Enable Snowflake OAuth
Atlan supports Snowflake OAuth-based authentication for Snowflake connections. Once the integration has been completed, Atlan generates a trusted secure token with Snowflake. This enables Atlan to authenticate users with Snowflake on their behalf to:
This page covers the Okta flow. For PingFederate as the identity provider, see Enable Snowflake OAuth with PingFederate.
Configure Snowflake OAuth in Atlan
You must be a connection admin in Atlan to complete these steps. You also need inputs and approval from your Snowflake account administrator.
To configure Snowflake OAuth on a Snowflake connection, from Atlan:
- From the left menu of any screen, click Assets.
- From the Assets page, click the Connector filter, and from the dropdown, click Snowflake.
- From the pills below the search bar at the top of the screen, click Connection.
- From the list of results, select a Snowflake connection to enable Snowflake OAuth-based authentication.
- From the sidebar on the right, next to Connection settings, click Edit.
- In the Connection settings dialog:
  - Under Allow query, for Authentication type, click Snowflake OAuth to enforce Snowflake OAuth credentials for querying data:
    - Under Authentication Required, click Copy Code to copy the security authorization code (the CREATE SECURITY INTEGRATION statement that your Snowflake account administrator runs in Snowflake).
  - Under Display sample data, for Source preview, click Snowflake OAuth to enforce Snowflake OAuth credentials for viewing sample data:
    - If Snowflake OAuth-based authentication is already enabled for querying data, the same connection details are reused for viewing sample data.
    - If a different authentication method is enabled for querying data, click Copy Code to copy the security authorization code and have your Snowflake account administrator run it in Snowflake.
  - (Optional) Toggle on Enable data policies created at source to apply for querying in Atlan to apply the data policies and user permissions defined at source to querying data and viewing sample data in Atlan. If toggled on, any existing data policies on the connection in Atlan are deactivated and creation of new data policies is disabled.
- At the bottom right of the Connection settings dialog, click Update.
The refresh token does not expire by default, so a user's access through Atlan continues until the token is revoked at the identity provider or the mapped user is disabled in Snowflake.
Create security integration in Snowflake
Your Snowflake account administrator must run these commands. You also need an existing Snowflake connection in Atlan.
To create a security integration in Snowflake:
- Log in to your Snowflake instance.
- From the top right of your Snowflake instance, click the + button, and then from the dropdown, click SQL Worksheet to open a new worksheet.
- In the query editor of your Snowflake SQL worksheet, paste the security authorization code you copied in Atlan. See a representative example below:

```sql
CREATE SECURITY INTEGRATION <name>
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = OKTA
  EXTERNAL_OAUTH_ISSUER = 'https://<COMPANY>.okta.com/oauth2/<ID>'
  EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://<COMPANY>.okta.com/oauth2/<ID>/v1/keys'
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('<snowflake_account_url>')
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL_ADDRESS'
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
```

  The integration validates tokens against the Okta issuer and JWKS URL, requires the Snowflake account URL in the token audience, and maps the token's sub claim to the Snowflake user whose EMAIL_ADDRESS attribute matches it.
- Run the security integration in Snowflake.
- (Optional) To enable the ACCOUNTADMIN, ORGADMIN, or SECURITYADMIN role to query with Snowflake OAuth-based authentication, add and run the following command to set account-level permissions:

```sql
ALTER ACCOUNT SET EXTERNAL_OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST = FALSE;
```

  Snowflake blocks these privileged roles from external OAuth sessions by default. Only change this if you accept that a token issued by your identity provider can then be used with account-administrator privileges.
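The following is an added example, not Atlan's or Snowflake's own code, of the checks a Snowflake administrator would run after creating the integration above. The integration name `<name>`, the placeholder access token, and the sample user `jane_doe` with email `jane.doe@example.com` are assumptions for illustration; the statements use only standard Snowflake SQL.

```sql
-- Added example (not from the Atlan documentation). Placeholders <name>,
-- <access_token>, jane_doe and jane.doe@example.com are assumptions.

-- 1. Confirm the integration exists, is enabled, and carries the expected
--    issuer, JWKS URL, audience and claim-to-user mapping.
SHOW SECURITY INTEGRATIONS LIKE '<name>';
DESCRIBE SECURITY INTEGRATION <name>;

-- 2. The integration maps the token's 'sub' claim to the Snowflake user's
--    EMAIL_ADDRESS attribute. Every Atlan user therefore needs a Snowflake
--    user whose EMAIL equals the 'sub' value Okta places in the token.
--    Inspect the user and correct the attribute if it does not match.
SHOW USERS LIKE 'jane_doe';
ALTER USER jane_doe SET EMAIL = 'jane.doe@example.com';

-- 3. Validate a real access token obtained through the Okta flow against the
--    integration before rolling it out. The returned string reports whether
--    validation succeeded and which Snowflake user and role the token maps to.
--    Treat the token as a secret: do not leave it in a shared worksheet.
SELECT SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('<access_token>');

-- 4. If the optional account-level change above was made, privileged roles
--    are no longer blocked automatically. Re-block the roles that should never
--    be reachable through this integration so the change stays scoped.
ALTER SECURITY INTEGRATION <name>
  SET EXTERNAL_OAUTH_BLOCKED_ROLES_LIST = ('ACCOUNTADMIN', 'ORGADMIN');
```

Step 2 is the most common cause of failed logins with this mapping: if the Snowflake user's EMAIL differs from the Okta sub claim (case, alias, or domain), Snowflake rejects the token even though Okta issued it correctly. Step 4 keeps the privileged-role unblock limited to the roles you actually intend to expose.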
Your users can run queries and view sample data using their Snowflake OAuth credentials! 🎉
See Troubleshooting connector-specific SSO authentication to resolve any errors.