Host Connection Payloads Reference Guide

connectionKey string

A unique name for the host connection.

connection.technology string

The technology backing the new host.

• Snowflake

• Databricks

connection.hostname string

The URL of your Snowflake account. This is the same as host.

connection.port integer

The port to use when connecting to your Snowflake account host. Defaults to 443.

connection.warehouse string

The default pool of compute resources the Immuta system user will use to run queries and perform other Snowflake operations.

connection.role string

The privileged Snowflake role used by the Immuta system account when configuring the Snowflake host. It must be able to see the data that Immuta will govern.

connection.authenticationType string

The authentication type to connect to the host. Make sure this auth type is the same used when requesting the script.

• keyPair

• oAuthClientCredentials

• userPassword

connection.username string

The username of the system account that can act on Snowflake objects and configure the host. Required if using keyPair or userPassword.

connection.password string

The password of the system account that can act on Snowflake objects and configure the host. Required if using userPassword.

connection.privateKeyPassword string

The Snowflake private key password. Required if using keyPair and the private key is encrypted.

connection.privateKey.keyName string

The Immuta-given name of your private key. Required if using keyPair.

This must be PRIV_KEY_FILE.

connection.privateKey.userFilename string

The name of the private key file on your machine. Required if using keyPair.

connection.privateKey.content string

The private key. Replace new lines in the private key with a backslash before the new line character: "\n". If you are using another means of configuration, such as a Python script, the "\n" should not be added. Required if using keyPair. In the integrations API, this is the config.privateKey attribute.

connection.oAuthClientConfig.useCertificate boolean

Specifies whether or not to use a certificate and private key for authenticating with OAuth. Required if using oAuthClientCredentials.

• true

• false

connection.oAuthClientConfig.clientId string

The client identifier of your registered application. Required if using oAuthClientCredentials.

connection.oAuthClientConfig.authorityUrl string

Authority URL of your identity provider. Required if using oAuthClientCredentials.

connection.oAuthClientConfig.scope string

The scope limits the operations and roles allowed in Snowflake by the access token. Required if using oAuthClientCredentials.

This must be session:role-any.

connection.oAuthClientConfig.resource string

An optional resource to pass to the token provider.

connection.oAuthClientConfig.publicCertificateThumbprint string

Your certificate thumbprint. Required if using oAuthClientCredentials and useCertificate is true.

connection.oAuthClientConfig.oauthPrivateKey.keyName string

The Immuta-given name of your private key. Required if using oAuthClientCredentials and useCertificate is true.

This must be oauth client certificate.

connection.oAuthClientConfig.oauthPrivateKey.userFilename string

The name of your private key file on your machine. Required if using oAuthClientCredentials and useCertificate is true.

connection.oAuthClientConfig.oauthPrivateKey.content string

The private key. Replace new lines in the private key with a backslash before the new line character: "\n". If you are using another means of configuration, such as a Python script, the "\n" should not be added. Required if using oAuthClientCredentials and useCertificate is true. In the integrations API, this is the config.oauthPrivateKey attribute.

connection.oAuthClientConfig.clientSecret string

Client secret of the application. Required if using oAuthClientCredentials and useCertificate is false.

settings.isActive boolean

When false, data objects will be inactive by default when created in Immuta.

options.forceRecursiveCrawl boolean

When true, both active and inactive objects will be found by object sync.

nativeIntegration object

Configuration attributes that should match the values used when getting the script from the integration endpoint.

nativeIntegration.type string

The type of technology.

• Snowflake

• Databricks

nativeIntegration.autoBootstrap boolean

When false, you must set up your environment manually before configuring the host with the API.

This must be false.

nativeIntegration.config.authenticationType string

The authentication type to connect to the host. Make sure this auth type is the same used when requesting the script.

• keyPair

• oAuthClientCredentials

• userPassword

nativeIntegration.config.username string

The username of the system account that can act on Snowflake objects and configure the host. Required if using keyPair or userPassword.

nativeIntegration.config.password string

The password of the system account that can act on Snowflake objects and configure the host. Required if using userPassword.

nativeIntegration.config.privateKeyPassword string

The Snowflake private key password. Required if using keyPair and the private key is encrypted.

nativeIntegration.config.keyName string

The Immuta-given name of your private key. Required if using keyPair.

This must be PRIV_KEY_FILE.

nativeIntegration.config.userFilename string

The name of the private key file on your machine. Required if using keyPair.

nativeIntegration.config.content string

The private key. Replace new lines in the private key with a backslash before the new line character: "\n". If you are using another means of configuration, such as a Python script, the "\n" should not be added. Required if using keyPair. In the integrations API, this is the config.privateKey attribute.

nativeIntegration.config.oAuthClientConfig.useCertificate boolean

Specifies whether or not to use a certificate and private key for authenticating with OAuth. Required if using oAuthClientCredentials.

nativeIntegration.config.oAuthClientConfig.clientId string

The client identifier of your registered application. Required if using oAuthClientCredentials.

nativeIntegration.config.oAuthClientConfig.authorityUrl string

Authority URL of your identity provider. Required if using oAuthClientCredentials.

nativeIntegration.config.oAuthClientConfig.scope string

The scope limits the operations and roles allowed in Snowflake by the access token. Required if using oAuthClientCredentials.

