This document describes how to set up an OAuth connection between Snowflake and DevReady. OAuth is required to allow DevReady to connect to Snowflake if you are using Single Sign-On (SSO), but it can also be used in non-SSO environments.
Creating a Snowflake OAuth Connection
The first step is to create a Snowflake Security Integration. This should be done by a Snowflake administrator with the ACCOUNTADMIN role.
CREATE SECURITY INTEGRATION DATAOPS_DEV_READY
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'PUBLIC'
OAUTH_ENFORCE_PKCE = TRUE
OAUTH_REDIRECT_URI = 'https://snowflake-oauth.dataops.live'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 86400;
Once you have created the security integration, retrieve the required OAuth details for later use.
select SYSTEM$SHOW_OAUTH_CLIENT_SECRETS( 'DATAOPS_DEV_READY' );
The output should look something like this:
Creating the configuration file
Using the OAuth client ID and OAUTH_CLIENT_SECRET from the previous step, create a configuration file dataops/develop/snowflake-oauth.yml in your project with the following contents:
ACCOUNT - The Snowflake account name
CLIENT_ID - The OAuth client ID
CLIENT_SECRET - The OAuth client secret
AVAILABLE_ROLES - A list of roles that the user can choose from to assume.
AVAILABLE_WAREHOUSES - A list of warehouses that the user can choose from to run development queries.
If AVAILABLE_ROLES and AVAILABLE_WAREHOUSES only have one value, then the user will not be prompted to choose a role or warehouse.
Because we are using OAUTH_CLIENT_TYPE = 'PUBLIC', there is no need to keep CLIENT_SECRET confidential. However, it is still required to call the Snowflake OAuth API endpoints, so it must be present in the configuration file.