This is an example Python script to provision users to Snyk organizations using the Snyk API. This script supports provisioning individual users or bulk provisioning from CSV/JSON files.
- Python 3.6 or higher
- Snyk API token with organization provisioning permissions
- Snyk organization ID
- The inviting user must have "Provision Users" permission
- SSO must be configured for the Snyk Group (if using SSO)
- Clone or download this repository
- Install dependencies:

```bash
pip install -r requirements.txt
```

```bash
python provision_user_to_snyk.py \
  --token YOUR_TOKEN \
  --org-id ORG_ID \
  --group-id GROUP_ID \
  --email [email protected] \
  --role-public-id role-abc-123
```

```bash
python provision_user_to_snyk.py \
  --token YOUR_TOKEN \
  --group-id GROUP_ID \
  --org-id ORG_ID \
  --file users.csv
```

```bash
python provision_user_to_snyk.py \
  --token YOUR_TOKEN \
  --org-id ORG_ID \
  --group-id GROUP_ID \
  --file users.json
```

- Snyk Token: Generate from Snyk Account Settings → API Token
  - Must be a personal token (not service account token)
  - Must have "Provision Users" permission
- Organization ID: Found in Snyk UI or via API
- Region: Your Snyk region (default: SNYK-US-01)

| Argument | Required | Description | Default |
|---|---|---|---|
| `--token` | Yes\* | Snyk API token | `SNYK_TOKEN` env var |
| `--org-id` | Yes | Snyk organization ID | - |
| `--group-id` | Yes\*\*\*\* | Snyk group ID (required for fallback workflow) | - |
| `--email` | Yes\*\* | User email address (for single user) | - |
| `--file` | Yes\*\* | Path to CSV or JSON file (for bulk) | - |
| `--role-public-id` | Yes\*\*\* | ID of the role to grant this user | None |
| `--region` | No | Snyk region | SNYK-US-01 |
| `--version` | No | API version | 2025-11-05 |
| `--output` | No | Output file path for JSON results | None |
| `--verbose` | No | Include detailed DEBUG logs in log file | False |

\* `--token` is required if `SNYK_TOKEN` or `PERSONAL_SNYK_TOKEN` environment variable is not set.

\*\* Either `--email` or `--file` must be provided, but not both.

\*\*\* `--role-public-id` is required when using `--email` for single user provisioning. Optional when using `--file` if all users in the file have `role_public_id` specified.

\*\*\*\* `--group-id` is required when users already exist in the platform (for the fallback workflow). It's recommended to always provide this parameter to handle both new and existing users.

Regions:

- `SNYK-US-01` (default) - US East
- `SNYK-US-02` - US West
- `SNYK-EU-01` - Europe
- `SNYK-AU-01` - Australia

The script uses role public IDs to assign roles to users. You can find role public IDs in your Snyk organization settings or via the Snyk API. Role public IDs are unique identifiers for each role in your organization.
Create a CSV file with the following columns:

```csv
email,role_public_id
[email protected],role-abc-123
[email protected],role-def-456
[email protected],role-abc-123
```

Note: `role_public_id` is required for each user. If you want to use a default role for users without a specified role, use the `--role-public-id` command line argument.

Create a JSON file with an array of user objects:

```json
[
  {
    "email": "[email protected]",
    "role_public_id": "12345678-1234-1234-1234-123456789012"
  },
  {
    "email": "[email protected]",
    "role_public_id": "12345678-1234-1234-1234-123456789012"
  },
  {
    "email": "[email protected]",
    "role_public_id": "12345678-1234-1234-1234-123456789012"
  }
]
```

Note: `role_public_id` is required for each user. If you want to use a default role for users without a specified role, use the `--role-public-id` command line argument.

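
A pre-flight check for the bulk files described above, added here as an example and not part of this repository's script: it parses either layout, applies a default role the way `--role-public-id` is described, and reports rows that should not be sent to the API. The `allowed_roles` allowlist, the function names and the sample rows are assumptions made for illustration.

```python
import csv
import json
import re

# Loose shape check only; not full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def load_rows(text, fmt):
    """Parse the CSV or JSON layout shown above into a list of rows."""
    if fmt == "csv":
        return list(csv.DictReader(text.splitlines()))
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("JSON input must be an array of user objects")
    return data


def preflight(text, fmt, default_role=None, allowed_roles=None):
    """Return (users, problems); default_role mirrors --role-public-id."""
    # allowed_roles is a hypothetical allowlist, not a feature of the script.
    users, problems, seen = [], [], set()
    for n, row in enumerate(load_rows(text, fmt), start=1):
        if not isinstance(row, dict):
            problems.append((n, "entry is not an object"))
            continue
        email = str(row.get("email") or "").strip().lower()
        role = str(row.get("role_public_id") or "").strip() or default_role
        if not EMAIL_RE.match(email):
            problems.append((n, f"invalid email: {email!r}"))
        elif email in seen:
            problems.append((n, f"duplicate email: {email}"))
        elif not role:
            problems.append((n, f"no role for {email} and no default given"))
        elif allowed_roles is not None and role not in allowed_roles:
            problems.append((n, f"role {role} not allowed for {email}"))
        else:
            seen.add(email)
            users.append({"email": email, "role_public_id": role})
    return users, problems


# Constructed sample input; addresses and role IDs are made up.
SAMPLE_CSV = """email,role_public_id
alice@example.com,role-abc-123
bob@example.com,
ALICE@example.com,role-def-456
carol@example.com,role-xyz-999
"""
```

Calling `preflight(SAMPLE_CSV, "csv", default_role="role-abc-123", allowed_roles={"role-abc-123", "role-def-456"})` accepts the first two rows and flags the case-insensitive duplicate and the unlisted role, so a bulk run can be stopped before any membership is changed.
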
The script provides a formatted summary showing:
- Total users processed
- Successfully provisioned users
- Failed provisions with error details
- Any errors encountered

Log files:

- Stored in `logs/` directory
- Timestamped filenames (e.g., `provision_20241201_143022.log`)
- Detailed information about all API operations
- Error details and troubleshooting information

If --output is specified, results are saved as JSON with the following structure:

```json
{
  "provisioned": [
    {
      "success": true,
      "email": "[email protected]",
      "org_id": "org-123",
      "result": {
        "email": "[email protected]",
        "rolePublicId": "role-abc-123",
        "created": "2025-12-04T00:00:24Z"
      }
    }
  ],
  "failed": [
    {
      "success": false,
      "email": "[email protected]",
      "org_id": "org-123",
      "error": "User already exists",
      "status_code": 409
    }
  ],
  "skipped": [],
  "errors": []
}
```

Exit codes:

- `0` - Success (all users provisioned successfully)
- `1` - Error (one or more users failed to provision or error occurred)
- `130` - Interrupted by user (Ctrl+C)

```bash
python provision_user_to_snyk.py \
  --token "abc123-def456-ghi789" \
  --org-id "org-12345" \
  --group-id "group-12345" \
  --email "[email protected]" \
  --role-public-id "role-abc-123"
```

```bash
python provision_user_to_snyk.py \
  --token "abc123-def456-ghi789" \
  --org-id "org-12345" \
  --group-id "group-12345" \
  --file "users.csv"
```

```bash
python provision_user_to_snyk.py \
  --token "abc123-def456-ghi789" \
  --org-id "org-67890" \
  --group-id "group-67890" \
  --file "users.json" \
  --region "SNYK-EU-01" \
  --output "provisioning_results.json"
```

```bash
export SNYK_TOKEN="your-token-here"
python provision_user_to_snyk.py \
  --org-id "org-12345" \
  --group-id "group-12345" \
  --email "[email protected]" \
  --role-public-id "role-abc-123"
```

```bash
python provision_user_to_snyk.py \
  --token "abc123-def456-ghi789" \
  --org-id "org-12345" \
  --group-id "group-12345" \
  --file "users.csv" \
  --role-public-id "role-abc-123"
```

- User Must Not Exist: The user being provisioned must not already exist in the Snyk system
- Personal Token Required: The API must be called using a personal token (not a service account token)
- SSO Configuration: The Snyk Group must have Single Sign-On (SSO) configured
- SSO Login: Both the inviting user and the provisioned user must log in using SSO
- Permissions: The inviting user must have the "Provision Users" permission
The script handles common errors:
- 409 Conflict: User already exists
- 401 Unauthorized: Invalid token or insufficient permissions
- 404 Not Found: Organization not found
- 429 Rate Limited: Automatically retries after waiting
- 500+ Server Errors: Retries with exponential backoff
- Token Security: Never commit API tokens to version control
- Permissions: Use tokens with minimal necessary permissions
- Audit Trail: All operations are logged for audit purposes
- Read/Write Operations: This script modifies Snyk organization memberships

```
provision_user_to_snyk.py   # Main script
README.md                   # This documentation
requirements.txt            # Python dependencies
logs/                       # Log files directory (created automatically)
```

- "User already exists" error
  - The user is already in the Snyk system
  - Check if the user needs to be invited instead of provisioned
- "Insufficient permissions" error
  - Verify your token has "Provision Users" permission
  - Ensure you're using a personal token, not a service account token
- "Organization not found" error
  - Verify the organization ID is correct
  - Ensure your token has access to the organization
- Rate limiting
  - The script automatically handles rate limiting
  - If issues persist, add delays between requests

This project is licensed under the Apache License 2.0.
The authors are not responsible for any unintended consequences from using this script. Always test thoroughly and ensure proper permissions before running in production environments.