Connect Snowflake Host with Snowflake OAuth and Secret

This page details how to use the /data v1 API to connect a Snowflake host to Immuta using Snowflake OAuth with a client secret. This connection works with a single set of credentials rather than configuring an integration and registering data sources separately. To manage your host, see the Manage a host reference guide.

Requirements

To complete this guide, you must be a user with the following:

  • Immuta permissions:

    • APPLICATION_ADMIN

    • CREATE_DATA_SOURCE

  • Snowflake permissions:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION

    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION

    • CREATE USER ON ACCOUNT WITH GRANT OPTION

    • MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION

    • APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION

    • APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION

Complete the following steps to connect a Snowflake host:

  1. Use the /integrations/scripts/create endpoint to receive a script.

  2. Run the script in Snowflake.

  3. Use the /data/connection endpoint to finish creating the connection to your host and Immuta.

Step 1: Generate the script

POST /integrations/scripts/create

Copy the request and update the <placeholder_values> with your connection details. Then submit the request.

Find descriptions of the editable attributes in the table below and of the full payload in the Integration configuration payload reference guide. All values should be included and those you should not edit are noted.

curl -X 'POST' \
    'https://<your-immuta-url>/integrations/scripts/create' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: <your-bearer-token>' \
    -d '{
    "": "Snowflake",
    "": false,
    "config": {
      "host": "<your-Snowflake-hostname-url>",
      "warehouse": "<your-Snowflake-warehouse>",
      "database": "<your-Snowflake-database>",
      "": {"enabled": true},
      "": {"enabled": false},
      "": {"enabled": false},
      "": "oAuth",
      "oAuthClientConfig": {
        "provider": "<your-provider>",
        "clientId": "<your-client-ID>",
        "authorityUrl": "<your-example.authority.com>",
        "clientSecret": "<your-client-secret>",
        "": false,
        "": "session:role-any"
      }
    }
    }'

Payload parameters

AttributeDescriptionRequired

config.host string

The URL of your Snowflake account.

Yes

config.warehouse string

The default pool of compute resources the Immuta system user will use to run queries and perform other Snowflake operations.

Yes

config.database string

Name of a new empty database that the Immuta system user will manage and store metadata in.

Yes

config.oAuthClientConfig.provider string

The identity provider for OAuth, such as Okta.

Yes

config.oAuthClientConfig.clientId string

The client identifier of your registered application.

Yes

config.oAuthClientConfig.authorityUrl string

Authority URL of your identity provider.

Yes

config.oAuthClientConfig.clientSecret string

Client secret of the application.

Yes

Step 2: Run the script in Snowflake

Step one will return a script. Copy the script and run it in your Snowflake environment as a user with the permissions listed in the requirements section.

The script will allow an Immuta system user to authenticate using the Snowflake OAuth and client secret you specified in step one. This system user will have the permissions listed on the Snowflake integration reference guide. Additionally, the script will create the database you specified in step one.

Step 3: Create the host in Immuta

POST /data/connection

Copy the request and update the <placeholder_values> with your connection details. Note that the connection details here should match the ones used in step one. Then submit the request.

Find descriptions of the editable attributes in the table below and of the full payload in the Snowflake object table. All values should be included and those you should not edit are noted.

Test run

Opt to test and validate the create connection payload using a dry run:

POST /data/connection/test

curl -X 'POST' \
    'https://<your-immuta-url>/data/connection' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: <your-bearer-token>' \
    -d '{
     connectionKey: "<your-connection-key-name>",
     connection: {
       : "Snowflake",
       hostname: "<your-Snowflake-hostname-url>",
       port: <your-Snowflake-port>,
       warehouse: "<your-Snowflake-warehouse>",
       role: "<your-Snowflake-role>",
       : "oAuthClientCredentials",
       oAuthClientConfig: {
         : false,
         clientId: "<your-client-ID>",
         authorityUrl: "<your-example.authority.com>",
         : "session:role-any",
         resource: "<your-optional-resource>",
         clientSecret: "<your-client-secret>"
       }
     },
     settings: {
         : false
     },
     options: {
       : true
     },
     : {
       : "Snowflake",
       : false,
       config: {
         : "oAuthClientCredentials",
         oAuthClientConfig: {
           : false,
           clientId: "<your-client-ID>",
           authorityUrl: "<your-example.authority.com>",
           : "session:role-any",
           resource: "<your-optional-resource>",
           clientSecret: "<your-client-secret>"           
         }
         : "<your-Snowflake-hostname-url>",
         : <your-Snowflake-port>,
         : "<your-Snowflake-warehouse>",
         : "<your-Snowflake-database>",
         : { enabled: false },
         : { enabled: true },
         : { enabled: false },
         : { enabled: false },
         : { exclude: [] }
       }
     }
    }'
    

Payload parameters

AttributeDescriptionRequired

connectionKey string

A unique name for the host connection.

Yes

connection object

Configuration attributes that should match the values used when getting the script from the integration endpoint.

Yes

connection.hostname string

The URL of your Snowflake account. This is the same as host.

Yes

connection.port integer

The port to use when connecting to your Snowflake account host. Defaults to 443.

Yes

connection.warehouse string

The default pool of compute resources the Immuta system user will use to run queries and perform other Snowflake operations.

Yes

connection.role string

The privileged Snowflake role used by the Immuta system account when configuring the Snowflake host. At minimum, it must be able to see the data that Immuta will govern.

Yes

connection.oAuthClientConfig.clientId string

The client identifier of your registered application.

Yes

connection.oAuthClientConfig.authorityUrl string

Authority URL of your identity provider.

Yes

connection.oAuthClientConfig.clientSecret string

Client secret of the application.

Yes

connection.oAuthClientConfig.resource string

An optional resource to pass to the token provider.

No

nativeIntegration object

Configuration attributes that should match the values used when getting the script from the integration endpoint.

Yes

nativeIntegration.config.oAuthClientConfig.clientId string

Same as connection.oAuthClientConfig.clientId

Yes

nativeIntegration.config.oAuthClientConfig.authorityUrl string

Same as connection.oAuthClientConfig.authorityUrl

Yes

nativeIntegration.config.oAuthClientConfig.resource string

Same as connection.oAuthClientConfig.resource

No

nativeIntegration.config.oAuthClientConfig.clientSecret string

Same as connection.oAuthClientConfig.clientSecret

Yes

nativeIntegration.config.host string

Same as connection.hostname

Yes

nativeIntegration.config.port integer

Same as connection.port

Yes

nativeIntegration.config.warehouse string

Same as connection.warehouse

Yes

nativeIntegration.config.database string

Name of a new empty database that the Immuta system user will manage and store metadata in.

Yes

Response schema

AttributeDescription

objectPath string

The list of names that uniquely identify the path to a data object in the remote platform's hierarchy. The first element should be the associated connectionKey.

bulkId string

A bulk ID that can be used to search for the status of background jobs triggered by this request.

Example response

{
  objectPath: ['<your-connection-key-name>'],
  bulkId: "a-new-uuid"
}

Last updated

Self-managed versions

2024.32024.22024.12023.4

Copyright © 2014-2024 Immuta Inc. All rights reserved.