Configuring OAuth connections to Snowflake
PreviousConfiguring S3 Bucket for Redshift ImportsNextConfiguring OAuth U2M connections to Databricks
Last updated
Was this helpful?
Last updated
Was this helpful?
As an admin, you can enable your CARTO organization to connect to Snowflake using OAuth, instead of requiring username and password. Once this integration is enabled, the option will be available for all users whenever they try to create a new .
Although it requires an initial setup, connecting CARTO and Snowflake via OAuth is the recommended approach. It has multiple benefits:
Security and traceability is improved since OAuth consent can be revoked easily, programmatically, and it can be set up to expire. This can be centralized in your organization using External OAuth.
Connections with username and password are disabled by policy in some Snowflake accounts.
Users can leverage their multi-factor authentication (MFA) to connect CARTO and Snowflake.
Additionally, it will lead to performance improvements in the future as newer versions of Snowflake APIs do not support username/password-based authentication.
To enable this for all users, navigate to Settings > Advanced Settings > Integrations, where you'll find an integration to start this process. Click on "Add" to configure the integration.
Snowflake offers two different types of OAuth-based authentication:
To setup this integration you need to be able to run queries with the ACCOUNTADMIN role in Snowflake. Ask an Snowflake admin in your organization to help if you are not one.
The high-level process to allow users to connect CARTO and Snowflake using their Snowflake credentials is to create a SECURITY INTEGRATION in Snowflake for a custom OAuth client. Then, pass the details of this integration to CARTO.
First we need to create the integration in your Snowflake console. To do this, copy and paste the provided SQL code and execute it in your Snowflake console. It will run the CREATE SECURITY INTEGRATION SQL command with all the necessary information already included.
Once the security integration has been created in Snowflake, you will need to fill the following fields in the CARTO integration panel:
Snowflake Account Name: this is your Snowflake account name, in the following format: <account_name>.snowflakecomputing.com.
Requirements
You will need to be able to run queries with the ACCOUNTADMIN role in Snowflake to setup this integration. Ask an Snowflake admin in your organization to help if you are not one.
You will also need to be able to create resources in your company's directory (the identity provider, for example Azure AD or Okta). Ask an IT admin in your organization to help if you don't have the needed permissions.
The high-level process to allow users to connect CARTO and Snowflake using an External OAuth server is to first create the necessary resources in your Identity Provider, and then use them to create a SECURITY INTEGRATION in Snowflake with type = external_oauth. Then, pass the same OAuth resources to CARTO.
We have created unique flows for Azure Active Directory, Okta, and a Custom flow for any other identity provider.
Snowflake has created different guides for each of the possible Identity Providers:
For Azure AD integrations
Please use api://snowflake-carto as your Application ID URI, as seen in the screenshot below.
Make sure that in all cases you create an OAuth Client for this integration. You will later need to pass the Client ID and Client Secret to CARTO so that it can initiate the OAuth flow for the user.
Once you finish these steps you should have created a SECURITY INTEGRATION in Snowflake and your IdP will be connected to Snowflake using OAuth. Now we just need to pass the IdP information to CARTO to leverage this integration.
Once the security integration has been created in Snowflake, you will need to fill the following fields in the CARTO integration panel:
Snowflake Account Name: this is your Snowflake account name, in the following format: <account_name>.snowflakecomputing.com.
Auth URL: The Authorization URL from your IdP that was used as external_oauth_issuer in your Snowflake security integration.
Access Tokens URL: The URL from your IdP that was used as external_oauth_jws_keys_url in your Snowflake security integration. If that field wasn't used (for example, if you specified a public key), this needs to be an URL where you can download public keys or certificates to validate an External OAuth access token.
OAuth Client ID: The ID for the OAuth client that was set up in your Authorization Server.
OAuth Client Secret: The secret for the OAuth client that was set up in your Authorization Server.
Snowflake OAuth: connect CARTO and Snowflake using your Snowflake credentials. .
External OAuth: connect CARTO and Snowflake using your company credentials from Okta, Azure Active Directory or a different identity provider, that is also being used in Snowflake. .
If you are not sure about which OAuth to configure or have any additional questions, please get in touch with our team, with your Snowflake administrators, or read the guide in their documentation.
For the exact commands and steps in the Snowflake console, please refer to the guide in the Snowflake documentation.
Auth URL: The URL found under OAUTH_ALLOWED_AUTHORIZATION_ENDPOINTS in your newly created security integration in Snowflake. You can use the command to obtain it.
Access Tokens URL: The URL found under OAUTH_ALLOWED_TOKEN_ENDPOINTS in your newly created security integration in Snowflake. You can use the command to obtain it.
OAuth Client ID: The ID found under OAUTH_CLIENT_ID in your newly created security integration in Snowflake. Use the with your integration name to obtain it.
OAuth Client Secret: The secret found under OAUTH_CLIENT_SECRET in your newly created security integration in Snowflake. Use the with your integration name to obtain it. Alternatively you can use the OAUTH_CLIENT_SECRET_2 in case you're rotating the secret.
Once you've filled all this information, click on "Save". The integration will be saved and you will be back at the Integrations list. To validate your setup, try to create a Snowflake OAuth connection as described in our guide.
CARTO and Snowflake support any valid OAuth authorization server as an identity Provider. You can find more details in the of the Snowflake documentation.
Azure AD: Follow the steps in .
Okta: Follow the steps in .
Custom: Follow the guide in .
We recommend enabling the ANY role mode as part of your setup. Read more about .
Once you've filled all this information, click on "Save". The integration will be saved and you will be back at the Integrations list. To validate your setup, try to create a Snowflake OAuth connection as described in our guide.
