**: This integration is available to all accounts. {% endhint %} ```bash curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Google BigQuery", "autoBootstrap": false, "config": { "role": "immuta", "datasetSuffix": "_secureView", "dataset": "immuta", "location": "us-east-1", "credential": "{\"type\":\"service_account\",\"project_id\":\"innate-conquest-123456\",\"private_key_id\":\"9163c12345690924f5dd218ff39\",\"private_key\":\"-----BEGIN PRIVATE KEY-----\nXXXXXXXro0s\n/yQlPQijowkccmrmWJyr93kdLnwJzBvLHCto/+W\ncvF2ygX9oM/dyUK//z//4nptMp+Ck//Yw3D4rIBwGu4DWiR1qRnf\nDoGyXfThPTQ==\n-----END PRIVATE KEY-----\n\",\"client_email\":\"service-account-id@innate-conquest-123456.iam.gserviceaccount.com\",\"client_id\":\"1166290***432952487857\",\"auth_uri\":\"https://accounts.google.com/o/oauth2/auth\",\"token_uri\":\"https://oauth2.googleapis.com/token\",\"auth_provider_x509_cert_url\":\"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\":\"https://www.googleapis.com/robot/v1/metadata/x509/service-account-id%40innate-conquest-123456.iam.gserviceaccount.com\",\"universe_domain\":\"googleapis.com\"}" } }' ``` 1. [Create a Google Cloud service account and role](https://documentation.immuta.com/saas/configuration/integrations/google-bigquery#google-cloud-service-account-and-role-used-by-immuta-to-connect-to-google-bigquery) by either using the Google Cloud console or the provided Immuta script. 2. Copy the request example. The example uses JSON format, but the request also accepts YAML. 3. Replace the **Immuta URL** and [**API key**](#authenticate-with-the-api) with your own. 4. Change the **config** values to your own, where * **role** is the Google Cloud role used to connect to Google BigQuery. * **datasetSuffix** is the suffix to postfix to the name of each dataset created to store secure views. This string must start with an underscore. * **dataset** is the name of the BigQuery dataset to provision inside of the project for Immuta metadata storage. * **location** is the dataset's location, which can be any valid GCP location (such as `us-east-1`). * **credential** is the Google BigQuery service account JSON keyfile credential content. See the [Google documentation](https://developers.google.com/workspace/guides/create-credentials#create_credentials_for_a_service_account) for guidance on generating and downloading this keyfile. For more configuration examples, see the [Configure a Google BigQuery integration](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/bigquery-api) guide. For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/reference-guides/integration-configuration-payload). ### Snowflake example ```bash curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Snowflake", "autoBootstrap": true, "config": { "host": "organization.us-east-1.snowflakecomputing.com", "warehouse": "SAMPLE_WAREHOUSE", "database": "SNOWFLAKE_SAMPLE_DATA", "authenticationType": "userPassword", "username": "taylor@snowflake.com", "password": "abc1234", "role": "ACCOUNTADMIN" } }' ``` Replace the values in the request with your **Immuta URL** and [**API key or bearer token**](#authenticate-with-the-api), and change the **config** values to your own, where * **host** is the URL of your Snowflake account. * **warehouse** is the default pool of Snowflake compute resources the Immuta system user will use to run queries and perform other Snowflake operations. * **database** is the name of a new empty database that the Immuta system user will manage and store metadata in. * **authenticationType** is the type of authentication to use when connecting to Snowflake. * **username** and **password** are credentials of a Snowflake account attached to a role with [these privileges](https://documentation.immuta.com/saas/developer-guides/api-intro/how-to-guides/snowflake-api#requirements). These credentials are not stored; they are used by Immuta to configure the integration. * **role** is a Snowflake role that has been granted [these privileges](https://documentation.immuta.com/saas/developer-guides/api-intro/how-to-guides/snowflake-api#requirements). The example sets `autoBootstrap` to `true`, which grants Immuta one-time access to credentials to configure the resources in your Snowflake environment for you. If you set `autoBootstrap` to `false`, you must manually [run the bootstrap script](https://documentation.immuta.com/saas/developer-guides/api-intro/how-to-guides/snowflake-api#manual-setup) in your Snowflake environment yourself before making the request. For more configuration examples, see the [Configure a Snowflake integration guide](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/snowflake-api). For information about the configuration payload, see the [Integration payload reference guide](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/reference-guides/integration-configuration-payload). ### Starburst (Trino) example 1. Replace the values in the request with your **Immuta URL** and [**API key or bearer token**](#authenticate-with-the-api). ```bash curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Trino" }' ``` 2. Navigate to the Immuta :gear: **App Settings** page and click the **Integrations** tab. 3. Click your enabled **Starburst (Trino)** integration and copy the configuration snippet displayed. 