The Baton toolkit gives developers the ability to extract, normalize, and interact with workforce identity data such as user accounts, permissions, roles, groups, resources, and more. Through the Baton CLI, developers can audit infrastructure access on-demand, run diffs, and extract access data. This can be used for automating user access reviews, exports into SIEMs, real-time visibility, and many other use cases.

Baton is structured as a toolkit of related command line tools. For each data source there is a "connector", such as baton-github for interacting with GitHub's API. This tool exports data in a format that the baton tool can understand, transform, and use to perform operations on the application

• Announcing Baton, an Open Source Toolkit for Auditing Infrastructure User Access
• Technical Deep Dive: Using Baton to Audit Infrastructure Access
• Baton and the Journey to Identity Security and Unified Access Control

As a generic toolkit for auditing access, Baton can be used for many use cases, such as:

• Export GitHub access updates to a CSV file using Baton
• Use Baton to get Splunk alerts when a new Github admin is added
• Set up a daily check for GitHub user rights updates using Baton
• Diff access rights from two SaaS systems with Baton
• Finding all AWS IAM Users with a specific IAM Role
• Auditing Github Repo Admins
• Finding users in apps that aren't in your IdP
• Detecting differences or changes in permissions in GitHub or AWS
• Discovering all access for an user or account across all SaaS and IaaS systems
• Calculating the effective access of a user based on group membership

These are just a few of the use cases that Baton can be leveraged for.

Baton can installed via Homebrew:

brew install conductorone/baton/baton conductorone/baton/baton-github

Once installed, you can audit GitHub access with the following:

# Run the baton github connector
baton-github 
# Output the resources discovered
baton resources
# Output the same data to JSON and parse it with jq
baton resources -o json | jq '.resources[].resource.displayName'

We have also recorded a short video exploring some of the data Baton can extract from Github:

We're releasing five initial connectors with the open source launch of Baton. The ConductorOne team has dozens of more connectors written in our precursor proprietary project from before Baton, and is aggressively porting them to the Baton ecosystem.

Additionally, making a new connector is really easy -- we wrap up many complexities in the SDK, letting a connector developer focus on translating to the Baton data model.

The Baton documentation site contains more documentation and example use cases.

We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions, and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a Github Issue!

See CONTRIBUTING.md for more details.

baton is a utility for working with the output of a baton-based connector

Usage:
  baton [command]

Available Commands:
  access         List effective access for a user
  completion     Generate the autocompletion script for the specified shell
  diff           Perform a diff between sync runs
  entitlements   List entitlements
  export         Export data from the C1Z for upload
  grants         List grants
  help           Help about any command
  principals     List principals
  resource-types List resource types for the latest (or current) sync
  resources      List resources for the latest sync
  stats          Simple stats about the c1z

Flags:
  -f, --file string            The path to the c1z file to work with. (default "sync.c1z")
  -h, --help                   help for baton
  -o, --output-format string   The format to output results in: (console, json) (default "console")
  -v, --version                version for baton

Use "baton [command] --help" for more information about a command.