/
How to configure Snowflake's external OAuth

How to configure Snowflake's external OAuth

Depending on the OAuth authorization provider, follow one of the points.

Microsoft Entra ID (Azure Active Directory)

We recommend following Snowflake’s documentation here:

OAuth 2.0 Client Credentials Grant to Snowflake with Entra

After creating the resource and client on Azure, you can use the following commands for testing:

  1. Generate a token with the CURL command

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \ --data-urlencode "client_id=<Client_ID>" \ --data-urlencode "client_secret=<Client_Secret>" \ --data-urlencode "grant_type=client_credentials" \ --data-urlencode "scope=<Scope>/.default" \ '<Token_Endpoint>'

    1. Postman can also be used to test the token retrieval:

    2. These steps are to help you get the mapping claims and validate that you can get a valid token from Entra.

  2. Take the generated token and decode it with, for example, JTW.IO

  3. When you decode the token, see which field (e.g. <token_field>) will be mapped to the column of the user inside Snowflake (e.g. <snowflake_user_filed>)

    1. As Write-Back is authenticating as a client, not a user, this is typically the “sub” field in the token.

    2. NOTE: You can detect the Snowflake user field by executing the SHOW USERS command inside snowflake

  4. Create security integration by executing this command inside Snowflake

    create security integration external_oauth_azure_2 type = external_oauth enabled = true external_oauth_type = azure external_oauth_issuer = '<AZURE_AD_ISSUER>' external_oauth_jws_keys_url = '<AZURE_AD_JWS_KEY_ENDPOINT>' external_oauth_audience_list = ('<SNOWFLAKE_APPLICATION_ID_URI>') external_oauth_token_user_mapping_claim = <token_field> (usually: sub) external_oauth_snowflake_user_mapping_attribute = <snowflake_user_filed>; (common attribute: login_name)

  5. Create a user inside the Snowflake that also exists in Azure

    1. This corresponds to “Step 6: Create a system user (for the client) in Snowflake” in the documentation linked above.

    2. NOTE: The user should have assigned the default role (inside the Snowflake with command ALTER USER <user> SET DEFAULT ROLE <role>) and the role that has access (GRANT for all privileges) over the warehouse, database and schema that is using.

 

 

 

OKTA

  1. Create an OAuth compatible client to use with Snowflake

  2. Create an OAuth authorization server

    1. NOTE: Also follow “complete the following steps for the newly added Authorization Server

  3. Collect Okta information

  4. Generate token with curl command

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \ --user <OAUTH_CLIENT_ID>:<OAUTH_CLIENT_SECRET> \ --data-urlencode "username=<OKTA_USER_USERNAME>" \ --data-urlencode "password=<OKTA_USER_PASSWORD>" \ --data-urlencode "grant_type=password" \ --data-urlencode "scope=<created_scope>" \ <OKTA_OAUTH_TOKEN_ENDPOINT>

  5. Take the generated token and decode it with for example JTW.IO

    1. When you decode the token see which field (e.g. <token_field>) will be mapped to the column of the user inside Snowflake (e.g. <snowflake_user_filed>)

      1. NOTE: You can detect the Snowflake user field by executing the SHOW USERS command inside Snowflake

  6. Create security integration executing this command inside Snowflake

    create security integration external_oauth_okta_2 type = external_oauth enabled = true external_oauth_type = okta external_oauth_issuer = '<OKTA_ISSUER>' external_oauth_jws_keys_url = '<OKTA_JWS_KEY_ENDPOINT>' external_oauth_audience_list = ('<snowflake_account_url') external_oauth_token_user_mapping_claim = 'sub' external_oauth_snowflake_user_mapping_attribute = 'login_name';

  7. Create a user inside the Snowflake that also exists in Okta

    1. NOTE: The user should have assigned the default role (inside the Snowflake with the command ALTER USER <user> SET DEFAULT ROLE <role>) and the role that has access (GRANT for all privileges) over the warehouse, database and schema that is using.

After the user sets up all the above steps, in the Write-Back Manager, the user needs to set up the credentials needed for fetching the access token from the Azure AD/Okta that is valid inside Snowflake.

To achieve that under the Configure site → Data Storage, select the site you want to configure with this authentication. Select Snowflake database, and for Authentication Type select “Oauth authentication”. Enter all the credentials needed, add the JDBC Driver and that’s it.