Add a Wiz Service Account
Note
You must create a Wiz service account before you can set up the Wiz Connector for Illumio. Machine interfaces need a service account to authenticate with the Wiz API.
Log in to the Wiz application, navigate to Settings > Access Management > Service Accounts, and click Add Service Account.
Name the account and select the Custom Integration (GraphQL API) type of service account.
If you do not want to grant access to all projects, select the projects that you want to limit access to. Note that you cannot change the projects after you have created the service account. To change them, you must create a new service account.
Note
If you create a new service account, you must also edit the Client ID and Client Secret and save the values to a secure location on your machine.
Under API Scopes, grant the following permissions:
read: issues
read: vulnerabilities
read: threat_issues
read: projects
read: reports
create: reports
Click Add Service Account. The dialog box shows the Client ID and Client Secret for the service account. Your application uses this information to request a new API token. Tokens last for 24 hours, and after one expires, your system asks for a new one.
Copy the Client ID and Client Secret to a secure location. Note that this information is displayed only once, so make sure to copy it.
Click Finish.
Note
Note the following recommendations for service accounts:
Restrict service accounts to the minimal permissions possible.
Rotate the Client Secret on a scheduled basis. When you do this, remember to update the value in the Wiz Connector and save the secret in a secure location.
Remove unused service accounts.
Securely store Client IDs and Client Secrets.
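
The recommendations above can be checked against an inventory of service accounts. The following is an added example, not code from Illumio or Wiz: the record schema, the 90-day rotation and 30-day idle thresholds, and the sample accounts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Scopes exactly as listed under "API Scopes" on this page.
PAGE_SCOPES = ["read: issues", "read: vulnerabilities", "read: threat_issues",
               "read: projects", "read: reports", "create: reports"]
MAX_SECRET_AGE = timedelta(days=90)  # assumption: the page only says "scheduled basis"
MAX_IDLE = timedelta(days=30)        # assumption: cut-off for calling an account "unused"

def norm(scope):
    """Compare scopes without regard to spacing or case ("read: issues" == "read:issues")."""
    return scope.replace(" ", "").lower()

ALLOWED = {norm(s) for s in PAGE_SCOPES}

def audit(account, now):
    """Return findings for one service-account record (hypothetical schema)."""
    findings = []
    extra = {norm(s) for s in account["scopes"]} - ALLOWED
    if extra:
        findings.append("excess scopes: " + ", ".join(sorted(extra)))
    if now - account["secret_created"] > MAX_SECRET_AGE:
        findings.append("client secret overdue for rotation")
    last_used = account.get("last_used")
    if last_used is None or now - last_used > MAX_IDLE:
        findings.append("unused account, candidate for removal")
    return findings

# Constructed sample inventory; names, dates and the extra scope are made up.
UTC = timezone.utc
NOW = datetime(2025, 1, 31, tzinfo=UTC)
INVENTORY = [
    {"name": "illumio-connector", "scopes": PAGE_SCOPES,
     "secret_created": datetime(2025, 1, 2, tzinfo=UTC),
     "last_used": datetime(2025, 1, 30, tzinfo=UTC)},
    {"name": "old-integration", "scopes": ["read:issues", "update: example_scope"],
     "secret_created": datetime(2024, 6, 1, tzinfo=UTC),
     "last_used": None},
]

if __name__ == "__main__":
    for acct in INVENTORY:
        for finding in audit(acct, NOW) or ["ok"]:
            print(f'{acct["name"]}: {finding}')
```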