Connect Snowflake Host with Snowflake OAuth and Secret
This page details how to use the /data
v1 API to connect a Snowflake host to Immuta using Snowflake OAuth with a client secret. This connection works with a single set of credentials rather than configuring an integration and registering data sources separately. To manage your host, see the Manage a host reference guide.
Requirements
To complete this guide, you must be a user with the following:
Immuta permissions:
APPLICATION_ADMIN
CREATE_DATA_SOURCE
Snowflake permissions:
CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
CREATE ROLE ON ACCOUNT WITH GRANT OPTION
CREATE USER ON ACCOUNT WITH GRANT OPTION
MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION
APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION
APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION
Complete the following steps to connect a Snowflake host:
Use the
/integrations/scripts/create
endpoint to receive a script.Run the script in Snowflake.
Use the
/data/connection
endpoint to finish creating the connection to your host and Immuta.
Step 1: Generate the script
POST
/integrations/scripts/create
Copy the request and update the <placeholder_values>
with your connection details. Then submit the request.
Find descriptions of the editable attributes in the table below and of the full payload in the Integration configuration payload reference guide. All values should be included and those you should not edit are noted.
Payload parameters
Attribute | Description | Required |
---|---|---|
config.host | The URL of your Snowflake account. | Yes |
config.warehouse | The default pool of compute resources the Immuta system user will use to run queries and perform other Snowflake operations. | Yes |
config.database | Name of a new empty database that the Immuta system user will manage and store metadata in. | Yes |
config.oAuthClientConfig.provider | The identity provider for OAuth, such as Okta. | Yes |
config.oAuthClientConfig.clientId | The client identifier of your registered application. | Yes |
config.oAuthClientConfig.authorityUrl | Authority URL of your identity provider. | Yes |
config.oAuthClientConfig.clientSecret | Client secret of the application. | Yes |
Step 2: Run the script in Snowflake
Step one will return a script. Copy the script and run it in your Snowflake environment as a user with the permissions listed in the requirements section.
The script will allow an Immuta system user to authenticate using the Snowflake OAuth and client secret you specified in step one. This system user will have the permissions listed on the Snowflake integration reference guide. Additionally, the script will create the database you specified in step one.
Step 3: Create the host in Immuta
POST
/data/connection
Copy the request and update the <placeholder_values>
with your connection details. Note that the connection details here should match the ones used in step one. Then submit the request.
Find descriptions of the editable attributes in the table below and of the full payload in the Snowflake object table. All values should be included and those you should not edit are noted.
Test run
Opt to test and validate the create connection payload using a dry run:
POST
/data/connection/test
Payload parameters
Attribute | Description | Required |
---|---|---|
connectionKey | A unique name for the host connection. | Yes |
connection | Configuration attributes that should match the values used when getting the script from the integration endpoint. | Yes |
connection.hostname | The URL of your Snowflake account. This is the same as | Yes |
connection.port | The port to use when connecting to your Snowflake account host. Defaults to | Yes |
connection.warehouse | The default pool of compute resources the Immuta system user will use to run queries and perform other Snowflake operations. | Yes |
connection.role | The privileged Snowflake role used by the Immuta system account when configuring the Snowflake host. At minimum, it must be able to see the data that Immuta will govern. | Yes |
connection.oAuthClientConfig.clientId | The client identifier of your registered application. | Yes |
connection.oAuthClientConfig.authorityUrl | Authority URL of your identity provider. | Yes |
connection.oAuthClientConfig.clientSecret | Client secret of the application. | Yes |
connection.oAuthClientConfig.resource | An optional resource to pass to the token provider. | No |
nativeIntegration | Configuration attributes that should match the values used when getting the script from the integration endpoint. | Yes |
nativeIntegration.config.oAuthClientConfig.clientId | Same as | Yes |
nativeIntegration.config.oAuthClientConfig.authorityUrl | Same as | Yes |
nativeIntegration.config.oAuthClientConfig.resource | Same as | No |
nativeIntegration.config.oAuthClientConfig.clientSecret | Same as | Yes |
nativeIntegration.config.host | Same as | Yes |
nativeIntegration.config.port | Same as | Yes |
nativeIntegration.config.warehouse | Same as | Yes |
nativeIntegration.config.database | Name of a new empty database that the Immuta system user will manage and store metadata in. | Yes |
Response schema
Attribute | Description |
---|---|
objectPath | The list of names that uniquely identify the path to a data object in the remote platform's hierarchy. The first element should be the associated |
bulkId | A bulk ID that can be used to search for the status of background jobs triggered by this request. |
Example response
Last updated