OAuth Integration
You can provide configuration to Snowflake Object Lifecycle Engine for the following operation with OAuth integration:
- Manage the lifecycle of new and existing OAuth integrations
Usage
Note: We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. Learn more about SOLE for Data Products, which is currently available as a private preview.
OAuth Integration in Current Configuration:

```yaml
oauth_integrations:
  <oauth_integration-name>:
    <configuration-key>: <value>
    grants:
      <privilege>:
        - <role-name>
        - <role-name>
```

OAuth Integration in SOLE for Data Products:

```yaml
- oauth_integration:
    name: <oauth_integration-name>
    <configuration-key>: <value>
    grants:
      <privilege>:
        - rel(role.<role-name>)
        - rel(role.<role-name>)
```
Supported parameters
The engine supports the parameters listed below.
Configuration Key | Required / Optional | Data Types and Values | Description |
---|---|---|---|
oauth_client | Required | String | Specifies the OAuth client type |
blocked_roles_list | Optional | Set/List of String | List of roles that a user cannot explicitly consent to use after authenticating. Do not include ACCOUNTADMIN, ORGADMIN or SECURITYADMIN as they are already implicitly enforced and will cause in-place updates. |
comment | Optional | String | Specifies a comment for the OAuth integration |
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
enabled | Optional | Boolean | Specifies whether this OAuth integration is enabled or disabled |
environment | Optional | String | Specify the environment in which the OAuth integration is managed. Regex can be provided as well |
grants | Optional | Map: See Supported OAuth Integration Grants to Roles | List of Privileges and Roles to which privileges are granted on the current OAuth integration |
manage_mode | Optional | Enumeration: all (default), none, grants | Configures what properties to manage for the OAuth integration. See Changing Manage Mode before changing the value. |
namespacing | Optional | Enumeration: both (default), prefix, suffix, none | Specify whether a prefix, a suffix, or both are to be added to the OAuth integration name |
oauth_issue_refresh_tokens | Optional | Boolean | Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired |
oauth_refresh_token_validity | Optional | Number | Specifies how long refresh tokens should be valid (in seconds). oauth_issue_refresh_tokens must be set to TRUE. |
oauth_use_secondary_roles | Optional | String | Specifies whether default secondary roles set in the user properties are activated by default in the session being opened |
Supported OAuth integration grants to roles
Following are the privileges you can grant to roles in the OAuth integration definition:
- ALL PRIVILEGES
- USAGE
- USE_ANY_ROLE
- OWNERSHIP
Example
OAuth Integration in Current Configuration:

```yaml
oauth_integrations:
  OAUTH_INTEGRATION_1:
    grants:
      USAGE:
        - ROLE_1
    comment: "Test OAuth 1"
    oauth_client: TABLEAU_DESKTOP
    enabled: false
    oauth_issue_refresh_tokens: false
    oauth_refresh_token_validity: 3600
```

OAuth Integration in SOLE for Data Products:

```yaml
- oauth_integration:
    name: OAUTH_INTEGRATION_1
    grants:
      USAGE:
        - rel(role.ROLE_1)
    comment: "Test OAuth 1"
    oauth_client: TABLEAU_DESKTOP
    enabled: false
    oauth_issue_refresh_tokens: false
    oauth_refresh_token_validity: 3600
```
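As an added example (not SOLE's own code), a small Python check that applies the caveats from the parameter table and the grants list above to a current-configuration file before it is applied: it assumes the YAML has already been loaded with `yaml.safe_load` into a dict, and runs over a constructed sample that repeats the mistakes the table warns about.

```python
# Constructed linter for the rules stated on this page; not part of SOLE itself.
IMPLICITLY_BLOCKED = {"ACCOUNTADMIN", "ORGADMIN", "SECURITYADMIN"}
SUPPORTED_GRANTS = {"ALL PRIVILEGES", "USAGE", "USE_ANY_ROLE", "OWNERSHIP"}
MANAGE_MODES = {"all", "none", "grants"}
NAMESPACING = {"both", "prefix", "suffix", "none"}

def lint_oauth_integrations(config):
    """Return (integration_name, message) findings for a parsed current-configuration
    file (the dict yaml.safe_load gives for a top-level `oauth_integrations` map)."""
    findings = []
    for name, spec in (config.get("oauth_integrations") or {}).items():
        spec = spec or {}
        if "oauth_client" not in spec:
            findings.append((name, "oauth_client is required"))
        # These roles are already implicitly blocked; listing them causes in-place updates.
        for role in spec.get("blocked_roles_list") or []:
            if str(role).upper() in IMPLICITLY_BLOCKED:
                findings.append((name, f"drop {role} from blocked_roles_list (implicitly enforced)"))
        # A refresh-token lifetime only takes effect when refresh tokens are issued.
        if "oauth_refresh_token_validity" in spec and not spec.get("oauth_issue_refresh_tokens"):
            findings.append((name, "oauth_refresh_token_validity needs oauth_issue_refresh_tokens: true"))
        for privilege in spec.get("grants") or {}:
            if str(privilege).upper() not in SUPPORTED_GRANTS:
                findings.append((name, f"unsupported grant privilege {privilege}"))
        if spec.get("manage_mode", "all") not in MANAGE_MODES:
            findings.append((name, f"manage_mode must be one of {sorted(MANAGE_MODES)}"))
        if spec.get("namespacing", "both") not in NAMESPACING:
            findings.append((name, f"namespacing must be one of {sorted(NAMESPACING)}"))
    return findings

# Constructed sample (what yaml.safe_load returns for this page's layout), with deliberate mistakes.
SAMPLE_CONFIG = {
    "oauth_integrations": {
        "OAUTH_INTEGRATION_1": {
            "oauth_client": "TABLEAU_DESKTOP",
            "enabled": False,
            "oauth_issue_refresh_tokens": False,
            "oauth_refresh_token_validity": 3600,
            "blocked_roles_list": ["ACCOUNTADMIN", "ANALYST"],
            "grants": {"USAGE": ["ROLE_1"], "SELECT": ["ROLE_2"]},
        },
        "OAUTH_INTEGRATION_2": {"enabled": True, "manage_mode": "grant"},
    }
}

if __name__ == "__main__":
    for integration, message in lint_oauth_integrations(SAMPLE_CONFIG):
        print(f"{integration}: {message}")
```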