Previously, we used username/password connections to authenticate to Snowflake. Snowflake has been steadily tightening its authentication policies and is deprecating password-only logins, so we are now transitioning to OAuth wherever possible.


Workato Connections

Follow the documentation here to use OAuth in a Workato connection. Workato connections work differently from the connections below, which use Azure as our External IdP.


External OAuth Connections

This documentation was followed to create the configuration. There are four main components that go into External OAuth for Snowflake. The image at the bottom of this document illustrates how they are connected.

To create a new connection to Snowflake, follow these steps.

  1. Create an app registration.
    1. Grant the app registration one of the following API permissions, depending on the Snowflake instance you need to access.
    2. Create a secret for the app registration and save it to the appropriate key vault (DevKeys1 or ProdKeys1). Do not paste the secret value into tickets, chat or source control; the developer retrieves it from the key vault by name.
    3. Create a new user in Snowflake named after the app registration, for consistency. LOGIN_NAME must be the object ID of the app registration's service principal (the Enterprise Application object, not the application/client ID), because that is the value Snowflake compares against the mapped token claim.
      1. CREATE OR REPLACE USER <app-registration-name>
            LOGIN_NAME = '<object-id-of-app-registration-service-principal>'
            TYPE = SERVICE;
         Note that CREATE OR REPLACE drops an existing user of the same name together with its role grants; when re-running against an existing user, use CREATE USER IF NOT EXISTS or ALTER USER instead.
    4. Assign the appropriate roles to the new user. (This may require creating new roles and granting privileges to the new roles.)
    5. Let the developer know the client ID, the name of the secret in the key vault, and the LOGIN_NAME value of the user. They can then create the connection to Snowflake.
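The developer's side of step 5, as an added example that is not part of the original page and not code from Snowflake or Microsoft: request a client-credentials token from Azure for the app registration, pre-check the claims Snowflake will rely on (audience, the claim mapped onto LOGIN_NAME, the app permission, expiry), and then open the connection with snowflake-connector-python. Tenant, client, scope and account values are placeholders, the secret is read from an environment variable after being fetched from the key vault, and it is assumed that the security integration maps the `sub` claim (the service principal object ID in Azure client-credentials tokens) onto LOGIN_NAME and that the permission from step 1.1 is an application role, which shows up in the token's `roles` claim.

```python
# Added example: Azure client-credentials token -> claim pre-check -> Snowflake
# OAuth connection. All names below are placeholders, not values from this page.
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# Assumed placeholders; real values come from the app registration and key vault.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<client-id-of-app-registration>"
# The resource is the Snowflake app registration; "/.default" asks for the
# application permission granted in step 1.1.
SCOPE = "<application-id-uri-of-snowflake-app-registration>/.default"
SNOWFLAKE_ACCOUNT = "<org>-<account>"


def token_request(tenant_id, client_id, client_secret, scope):
    """Build the client-credentials POST for the Azure v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret, scope):
    """Exchange the secret for an access token (network call)."""
    url, body = token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Read the JWT payload. The signature is deliberately not verified here:
    Snowflake verifies it against the issuer's JWKS; this is only a local
    sanity check of the claims before the token is sent."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(jwt, expected_login_name, expected_audience,
                mapping_claim="sub", now=None):
    """Return a list of problems; empty means Snowflake should map the token to
    the intended user. Assumes the integration maps `mapping_claim` (sub = the
    service principal object ID) onto LOGIN_NAME, and that the step 1.1
    permission is an application role carried in the roles claim."""
    claims = decode_claims(jwt)
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append(f"aud {claims.get('aud')!r} is not {expected_audience!r}")
    actual = claims.get(mapping_claim)
    if actual != expected_login_name:
        problems.append(f"{mapping_claim} {actual!r} does not match LOGIN_NAME {expected_login_name!r}")
    if "roles" not in claims:
        problems.append("no roles claim: step 1.1 permission not granted or not admin-consented")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        problems.append("token is expired")
    return problems


def connect_with_token(account, login_name, token):
    """Open the connection with the OAuth authenticator and return
    (CURRENT_USER, CURRENT_ROLE) as a smoke test of the mapping and grants."""
    import snowflake.connector  # pip install snowflake-connector-python
    conn = snowflake.connector.connect(
        account=account, user=login_name, authenticator="oauth", token=token)
    try:
        cur = conn.cursor()
        cur.execute("SELECT CURRENT_USER(), CURRENT_ROLE()")
        return cur.fetchone()
    finally:
        conn.close()


def make_unsigned_jwt(claims):
    """Constructed, unsigned (alg 'none') token for offline testing only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Secret is fetched from the key vault (DevKeys1/ProdKeys1) and exported
    # by the caller; it is never hard-coded.
    secret = os.environ["SNOWFLAKE_CLIENT_SECRET"]
    expected_login = "<object-id-of-app-registration-service-principal>"
    tok = fetch_token(TENANT_ID, CLIENT_ID, secret, SCOPE)
    problems = check_token(tok, expected_login, SCOPE.rsplit("/.default", 1)[0])
    if problems:
        raise SystemExit("\n".join(problems))
    print(connect_with_token(SNOWFLAKE_ACCOUNT, expected_login, tok))
```

If `check_token` reports a LOGIN_NAME mismatch, the usual cause is that the application (client) ID was used for LOGIN_NAME instead of the service principal's object ID; if `CURRENT_ROLE()` comes back as PUBLIC, the role grants from step 4 are missing or the user has no default role.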