
...

Configure the Portal to integrate with your Snowflake deployment using OAuth 2.0 to authenticate.

...

  1. Login to the Snowflake console as an account admin.
  2. Click Worksheets.
  3. For your role, select ACCOUNTADMIN.
  4. Paste the following command in the worksheet and modify its parameters:

    CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]
             <NAME>
             TYPE = OAUTH
             OAUTH_CLIENT = CUSTOM
             OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
             OAUTH_REDIRECT_URI = '<URI>'
             ENABLED = TRUE
             OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE
             [ PRE_AUTHORIZED_ROLES_LIST = ( '<role_name_1>' [ , '<role_name_2>' , ... ] ) ]
             [ BLOCKED_ROLES_LIST = ( '<role_name_3>' [ , '<role_name_4>' , ... ] ) ]
             OAUTH_ISSUE_REFRESH_TOKENS = TRUE
             OAUTH_REFRESH_TOKEN_VALIDITY = 7776000   -- 90 days, in seconds
             [ NETWORK_POLICY = '<network_policy>' ]
             [ COMMENT = '<Description of your Integration>' ]

    Parameter                  Description
    <NAME>                     Name of the integration. Example: OAuth 2.0 Client
    <URI>                      Callback URI of the platform: https://cloud.trifacta.com/oauth2/<deployment-url>callback
    PRE_AUTHORIZED_ROLES_LIST  A comma-separated list of Snowflake roles that do not need user consent when accessing Snowflake. The roles SECURITYADMIN and ACCOUNTADMIN cannot be included in this list.
                               Tip: The roles in this list should match the roles that are scoped in the OAuth 2.0 client in the Portal. In the client, you can specify the Snowflake roles that are permitted to use the client for authentication. Roles that are scoped for access but are not in this list must consent to access Snowflake after login. In some use cases, such as API access or scheduled executions, this can be problematic.
    BLOCKED_ROLES_LIST         A comma-separated list of Snowflake roles that cannot explicitly consent to use when accessing Snowflake. The roles SECURITYADMIN and ACCOUNTADMIN are included by default in this list. If you need to remove either of those roles, please contact Snowflake Support.
    <NETWORK_POLICY>           (Optional) Provide the identifier for any applicable Snowflake network policy.
    <COMMENT>                  (Optional) Add a comment if needed.
  5. Run the above command. The security integration is created. 

  6. Paste the following command and run it to acquire the following information: Client ID, Authorization URL, Token URL, and Refresh Token Expires In, where <NAME> is the name you provided above:

    DESC INTEGRATION <NAME>

    Retain the values for the following parameters. You must apply these parameters to the OAuth 2.0 client that you create in the Portal:

    Snowflake parameter             Portal client parameter
    OAUTH_CLIENT_ID                 Client Id
    OAUTH_AUTHORIZATION_ENDPOINT    Authorization URL
    OAUTH_TOKEN_ENDPOINT            Token URL
    OAUTH_REFRESH_TOKEN_VALIDITY    Refresh Token Expires In
  7. Paste the following command and run it to acquire the client secret, where <NAME> is the name you provided above:

    SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('<NAME>')

    Retain the value for the following parameter. You must apply it to the OAuth 2.0 client that you create in the Portal:

    Snowflake parameter             Portal client parameter
    OAUTH_CLIENT_SECRET             Client Secret
  8. Save your changes.
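The security integration, DESC INTEGRATION and client-field mapping from steps 4 to 7, worked through as an added example that is not part of this page and not Trifacta's or Snowflake's own code. The linter below encodes the constraints stated above (https-only redirect URI because OAUTH_ALLOW_NON_TLS_REDIRECT_URI stays FALSE, no SECURITYADMIN or ACCOUNTADMIN in the pre-authorized list, the page's 90-day refresh token validity), renders the CREATE SECURITY INTEGRATION statement from a validated configuration, and picks the four client values out of DESC INTEGRATION rows. The dataclass, the function names, the sample callback URI and the sample DESC rows are this example's own assumptions.

```python
"""Lint and render a Snowflake custom OAuth security integration (added example).

Not Trifacta's or Snowflake's own code: it turns the rules on this page into checks,
renders the CREATE SECURITY INTEGRATION statement, and maps DESC INTEGRATION output
onto the Portal client fields. All names here are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

PRIVILEGED_ROLES = {"SECURITYADMIN", "ACCOUNTADMIN"}  # never pre-authorizable; blocked by default
REFRESH_TOKEN_VALIDITY_90_DAYS = 90 * 24 * 60 * 60     # 7776000 seconds, the value used above
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")      # unquoted Snowflake identifier


@dataclass
class IntegrationConfig:
    name: str
    redirect_uri: str
    pre_authorized_roles: list[str] = field(default_factory=list)
    blocked_roles: list[str] = field(default_factory=list)
    refresh_token_validity: int = REFRESH_TOKEN_VALIDITY_90_DAYS
    network_policy: str | None = None
    comment: str | None = None


def validate(cfg: IntegrationConfig) -> list[str]:
    """Return the problems found; an empty list means the config follows the rules above."""
    problems = []
    if not IDENTIFIER.fullmatch(cfg.name):
        problems.append(f"integration name {cfg.name!r} is not a plain Snowflake identifier")
    uri = urlparse(cfg.redirect_uri)
    if uri.scheme != "https" or not uri.netloc:
        # OAUTH_ALLOW_NON_TLS_REDIRECT_URI stays FALSE, so Snowflake would reject this as well.
        problems.append(f"redirect URI {cfg.redirect_uri!r} must be an absolute https URL")
    for role in cfg.pre_authorized_roles:
        if role.upper() in PRIVILEGED_ROLES:
            problems.append(f"{role} cannot be pre-authorized; consent cannot be skipped for it")
    if cfg.refresh_token_validity != REFRESH_TOKEN_VALIDITY_90_DAYS:
        problems.append(f"refresh token validity {cfg.refresh_token_validity} is not 7776000 (90 days)")
    return problems


def _role_list(roles: list[str]) -> str:
    # Render ( 'ROLE_1', 'ROLE_2' ) with any embedded single quote doubled.
    return "( " + ", ".join("'" + r.replace("'", "''") + "'" for r in roles) + " )"


def render_sql(cfg: IntegrationConfig) -> str:
    """Render the CREATE OR REPLACE SECURITY INTEGRATION statement; refuses an invalid config."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"CREATE OR REPLACE SECURITY INTEGRATION {cfg.name}",
        "  TYPE = OAUTH",
        "  OAUTH_CLIENT = CUSTOM",
        "  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'",
        f"  OAUTH_REDIRECT_URI = '{cfg.redirect_uri}'",
        "  ENABLED = TRUE",
        "  OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE",
    ]
    if cfg.pre_authorized_roles:
        lines.append(f"  PRE_AUTHORIZED_ROLES_LIST = {_role_list(cfg.pre_authorized_roles)}")
    if cfg.blocked_roles:
        lines.append(f"  BLOCKED_ROLES_LIST = {_role_list(cfg.blocked_roles)}")
    lines.append("  OAUTH_ISSUE_REFRESH_TOKENS = TRUE")
    lines.append(f"  OAUTH_REFRESH_TOKEN_VALIDITY = {cfg.refresh_token_validity}")
    if cfg.network_policy:
        lines.append(f"  NETWORK_POLICY = '{cfg.network_policy}'")
    if cfg.comment:
        lines.append("  COMMENT = '" + cfg.comment.replace("'", "''") + "'")
    return "\n".join(lines) + ";"


# DESC INTEGRATION property -> the field it fills in the Portal's OAuth 2.0 client.
DESC_TO_CLIENT_FIELD = {
    "OAUTH_CLIENT_ID": "Client Id",
    "OAUTH_AUTHORIZATION_ENDPOINT": "Authorization URL",
    "OAUTH_TOKEN_ENDPOINT": "Token URL",
    "OAUTH_REFRESH_TOKEN_VALIDITY": "Refresh Token Expires In",
}


def client_fields_from_desc(rows: list[tuple[str, str]]) -> dict[str, str]:
    """Pick the four client values out of DESC INTEGRATION rows given as (property, property_value)."""
    fields = {DESC_TO_CLIENT_FIELD[p]: v for p, v in rows if p in DESC_TO_CLIENT_FIELD}
    missing = set(DESC_TO_CLIENT_FIELD.values()) - set(fields)
    if missing:
        raise ValueError(f"DESC output lacks: {sorted(missing)}")
    return fields


if __name__ == "__main__":
    # Constructed sample values; the real callback URI comes from your deployment.
    cfg = IntegrationConfig(name="PORTAL_OAUTH", redirect_uri="https://portal.example.com/oauth2/callback",
                            pre_authorized_roles=["ANALYST"], comment="Portal OAuth 2.0 client")
    print(render_sql(cfg))
```

Running the script prints the statement for the constructed sample; feeding it a config with an http callback or ACCOUNTADMIN in the pre-authorized list makes render_sql raise with the reasons, which is the point of checking before the worksheet does.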

Create OAuth 2.0 Client for Snowflake

After the Snowflake client app is created, you must create an OAuth 2.0 client in the Portal, which is used to integrate with the OAuth 2.0 client app (security integration) that you created above.

NOTE: You must create one OAuth 2.0 client in the Portal for each Snowflake role that you wish to use. See "Scopes" below for more information.

Steps:

  1. Log in to the Portal as a workspace administrator.
  2. In the lefthand menu, select User menu > Admin console > OAuth 2.0 Clients.
  3. In the OAuth 2.0 Clients page, click Register OAuth 2.0 Client.
  4. Specify the new client.
    1. For the Type value, select snowflake.
    2. You must apply the values listed in the previous section to your client object.
    3. For more information on Scopes, see "Scopes for Snowflake" below.
    4. Access Token Expires in: 600000

      NOTE: The value of 600000 is required for Snowflake.

  5. To save your OAuth 2.0 client, click Save.

...

    refresh_token session:role:<role_name>

Scope                      Description
refresh_token              (required) Snowflake session tokens have a short duration. By adding this scope, a refresh token is issued for the session. This token allows the OAuth 2.0 client to refresh the connection with Snowflake without user interaction.
session:role:<role_name>   (optional) The Snowflake role whose databases, schemas, and tables you wish to access. If this value is not provided, then the default role is used.

NOTE: Only one role can be specified per client. This role must provide access to the databases, schemas, and objects that you wish to make accessible through this client.

NOTE: The value for <role_name> is case-sensitive, unless you specified the role in quotes when creating it. For more information, see https://docs.snowflake.com/en/user-guide/oauth-custom.html#scope.
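The scope rules above, together with the consent behaviour of PRE_AUTHORIZED_ROLES_LIST and BLOCKED_ROLES_LIST from the security integration section, as an added example that is not part of this page and not Trifacta's or Snowflake's own code. It builds the scope string for a client (refresh_token always, at most one session:role scope), applies Snowflake's stored-name rule for unquoted versus quoted role names, and predicts for each role whether authorization will be pre-authorized, prompt for consent, or be blocked. The function names, the 600000 constant's use as a plain client setting, and the sample role lists are this example's own assumptions.

```python
"""Scope strings and consent behaviour for the Portal's Snowflake OAuth 2.0 clients (added example).

Not Trifacta's or Snowflake's own code: it applies the rules on this page (refresh_token is
always present, one session:role scope per client, the role name must match the stored role
name exactly) and predicts how Snowflake treats the role at authorization time given the
lists from the security integration. All names here are this example's own.
"""
from __future__ import annotations

ACCESS_TOKEN_EXPIRES_IN = 600000   # the client value this page says Snowflake requires
BLOCKED_BY_DEFAULT = {"SECURITYADMIN", "ACCOUNTADMIN"}


def stored_role_name(role: str, quoted: bool = False) -> str:
    """Snowflake stores an unquoted role name in upper case; a quoted one keeps its case."""
    return role if quoted else role.upper()


def client_scope(role: str | None = None, quoted: bool = False) -> str:
    """'refresh_token' plus at most one session:role:<role_name> scope (one role per client)."""
    if not role:
        return "refresh_token"   # no role scope: Snowflake uses the user's default role
    return f"refresh_token session:role:{stored_role_name(role, quoted)}"


def consent_outcome(role: str, pre_authorized: list[str], blocked: list[str]) -> str:
    """How Snowflake treats this (stored-form) role name at authorization time."""
    if role in BLOCKED_BY_DEFAULT or role in blocked:
        return "blocked"            # the role cannot consent, so authorization cannot succeed
    if role in pre_authorized:
        return "pre-authorized"     # no consent prompt: suitable for API access and scheduled jobs
    return "consent required"       # interactive consent after login; a problem for scheduling


def plan_clients(roles: list[str], pre_authorized: list[str], blocked: list[str],
                 quoted: bool = False) -> list[dict]:
    """One client registration per role, with the settings above and the expected consent behaviour."""
    plan = []
    for role in roles:
        plan.append({
            "type": "snowflake",
            "scope": client_scope(role, quoted),
            "access_token_expires_in": ACCESS_TOKEN_EXPIRES_IN,
            "consent": consent_outcome(stored_role_name(role, quoted), pre_authorized, blocked),
        })
    return plan


if __name__ == "__main__":
    # Constructed sample: the security integration pre-authorized only ANALYST.
    for entry in plan_clients(["analyst", "reporting", "accountadmin"], ["ANALYST"], []):
        print(entry)
```

A role that comes out as "consent required" will work for interactive logins but is the case the tip above warns about for API access and scheduled executions; the fix is to add it to PRE_AUTHORIZED_ROLES_LIST in the security integration rather than to change the client.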

Create Snowflake Connection

...

NOTE: You must create a separate connection for each OAuth 2.0 client that is available in the Portal.

For more information, see Snowflake Connections.

...

If you receive an invalid consent request error, then the user that is passed for OAuth 2.0 authorization does not have access to the role that is referenced in the corresponding OAuth 2.0 client that you created in the Portal.

You can do one of the following:

  • Specify a different user in the connection.
  • Create a new OAuth 2.0 client in the Portal which is scoped for a role that the database user has.

    NOTE: This new role must also be authorized to use the security integration within Snowflake.

...