config.yaml file and run them together.
Download
Download baton-runner from dist.conductorone.com/C1/baton-runner. Builds are available for Windows (amd64), macOS (amd64 and arm64), and Linux (amd64 and arm64). For step-by-step setup instructions on Windows Server, see Run multiple connectors as a Windows service.Configuration
Baton-runner is configured with a single YAML file. By default it looks forconfig.yaml in the current directory. Use the -c flag to specify a different path:
config.yaml has three top-level keys: log-level, connectors, and secrets.
Real-world example
Here’s what a production config looks like when running multiple config-driven connectors of the same type — in this case, several SQL Server databases and two HTTP API applications, each with its own connector-specific config file:BATON_CONFIG_PATHpoints each connector to its own config file, which is how config-driven connectors likebaton-sqlandbaton-httphandle per-instance settings.BATON_FILEgives each connector a unique output path so sync files don’t overwrite each other.BATON_PROVISIONING: trueenables write-back provisioning for each connector.
Connector options
Secret reference format
Values inconfig.envFrom.secrets use the format secretname:FIELD:
secretname— the name defined in thesecretssection ofconfig.yamlFIELD— the key to retrieve from within that secret
org1:BATON_TOKEN reads the BATON_TOKEN field from the secret named org1.
Secret backends
Baton-runner supports multiple backends for storing connector credentials. You can define one backend perconfig.yaml, and all connectors in that file share it.
Windows Credential Manager (wincred)
Stores credentials in the Windows Credential Manager. Recommended for Windows Server deployments. Thesecrets map associates a connector secret name with its target name in Windows Credential Manager.
wincred set command to load credentials into the store:
org1.yaml is a YAML file containing the connector’s environment variables. See Run multiple connectors as a Windows service for a full walkthrough.
Insecure (YAML files)
Thesecrets map associates a connector secret name with the path to its YAML file.
AWS Secrets Manager
Reads credentials from AWS Secrets Manager. AWS credentials are loaded from the default credential chain (environment variables, shared credentials file, IAM role, and so on) — no AWS credentials are configured inconfig.yaml itself.
The secrets map associates a connector secret name with the path to a YAML pointer file:
HashiCorp Vault
Reads credentials from a HashiCorp Vault KV secrets engine. Both KV v1 and v2 are supported.secrets map associates a connector secret name with the KV path in Vault.
Authentication — specify credentials using one of these options (listed in priority order):
Credential file format:
Log level
Set the log level using thelog-level key in config.yaml or the BATON_LOG_LEVEL environment variable. Valid values: debug, info, warn, error, panic. The default is info.