Skip to main content

OAuth Integration

You can provide configuration to Snowflake Object Lifecycle Engine for the following operation with OAuth integration:

  • Manage the lifecycle of new and existing OAuth integrations
  • Manage grants of OAuth integration

Usage

- oauth_integration:
    name: <oauth_integration-name>
    <configuration-key>: <value>
    grants:
      <privilege>:
        - rel(role.<role-name>)
        - rel(role.<role-name>)

Supported parameters

The engine supports the parameters listed below.

Configuration KeyRequired / OptionalData Types and ValuesDescription
oauth_clientRequiredStringSpecifies the OAuth client type
blocked_roles_listOptionalSet/List of StringList of roles that a user cannot explicitly consent to use after authenticating. Do not include ACCOUNTADMIN, ORGADMIN or SECURITYADMIN as they are already implicitly enforced and will cause in-place updates.
commentOptionalStringSpecifies a comment for the OAuth integration
deletedOptionalBoolean: True enables deletion prevention, False does nothingSpecifies what objects are allowed to be deleted
enabledOptionalBooleanSpecifies whether this OAuth integration is enabled or disabled
environmentOptionalStringSpecify the environment in which the OAuth integration is managed. Regex can be provided as well
grantsOptionalMap: See Supported OAuth Integration Grants to RolesList of Privileges and Roles to which privileges are granted on the current OAuth integration
manage_modeOptionalEnumeration: all (default), none, grantsConfigures what properties to manage for the OAuth integration.
See Changing Manage Mode before changing the value.
namespacingOptionalEnumeration: both (default), prefix, suffix, noneSpecify whether prefix or suffix or both are to be added to OAuth integration name
oauth_client_typeOptionalStringSpecifies the type of client being registered. Snowflake supports both confidential and public clients.
oauth_issue_refresh_tokensBooleanList of StringSpecifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired
oauth_redirect_uriOptionalStringSpecifies the client URI. After a user is authenticated, the web browser is redirected to this URI.
oauth_refresh_token_validityOptionalNumberSpecifies how long refresh tokens should be valid (in seconds). oauth_issue_refresh_tokens must be set to TRUE.
oauth_use_secondary_rolesOptionalStringSpecifies whether default secondary roles set in the user properties are activated by default in the session being opened

Supported OAuth integration grants to roles

Following are the privileges you can grant to roles in the OAuth integration definition:

  • ALL PRIVILEGES
  • USAGE
  • USE_ANY_ROLE
  • OWNERSHIP
ALL PRIVILEGES handling

When you define ALL PRIVILEGES in the SOLE configuration file, you grant all the privileges listed above to roles on this object except OWNERSHIP. However, the management of ALL PRIVILEGES in SOLE differs from its handling in Snowflake. See Handling ALL PRIVILEGES in SOLE for more information.

Example

- oauth_integration:
    name: OAUTH_INTEGRATION_1
    grants:
      USAGE:
        - rel(role.ROLE_1)
    comment: "Test OAuth 1"
    oauth_client: TABLEAU_DESKTOP
    enabled: false
    oauth_issue_refresh_tokens: false
    oauth_refresh_token_validity: 3600
Last updated on