> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Harness connector

> C1 provides identity governance for Harness. Integrate your Harness instance with C1 for unified visibility and governance over user access.

## Capabilities

| Resource         | Sync                                                          | Provision |
| ---------------- | ------------------------------------------------------------- | --------- |
| Users            | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Service accounts | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| User groups      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Roles            | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Resource groups  | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |

## Gather Harness credentials

<Warning>
  Use a Harness service account API key token with account-scope read access to
  the RBAC surface. A personal API key token also works, but C1 recommends a
  dedicated service account for connector sync.
</Warning>

<Steps>
  <Step>
    In Harness, create or select the service account that C1 will use.
  </Step>

  <Step>
    Assign role bindings and resource groups that grant
    `core_user_view`, `core_usergroup_view`, `core_serviceaccount_view`,
    `core_role_view`, `core_resourcegroup_view`, and
    `core_authsetting_view`.
  </Step>

  <Step>
    Create an API key and token for that service account.
  </Step>

  <Step>
    Copy the token. Harness shows token values only at creation time.
  </Step>

  <Step>
    Copy the Harness account identifier from the Harness UI URL.
  </Step>

  <Step>
    Copy the Harness API base URL if you do not use Harness SaaS.
  </Step>
</Steps>

## Configuration fields

| Field        | Required | Description                                                                  |
| ------------ | -------- | ---------------------------------------------------------------------------- |
| `base-url`   | No       | Harness NextGen API base URL. Defaults to `https://app.harness.io` for SaaS. |
| `api-key`    | Yes      | Harness API key token sent as `x-api-key` on each request.                   |
| `account-id` | Yes      | Harness account identifier sent as `accountIdentifier` on API calls.         |

## Synced resource types

* **Users**: Harness account users.
* **Service accounts**: Harness service accounts.
* **User groups**: user groups and group membership grants.
* **Roles**: Harness roles and role assignment grants.
* **Resource groups**: Harness resource groups used by role assignments.

## Special notes

* The connector targets the Harness NextGen platform API.
* Harness SaaS uses `https://app.harness.io`. The connector authenticates with
  the Harness NextGen `x-api-key` header.
* Role assignment grants can point to users, service accounts, or user groups.
* Disabled role assignments are not emitted as grants.

## Configure the Harness connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Harness** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Harness connector.
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Paste the Harness settings into the relevant fields:

        * **Base URL**: Optional Harness API base URL.
        * **API key**: Harness API key.
        * **Account identifier**: Harness account identifier.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by
        **Connected**. You can view the logs to ensure that information is
        syncing.
      </Step>
    </Steps>

    **Done.** Your Harness connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to run the Harness connector in your own
    environment.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Harness connector, set the owner, and
        click **Next**.
      </Step>

      <Step>
        In the **Settings** area, click **Edit**, then click **Rotate** to
        generate a new Client ID and Client Secret. Store these values
        securely for your deployment.
      </Step>

      <Step>
        Configure C1 credentials and Harness settings as environment variables:

        ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
        BATON_CLIENT_ID=<C1 client ID>
        BATON_CLIENT_SECRET=<C1 client secret>
        BATON_HOST_ID=baton-harness
        BATON_BASE_URL=https://app.harness.io
        BATON_API_KEY=<Harness API key>
        BATON_ACCOUNT_ID=<Harness account identifier>
        ```
      </Step>

      <Step>
        Deploy the connector using the Public ECR image:

        ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
        public.ecr.aws/conductorone/baton-harness:<version>
        ```

        Use a version tag without the leading `v`, such as `0.0.3`.
      </Step>
    </Steps>

    **Done.** Your Harness connector is now pulling access data into C1.
  </Tab>
</Tabs>