Connecting to DevReady using Snowflake OAuth

Overview

This document describes how to set up an OAuth connection between Snowflake and DevReady. OAuth is required to allow DevReady to connect to Snowflake if you are using Single Sign-On (SSO), but can also be used for non-SSO environments.

Creating a Snowflake OAuth connection

The first step is to create a Snowflake security integration. This must be done by a Snowflake administrator with the ACCOUNTADMIN role.

CREATE SECURITY INTEGRATION DATAOPS_DEV_READY
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'PUBLIC'
OAUTH_ENFORCE_PKCE = TRUE
OAUTH_REDIRECT_URI = 'https://snowflake-oauth.dataops.live'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 86400;

Once you have created the security integration, retrieve the required OAuth details for later use.

select SYSTEM$SHOW_OAUTH_CLIENT_SECRETS( 'DATAOPS_DEV_READY' );

The output should look something like this:

{
"OAUTH_CLIENT_SECRET_2": "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
"OAUTH_CLIENT_SECRET": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=",
"OAUTH_CLIENT_ID": "MTIzNDU2Nzg5MTAxMTEyMTM="
}

Creating the configuration file

Using the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET from the previous step, create a configuration file dataops/develop/snowflake-oauth.yml in your project with the following keys:

  • ACCOUNT - The Snowflake account name
  • CLIENT_ID - The OAuth client ID
  • CLIENT_SECRET - The OAuth client secret
  • AVAILABLE_ROLES - A list of roles the user can choose from to assume.
  • AVAILABLE_WAREHOUSES - A list of warehouses the user can choose from to run development queries.

If either AVAILABLE_ROLES or AVAILABLE_WAREHOUSES has only one value, the user will not be prompted to choose a role or warehouse.

For example, dataops/develop/snowflake-oauth.yml:

ACCOUNT: "ab12345.eu-west-1.aws"
CLIENT_ID: "MTIzNDU2Nzg5MTAxMTEyMTM="
CLIENT_SECRET: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo="
AVAILABLE_ROLES: ["ROLE_ONE"]
AVAILABLE_WAREHOUSES: ["DEVELOPMENT_WAREHOUSE"]

Info: Because we are using OAUTH_CLIENT_TYPE = 'PUBLIC', there is no need to keep the CLIENT_SECRET confidential; with a public client it is PKCE (OAUTH_ENFORCE_PKCE = TRUE) that protects the authorization code exchange. However, the secret is still necessary for calling Snowflake OAuth API endpoints, so it is required in the configuration file.
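As an added example (not DevReady's own code), here is what a client built on this integration does with the configuration values: it derives a PKCE verifier/challenge pair, builds the authorization request, and builds the token exchange request. The /oauth/authorize and /oauth/token-request paths, the session:role scope syntax and the placement of the client credentials in HTTP Basic auth are assumptions taken from Snowflake's custom-client OAuth documentation; the config values are the placeholders from the YAML above.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed from the example snowflake-oauth.yml above (placeholder values).
CONFIG = {
    "ACCOUNT": "ab12345.eu-west-1.aws",
    "CLIENT_ID": "MTIzNDU2Nzg5MTAxMTEyMTM=",
    "CLIENT_SECRET": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=",
    "AVAILABLE_ROLES": ["ROLE_ONE"],
}
REDIRECT_URI = "https://snowflake-oauth.dataops.live"  # from the integration

def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def code_challenge_for(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def new_pkce_pair():
    """Fresh 43-character high-entropy verifier and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)

def authorize_url(cfg: dict, role: str, challenge: str, state: str) -> str:
    """Browser-side authorization request. 'session:role:<ROLE>' pins the
    session role; 'refresh_token' asks for one (OAUTH_ISSUE_REFRESH_TOKENS)."""
    params = {
        "client_id": cfg["CLIENT_ID"],
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": f"session:role:{role} refresh_token",
        "state": state,  # ties the callback to this login attempt
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # required by OAUTH_ENFORCE_PKCE = TRUE
    }
    base = f"https://{cfg['ACCOUNT']}.snowflakecomputing.com/oauth/authorize"
    return base + "?" + urlencode(params)

def token_request(cfg: dict, code: str, verifier: str):
    """Headers and form body for POST .../oauth/token-request. The verifier,
    not the (public) client secret, proves this client started the flow."""
    creds = f"{cfg['CLIENT_ID']}:{cfg['CLIENT_SECRET']}".encode("ascii")
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode("ascii")}
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    return headers, body
```

The code_verifier must be generated fresh per login and kept only by the client until the token exchange; the state value should likewise be checked on the callback before the code is exchanged.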

Troubleshooting

Snowflake sign-in failed with "400 Bad Request"

This error can occur when DevReady has not been given access to your Snowflake account through a network policy. Refer to the Workspaces and network access documentation for more information.