How to enable Snowflake OAuth

Atlan supports Snowflake OAuth-based authentication for Snowflake connections. Once the integration has been completed, Atlan will generate a trusted secure token with Snowflake. This will allow Atlan to authenticate users with Snowflake on their behalf to:

Configure Snowflake OAuth in Atlan

🤓 Who can do this? You will need to be a connection admin in Atlan to complete these steps. You will also need inputs and approval from your Snowflake account administrator.

 

To configure Snowflake OAuth on a Snowflake connection, from Atlan:

  1. From the left menu of any screen, click Assets.
  2. From the Assets page, click the Connector filter, and from the dropdown, click Snowflake.
  3. From the pills below the search bar at the top of the screen, click Connection.
  4. From the list of results, select a Snowflake connection to enable Snowflake OAuth-based authentication.
  5. From the sidebar on the right, next to Connection settings, click Edit.
  6. In the Connection settings dialog:
    • Under Allow query, for Authentication type, click Snowflake OAuth to enforce Snowflake OAuth credentials for querying data:
      1. For Authentication Required, click Copy Code to copy a security authorization code that you will execute in Snowflake.
    • Under Display sample data, for Source preview, click Snowflake OAuth to enforce Snowflake OAuth credentials for viewing sample data:
      • If Snowflake OAuth-based authentication is enabled for querying data, the same connection details will be reused for viewing sample data.
      • If a different authentication method is enabled for querying data, click Copy Code to copy a security authorization code that you will execute in Snowflake.
  7. (Optional) Toggle on "Enable data policies created at source to apply for querying in Atlan" so that any data policies and user permissions defined at source apply to querying data and viewing sample data in Atlan. If toggled on, any existing data policies on the connection in Atlan will be deactivated and creation of new data policies will be disabled.
  8. At the bottom right of the Connection settings dialog, click Update.

💪 Did you know? The refresh token does not expire by default.

Create a security integration in Snowflake

🤓 Who can do this? You will need your Snowflake account administrator to run these commands. You will also need to have an existing Snowflake connection in Atlan.

To create a security integration in Snowflake:

  1. Log in to your Snowflake instance.
  2. From the top right of your Snowflake instance, click the + button, and then from the dropdown, click SQL Worksheet to open a new worksheet.
  3. In the query editor of your Snowflake SQL worksheet, paste the security authorization code you copied in Atlan. See a representative example below:
    CREATE SECURITY INTEGRATION <name>
        TYPE = EXTERNAL_OAUTH
        ENABLED = TRUE
        EXTERNAL_OAUTH_TYPE = OKTA
        EXTERNAL_OAUTH_ISSUER = 'https://<COMPANY>.okta.com/oauth2/<ID>'
        EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://<COMPANY>.okta.com/oauth2/<ID>/v1/keys'
        EXTERNAL_OAUTH_AUDIENCE_LIST = ('<snowflake_account_url>')
        EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
        EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE'
        EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL_ADDRESS';
  4. Run the security integration in Snowflake.
  5. (Optional) To allow the ACCOUNTADMIN, ORGADMIN, or SECURITYADMIN role to query with Snowflake OAuth-based authentication, add and run the following command to set account-level permissions:
    ALTER ACCOUNT SET EXTERNAL_OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST = FALSE;

Your users will now be able to run queries and view sample data using their Snowflake OAuth credentials! 🎉
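
Checks a Snowflake account administrator can run after the steps above, as an added example that is not part of the original article or Atlan's own code. `<name>` is the integration created in step 3, `<access_token>` is a token issued by your identity provider, and `ANALYST_ADMIN` is a hypothetical role name.

```sql
-- Added example. Placeholders: <name>, <access_token>. ANALYST_ADMIN is a hypothetical role.

-- 1. Confirm what was actually created: the issuer, JWS keys URL, audience list,
--    user-mapping claim and mapping attribute should match the code copied from Atlan.
DESCRIBE SECURITY INTEGRATION <name>;

-- 2. Check whether privileged roles are blocked for External OAuth sessions.
--    TRUE (the default) keeps ACCOUNTADMIN, ORGADMIN and SECURITYADMIN out;
--    the optional ALTER ACCOUNT step above sets it to FALSE for the whole account.
SHOW PARAMETERS LIKE 'EXTERNAL_OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST' IN ACCOUNT;

-- 3. EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE' lets a session use roles that are
--    not named in the access token. To keep specific roles out of OAuth
--    sessions for this integration only, add them to its blocked list.
ALTER SECURITY INTEGRATION <name>
    SET EXTERNAL_OAUTH_BLOCKED_ROLES_LIST = ('ANALYST_ADMIN');

-- 4. Validate a token from the identity provider against the integration
--    (issuer, audience, signature, user mapping) before handing it to users.
SELECT SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('<access_token>');

-- 5. Review the last 7 days of logins by authentication factor to see who is
--    signing in with OAuth and which attempts fail.
--    ACCOUNT_USAGE views lag behind real time, so recent logins may be missing.
SELECT user_name,
       first_authentication_factor,
       is_success,
       error_message,
       COUNT(*)             AS logins,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY user_name, first_authentication_factor, is_success, error_message
ORDER BY last_seen DESC;
```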

💪 Did you know? You can refer to troubleshooting connector-specific SSO authentication to troubleshoot any errors.
