Skip to main content
Baton-runner runs multiple Baton connectors from a single process. Instead of managing each connector individually, you define all your connectors and their credentials in one config.yaml file and run them together.

Download

Download baton-runner from dist.conductorone.com/C1/baton-runner. Builds are available for Windows (amd64), macOS (amd64 and arm64), and Linux (amd64 and arm64). For step-by-step setup instructions on Windows Server, see Run multiple connectors as a Windows service.

Configuration

Baton-runner is configured with a single YAML file. By default it looks for config.yaml in the current directory. Use the -c flag to specify a different path:
A config.yaml has three top-level keys: log-level, connectors, and secrets.

Real-world example

Here’s what a production config looks like when running multiple config-driven connectors of the same type — in this case, several SQL Server databases and two HTTP API applications, each with its own connector-specific config file:
A few patterns to note:
  • BATON_CONFIG_PATH points each connector to its own config file, which is how config-driven connectors like baton-sql and baton-http handle per-instance settings.
  • BATON_FILE gives each connector a unique output path so sync files don’t overwrite each other.
  • BATON_PROVISIONING: true enables write-back provisioning for each connector.

Connector options

Secret reference format

Values in config.envFrom.secrets use the format secretname:FIELD:
  • secretname — the name defined in the secrets section of config.yaml
  • FIELD — the key to retrieve from within that secret
For example, org1:BATON_TOKEN reads the BATON_TOKEN field from the secret named org1.

Secret backends

Baton-runner supports multiple backends for storing connector credentials. You can define one backend per config.yaml, and all connectors in that file share it.

Windows Credential Manager (wincred)

Stores credentials in the Windows Credential Manager. Recommended for Windows Server deployments. The secrets map associates a connector secret name with its target name in Windows Credential Manager.
Use the wincred set command to load credentials into the store:
Where org1.yaml is a YAML file containing the connector’s environment variables. See Run multiple connectors as a Windows service for a full walkthrough.

Insecure (YAML files)

The insecure backend stores credentials in plaintext YAML files on disk. Use it for local development and testing only — not in production.
The secrets map associates a connector secret name with the path to its YAML file.
Each YAML file contains the connector’s environment variables as key-value pairs:

AWS Secrets Manager

Reads credentials from AWS Secrets Manager. AWS credentials are loaded from the default credential chain (environment variables, shared credentials file, IAM role, and so on) — no AWS credentials are configured in config.yaml itself. The secrets map associates a connector secret name with the path to a YAML pointer file:
Each pointer file specifies the AWS secret name and region:
The secret value stored in AWS Secrets Manager must be a JSON or YAML string containing the connector’s environment variables as key-value pairs.

HashiCorp Vault

Reads credentials from a HashiCorp Vault KV secrets engine. Both KV v1 and v2 are supported.
The secrets map associates a connector secret name with the KV path in Vault. Authentication — specify credentials using one of these options (listed in priority order): Credential file format:

Log level

Set the log level using the log-level key in config.yaml or the BATON_LOG_LEVEL environment variable. Valid values: debug, info, warn, error, panic. The default is info.