Connecting to DevReady using Snowflake OAuth
Overview
This document describes how to set up an OAuth connection between Snowflake and DevReady. OAuth is required to allow DevReady to connect to Snowflake if you are using Single Sign-On (SSO), but can also be used for non-SSO environments.
Creating a Snowflake OAuth connection
The first step is to create a Snowflake Security Integration. This should be completed by a Snowflake administrator with the ACCOUNTADMIN role.
CREATE SECURITY INTEGRATION DATAOPS_DEV_READY
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'PUBLIC'            -- public client: the client secret is not treated as confidential
OAUTH_ENFORCE_PKCE = TRUE               -- every authorization code exchange must carry a PKCE code_verifier
OAUTH_REDIRECT_URI = 'https://snowflake-oauth.dataops.live'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 86400;   -- refresh tokens expire after 86400 seconds (24 hours)
Once you have created the security integration, retrieve the required OAuth details for later use.
select SYSTEM$SHOW_OAUTH_CLIENT_SECRETS( 'DATAOPS_DEV_READY' );
The output should look something like this:
{
"OAUTH_CLIENT_SECRET_2": "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
"OAUTH_CLIENT_SECRET": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=",
"OAUTH_CLIENT_ID": "MTIzNDU2Nzg5MTAxMTEyMTM="
}
Creating the configuration file
Using the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET from the previous step, create a configuration file dataops/develop/snowflake-oauth.yml in your project with the following contents:
ACCOUNT - The Snowflake account name
CLIENT_ID - The OAuth client ID
CLIENT_SECRET - The OAuth client secret
AVAILABLE_ROLES - A list of roles that the user can choose from to assume.
AVAILABLE_WAREHOUSES - A list of warehouses that the user chooses from to run development queries.
If either AVAILABLE_ROLES or AVAILABLE_WAREHOUSES only has one value, the user will not be prompted to choose a role or warehouse.
e.g.
ACCOUNT: "ab12345.eu-west-1.aws"
CLIENT_ID: "MTIzNDU2Nzg5MTAxMTEyMTM="
CLIENT_SECRET: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo="
AVAILABLE_ROLES: ["ROLE_ONE"]
AVAILABLE_WAREHOUSES: ["DEVELOPMENT_WAREHOUSE"]
Because the security integration uses OAUTH_CLIENT_TYPE = 'PUBLIC' (with OAUTH_ENFORCE_PKCE = TRUE, so the PKCE code_verifier, not the secret, binds the authorization code to the client that requested it), there is no need to keep the CLIENT_SECRET confidential. However, it is still needed when calling the Snowflake OAuth API endpoints, so it is required in the configuration file.
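To make the steps above concrete, here is an added example (not part of the DataOps.live documentation or DevReady's own code) that assembles and validates the snowflake-oauth.yml fields from the SYSTEM$SHOW_OAUTH_CLIENT_SECRETS output, applies the "only prompt when more than one role or warehouse is offered" rule, and builds the two requests of a PKCE authorization-code flow against Snowflake's documented custom OAuth endpoints (/oauth/authorize and /oauth/token-request). It assumes the account host is <ACCOUNT>.snowflakecomputing.com and that the redirect URI is the one registered in the security integration; the JSON secrets, account name, roles and warehouses are the constructed sample values from this page. Whether DevReady itself performs exactly this exchange is an assumption; the example shows why a public client can publish its secret: the random code_verifier never leaves the client until the token request.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample: the SYSTEM$SHOW_OAUTH_CLIENT_SECRETS output shown on this page.
OAUTH_SECRETS_JSON = """{
  "OAUTH_CLIENT_SECRET_2": "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
  "OAUTH_CLIENT_SECRET": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=",
  "OAUTH_CLIENT_ID": "MTIzNDU2Nzg5MTAxMTEyMTM="
}"""

# OAUTH_REDIRECT_URI from the security integration; must match byte-for-byte in both requests.
REDIRECT_URI = "https://snowflake-oauth.dataops.live"
REQUIRED_KEYS = ("ACCOUNT", "CLIENT_ID", "CLIENT_SECRET", "AVAILABLE_ROLES", "AVAILABLE_WAREHOUSES")


def build_config(account, secrets_json, roles, warehouses):
    """Assemble the snowflake-oauth.yml fields from the SHOW_OAUTH_CLIENT_SECRETS JSON."""
    secrets_out = json.loads(secrets_json)
    return {
        "ACCOUNT": account,
        "CLIENT_ID": secrets_out["OAUTH_CLIENT_ID"],
        "CLIENT_SECRET": secrets_out["OAUTH_CLIENT_SECRET"],
        "AVAILABLE_ROLES": list(roles),
        "AVAILABLE_WAREHOUSES": list(warehouses),
    }


def validate_config(config):
    """Return a list of problems; an empty list means the file is usable."""
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in config]
    for key in ("AVAILABLE_ROLES", "AVAILABLE_WAREHOUSES"):
        if isinstance(config.get(key), list) and not config[key]:
            problems.append(f"{key} must list at least one value")
    return problems


def needs_prompt(values):
    """Only ask the user to choose when more than one role/warehouse is offered."""
    return len(values) > 1


def pkce_challenge(verifier):
    """RFC 7636 S256: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """A random verifier the client keeps secret, and the challenge it sends to Snowflake."""
    verifier = secrets.token_urlsafe(64)  # 86 url-safe chars, within the 43..128 limit
    return verifier, pkce_challenge(verifier)


def authorize_url(config, role, code_challenge, state):
    """Browser redirect to Snowflake's /oauth/authorize; carries only the challenge."""
    params = {
        "client_id": config["CLIENT_ID"],
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        # session:role:<ROLE> limits the token to one role; refresh_token requests a refresh token.
        "scope": f"session:role:{role} refresh_token",
        "state": state,  # random per-login value, checked on return to stop CSRF of the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    host = f"{config['ACCOUNT']}.snowflakecomputing.com"  # assumed account host form
    return f"https://{host}/oauth/authorize?{urlencode(params)}"


def token_request(config, code, code_verifier):
    """Headers and form body for /oauth/token-request: client_secret identifies, code_verifier proves."""
    creds = f"{config['CLIENT_ID']}:{config['CLIENT_SECRET']}".encode("ascii")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    return headers, urlencode(body)


if __name__ == "__main__":
    cfg = build_config("ab12345.eu-west-1.aws", OAUTH_SECRETS_JSON,
                       ["ROLE_ONE"], ["DEVELOPMENT_WAREHOUSE"])
    print("config problems:", validate_config(cfg) or "none")
    print("prompt for role?", needs_prompt(cfg["AVAILABLE_ROLES"]))
    verifier, challenge = new_pkce_pair()
    print(authorize_url(cfg, cfg["AVAILABLE_ROLES"][0], challenge, secrets.token_urlsafe(16)))
    print(token_request(cfg, "<code from callback>", verifier))
```

The token request still sends the client ID and secret, which is why the configuration file needs CLIENT_SECRET; an attacker who intercepts the authorization code but not the verifier held in the client's memory cannot complete the exchange, so the public secret adds identification, not confidentiality.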
Troubleshooting
Snowflake sign-in failed with "400 Bad Request"
This error can occur when DevReady has not been given access to your Snowflake account through a network policy. Refer to the Workspaces and network access documentation for more information.