4. Follow the steps in the configure the Immuta system access control plugin in [Starburst](https://documentation.immuta.com/saas/configuration/integrations/starburst-trino/how-to-guides/configure#id-2-configure-the-immuta-system-access-control-plugin-in-starburst) or [Trino](https://documentation.immuta.com/saas/configuration/integrations/starburst-trino/how-to-guides/configure#id-2-configure-the-immuta-system-access-control-plugin-in-trino) section to add the configuration in the appropriate `immuta-access-control.properties` file to finish configuring your cluster. ## Protect your data {% @mermaid/diagram content="graph LR B(Connect data platform) --> C(Protect data) --> D(Register metadata); style B fill:#fff style C fill:#2F6BA7,color:#fff style D fill:#fff" %} Map usernames and create policies before you register your metadata to ensure that policies are enforced on tables and views immediately. 1. [Map usernames](https://documentation.immuta.com/saas/configuration/people/users-index/how-to-guides/external-user-mapping) to Immuta to ensure Immuta properly enforces policies and audits user queries. 2. Build global policies in Immuta to enforce access controls: * [Create policies via the API](https://documentation.immuta.com/saas/developer-guides/api-intro/immuta-v1-api/manage-data-access/policy) * [Create subscription policies in the UI](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/section-contents/how-to-guides/subscription-policy-tutorial) * [Create data policies in the UI](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/how-to-guides/data-policy-tutorial) ## Register metadata {% @mermaid/diagram content="graph LR B(Connect data platform) --> C(Protect data) --> D(Register metadata); style B fill:#fff style C fill:#fff style D fill:#2F6BA7,color:#fff" %} Register your metadata using the API or Immuta UI: * API how-to guides * [Amazon Redshift Spectrum](https://documentation.immuta.com/saas/configuration/integrations/data-and-integrations/registering-metadata/register-data-sources/redshift-tutorial) * [Amazon S3](https://documentation.immuta.com/saas/developer-guides/api-intro/how-to-guides/s3-api#create-a-data-source) * [Azure Synapse Analytics](https://documentation.immuta.com/saas/developer-guides/api-intro/immuta-v1-api/connect-your-data/asa) * [Snowflake](https://documentation.immuta.com/saas/developer-guides/api-intro/immuta-v1-api/connect-your-data/snowflake) * [Starburst (Trino)](https://documentation.immuta.com/saas/developer-guides/api-intro/immuta-v1-api/connect-your-data/trino) * UI how-to guides: * [Amazon S3](https://documentation.immuta.com/saas/configuration/integrations/data-and-integrations/registering-metadata/register-data-sources/s3-tutorial) * [Azure Synapse Analytics](https://documentation.immuta.com/saas/configuration/integrations/data-and-integrations/registering-metadata/register-data-sources/synapse-tutorial) * [Google BigQuery](https://documentation.immuta.com/saas/configuration/integrations/data-and-integrations/registering-metadata/register-data-sources/bigquery-tutorial) * [Snowflake](https://documentation.immuta.com/saas/configuration/integrations/data-and-integrations/registering-metadata/register-data-sources/snowflake-tutorial) * [Starburst (Trino)](https://documentation.immuta.com/saas/configuration/integrations/data-and-integrations/registering-metadata/register-data-sources/trino-tutorial) ## Additional resources ### How-to guides See the following how-to guides for configuration examples and steps for creating, managing, or disabling your integration: * [Amazon Redshift Spectrum integration API reference](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/configure-an-amazon-redshift-spectrum-integration) * [Amazon S3 integration API reference](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/s3-api) * [Azure Synapse Analytics integration API reference](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/synapse-api) * [Google BigQuery integration API reference](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/bigquery-api) * [Snowflake integration API reference](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/snowflake-api) * [Starburst (Trino) integration API reference](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/how-to-guides/trino-api) ### Reference guides See the following reference guides for information about the integrations API endpoints, payloads, and responses: * [Integrations API endpoints](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/reference-guides/integrations-api) * [Integrations API payloads](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/reference-guides/integration-configuration-payload) * [Integrations API response schema](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/reference-guides/response-schema) * [HTTP status codes and error messages](https://documentation.immuta.com/saas/developer-guides/api-intro/integrations-api/reference-guides/status-codes)