This must be session:role-any.

nativeIntegration.config.oAuthClientConfig.resource string

An optional resource to pass to the token provider.

nativeIntegration.config.oAuthClientConfig.oauthPrivateKey.keyName string

The Immuta-given name of your private key. Required if using oAuthClientCredentials and useCertificate is true.

This must be oauth client certificate.

nativeIntegration.config.oAuthClientConfig.oauthPrivateKey.userFiles string

The name of your private key file on your machine. Required if using oAuthClientCredentials and useCertificate is true.

nativeIntegration.config.oAuthClientConfig.oauthPrivateKey.content string

The private key. Replace new lines in the private key with a backslash before the new line character: "\n". If you are using another means of configuration, such as a Python script, the "\n" should not be added. Required if using oAuthClientCredentials and useCertificate is true. In the integrations API, this is the config.oauthPrivateKey attribute.

connection.oAuthClientConfig.clientSecret string

Client secret of the application. Required if using oAuthClientCredentials and useCertificate is false.

nativeIntegration.config.host string

The URL of your Snowflake account.

nativeIntegration.config.port integer

The port to use when connecting to your Snowflake account host. Defaults to 443.

nativeIntegration.config.warehouse string

The default pool of compute resources the Immuta system user will use to run queries and perform other Snowflake operations.

nativeIntegration.config.database string

Name of a new empty database that the Immuta system user will manage and store metadata in.

nativeIntegration.config.impersonation object

Enables user impersonation. User impersonation is not currently supported with this connection.

This must be enabled: false.

nativeIntegration.config.audit object

This object enables Snowflake query audit.

This must be enabled: true.

nativeIntegration.config.workspaces object

This object represents an Immuta project workspace configured for Snowflake. Project workspaces are not currently supported with this connection.

This must be enabled: false.

nativeIntegration.config.lineage object

Enables Snowflake lineage ingestion so that Immuta can apply tags added to Snowflake tables to their descendant data source columns. Lineage is not currently supported with this connection.

This must be enabled: false.

nativeIntegration.config.userRolePattern object

This object excludes roles and users from authorization checks. Excluded roles and users are not currently supported with this connection.

This must be exclude: [].

connectionKey string

A unique name for the host connection.

connection.technology string

The technology backing the new host.

• Snowflake

• Databricks

connection.hostname string

Your Databricks workspace URL. This is the same as host and workspaceURL.

connection.port integer

The port to use when connecting to your Databricks account host. Defaults to 443.

connection.httpPath string

The HTTP path of your Databricks cluster or SQL warehouse.

connection.authenticationType string

The authentication type to connect to the host. Make sure this auth type is the same used when requesting the script.

token

connection.token string

The Databricks personal access token for the service principal created for Immuta.

settings.isActive boolean

When false, data objects will be inactive by default when created in Immuta.

This must be false.

options.forceRecursiveCrawl boolean

When true, both active and inactive objects will be found by object sync.

This must be true.

nativeIntegration object

Configuration attributes that should match the values used when getting the script from the integration endpoint.

nativeIntegration.type string

The type of technology.

• Snowflake

• Databricks

nativeIntegration.autoBootstrap boolean

When false, you must set up your environment manually before configuring the host with the API.

This must be false.

nativeIntegration.unityCatalog boolean

When true, the integration is for Databricks Unity Catalog.

This must be true.

nativeIntegration.config.authenticationType string

The authentication type to connect to the host. Make sure this auth type is the same used when requesting the script.

token

nativeIntegration.config.token string

The Databricks personal access token for the service principal created for Immuta.

nativeIntegration.config.host string

Your Databricks workspace URL. This is the same as hostname and workspaceURL.

nativeIntegration.config.port integer

The port to use when connecting to your Databricks account host. Defaults to 443.

nativeIntegration.config.httpPath string

The HTTP path of your Databricks cluster or SQL warehouse.

nativeIntegration.config.catalog string

The name of the Databricks catalog Immuta will create to store internal entitlements and other user data specific to Immuta. This catalog will only be readable for the Immuta service principal and should not be granted to other users. The catalog name may only contain letters, numbers, and underscores and cannot start with a number.

nativeIntegration.config.audit boolean

This object enables Snowflake query audit.

This must be true.

nativeIntegration.config.enableNativeQueryParsing boolean

If true, native query parsing is enabled.

This must be false.

nativeIntegration.config.jobConfig.workspaceDirectoryPath string

The file path of the workspace directory.

This must be /Workspace/ImmutaArtifacts.

nativeIntegration.config.jobConfig.jobClusterId string

The ID of the job cluster.

This must be undefined.