Snowflake


Register OAuth application in Snowflake

The Snowflake administrator registers an OAuth Application in Snowflake.

The Snowflake administrator adds a redirect_uri for the OAuth application. This redirect is where Snowflake sends the user’s OAuth credentials at the end of the OAuth handshake. It allows Posit Connect to obtain a temporary access token and a refresh token from Snowflake, which are then used to access protected resources on behalf of the user.

Note

Connect currently supports only integrations that target confidential Snowflake OAuth applications. Confidential applications require the client to authenticate with a client secret.

The following example uses Snowflake SQL’s CREATE SECURITY INTEGRATION command to create a new OAuth application:

Note

Replace connect.example.org with the address of the Connect server.

CREATE SECURITY INTEGRATION posit_connect
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  -- Confidential client: Connect must present the client secret
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  -- Must match the Connect callback exactly, including the https scheme
  OAUTH_REDIRECT_URI = 'https://connect.example.org/__oauth__/integrations/callback'
  OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE
  -- Refresh tokens let Connect renew access without re-prompting the user
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

To obtain the client ID and secret, use the following command:

SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS( 'posit_connect' );

The Snowflake administrator notes the client_id and client_secret of the registered OAuth application and shares them with the Posit Connect administrator.

Create OAuth integration in Posit Connect

The Posit Connect administrator creates an OAuth integration through the dashboard’s Integrations settings. Once the OAuth integration has been created in Connect, it is available for use by all publishers.

Create Snowflake OAuth integration.

Alternatively, the example below shows how to create a Snowflake OAuth integration using curl and the Connect Server API.

Note

Replace connect.example.org with the address of the Connect server. Replace https://myorg-account_xyz.snowflakecomputing.com with the Snowflake account URL.

curl -H "Authorization: Key ${CONNECT_API_KEY}" \
  -XPOST https://connect.example.org/__api__/v1/oauth/integrations \
  --data '{
    "template": "snowflake",
    "name": "Snowflake OAuth integration",
    "config": {
      "account_url": "https://myorg-account_xyz.snowflakecomputing.com",
      "client_id": "<snowflake-client-id>",
      "client_secret": "<snowflake-client-secret>"
    }
  }'
# 200 OK
# {"guid": "<oauth-integration-guid>", ... }

Debugging

Certain Snowflake roles are blocked from logging in via OAuth integrations by default. See the Snowflake documentation for details on which roles are included in the BLOCKED_ROLES_LIST. If you test the OAuth integration within Connect as a Snowflake user with one of those roles, the user receives "Invalid consent request." as the response and cannot log in.

If publishers experience problems connecting to Snowflake while using the Snowflake OAuth integration, they should check that the account name passed to the Snowflake client conforms to the format that client expects. For example, Snowflake uses _ when creating and querying account names, but some clients expect - instead, matching the format used in the URL of the Snowflake console (e.g. my_account versus my-account).
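As an added example that is not part of the Posit Connect documentation or of Connect's own code, the following Python script performs the same request as the curl example above with the client secret read from environment variables and masked before anything is logged, and, for the debugging note, derives the account identifier from the account URL in both the underscore form Snowflake uses and the hyphenated form some clients expect. The endpoint path, template name and config keys are taken from the curl example; the environment variable names, the injectable send hook, the constructed fake server response and the snowflakecomputing.com host-suffix check are assumptions made for this example.

```python
"""Added example (not Posit's or Snowflake's code): create a Snowflake OAuth
integration in Posit Connect without putting secrets on the command line, and
derive the account identifier forms a Snowflake client may expect."""
import json
import os
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumption: account URLs end in this suffix (as in the docs example).
SNOWFLAKE_HOST_SUFFIX = ".snowflakecomputing.com"


def account_identifier(account_url: str) -> dict:
    """Validate the account URL and return the identifier in the underscore
    form Snowflake uses and the hyphenated form some clients expect."""
    parts = urlparse(account_url)
    if parts.scheme != "https":
        raise ValueError("account_url must use https")
    host = (parts.hostname or "").lower()
    if not host.endswith(SNOWFLAKE_HOST_SUFFIX):
        raise ValueError(f"unexpected Snowflake host {host!r}")
    ident = host[: -len(SNOWFLAKE_HOST_SUFFIX)]
    return {"snowflake": ident, "hyphenated": ident.replace("_", "-")}


def build_integration_payload(account_url: str, client_id: str,
                              client_secret: str,
                              name: str = "Snowflake OAuth integration") -> dict:
    """Build the JSON body for POST /__api__/v1/oauth/integrations."""
    account_identifier(account_url)  # rejects non-https or foreign hosts
    if not client_id or not client_secret:
        # Connect supports confidential Snowflake OAuth apps only, so both
        # values are mandatory.
        raise ValueError("client_id and client_secret are required")
    return {
        "template": "snowflake",
        "name": name,
        "config": {
            "account_url": account_url,
            "client_id": client_id,
            "client_secret": client_secret,
        },
    }


def redact(payload: dict) -> dict:
    """Deep copy of the payload that is safe to log: secret is masked."""
    safe = json.loads(json.dumps(payload))
    safe["config"]["client_secret"] = "***"
    return safe


def create_integration(connect_url: str, api_key: str, payload: dict,
                       send=None) -> str:
    """POST the payload to Connect and return the new integration's guid.
    `send` (assumed hook) takes a Request and returns (status, body bytes);
    it exists so the flow can be exercised offline."""
    req = Request(
        connect_url.rstrip("/") + "/__api__/v1/oauth/integrations",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Key {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    if send is None:
        def send(r):
            try:
                with urlopen(r) as resp:
                    return resp.status, resp.read()
            except HTTPError as err:  # surface 4xx/5xx as status + body
                return err.code, err.read()
    status, body = send(req)
    if status != 200:
        # Log the redacted payload, never the real one.
        raise RuntimeError(
            f"Connect returned HTTP {status} for {redact(payload)}: {body[:200]!r}")
    return json.loads(body)["guid"]


def fake_send(req: Request):
    """Constructed stand-in for the Connect server (offline use only)."""
    if not req.get_header("Authorization", "").startswith("Key "):
        return 401, b'{"error": "missing API key"}'
    return 200, b'{"guid": "00000000-0000-0000-0000-000000000000"}'


if __name__ == "__main__":
    # Assumed environment variable names; secrets never appear in argv.
    payload = build_integration_payload(
        os.environ["SNOWFLAKE_ACCOUNT_URL"],
        os.environ["SNOWFLAKE_CLIENT_ID"],
        os.environ["SNOWFLAKE_CLIENT_SECRET"],
    )
    print("creating integration:", redact(payload))
    print("account identifier forms:",
          account_identifier(payload["config"]["account_url"]))
    print("guid:", create_integration(os.environ["CONNECT_SERVER"],
                                      os.environ["CONNECT_API_KEY"], payload))
```

Run with CONNECT_SERVER, CONNECT_API_KEY, SNOWFLAKE_ACCOUNT_URL, SNOWFLAKE_CLIENT_ID and SNOWFLAKE_CLIENT_SECRET set; the hyphenated identifier printed alongside the guid is the form to try if a publisher's Snowflake client rejects the underscore form.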