You can configure standard, authorization code, key pair, and client credentials authentication types to access Snowflake. Consider using authorization code, key pair, or client credentials authentication to connect more securely to Snowflake.
Before you configure the connection properties, gather the authentication details required for the authentication type that you want to use.
Standard
To connect to Snowflake using standard authentication, you need the Snowflake account name, warehouse name, user name, and either your account password or a programmatic access token (PAT).
Let's get the required details such as the Snowflake account name, warehouse, and role details from the Snowflake account.
The following image shows you where you can find the name of your Snowflake account:
The following image shows you where you can find the name of the warehouse and role details of your Snowflake account:
Generate the programmatic access token
To connect to Snowflake using standard authentication, you can use a programmatic access token (PAT) generated in Snowflake instead of your account password.
If you use the Secure Agent deployed in your environment, serverless runtime environment, or elastic runtime environment, you need to allow the range of IP addresses to connect to Snowflake using a PAT.
To allow the range of IP addresses in Snowflake, perform the following tasks:
1. Create a network rule for the allowed IP addresses.
For more information about creating a network rule, see Working with network rules in the Snowflake documentation.
2. Create a network policy for the network rule that you created.
For more information about creating a network policy, see Working with network policies in the Snowflake documentation.
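As an added example (not taken from the Informatica or Snowflake documentation), the two steps above can look like this in a Snowflake worksheet. The object names, the `security_db.network` schema, the `203.0.113.0/24` range, the `infa_svc_user` user, and the final step of attaching the policy to that user are assumptions; use the egress IP ranges of your own Secure Agent or runtime environment.

```sql
-- Added example: names, schema, IP range and user are placeholders, not values from this page.
-- Network rules are schema-level objects, so choose a database and schema first.
USE SCHEMA security_db.network;        -- hypothetical location for security objects

-- Step 1: network rule that lists the addresses allowed to reach Snowflake.
CREATE NETWORK RULE infa_agent_ingress
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('203.0.113.0/24')      -- constructed documentation range (RFC 5737)
  COMMENT = 'Egress IPs of the Informatica runtime environment';

-- Step 2: network policy that references the rule by its fully qualified name.
CREATE NETWORK POLICY infa_pat_policy
  ALLOWED_NETWORK_RULE_LIST = ('security_db.network.infa_agent_ingress')
  COMMENT = 'Restricts logins for the Informatica service user';

-- Assumed follow-on step: attach the policy to the user that owns the PAT.
ALTER USER infa_svc_user SET NETWORK_POLICY = infa_pat_policy;

-- Review what was created and confirm which policy applies to the user.
DESCRIBE NETWORK RULE infa_agent_ingress;
DESCRIBE NETWORK POLICY infa_pat_policy;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER infa_svc_user;
```

A network policy set on a user takes precedence over the account-level policy, so the rule must list every address that user connects from.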
Authorization code
To connect to Snowflake using the OAuth 2.0 authorization code, you need the Snowflake account name, warehouse name, authorization URL, access token URL, client ID, client secret, and access token.
To get the authorization details, create a security integration in Snowflake that enables OAuth access. The security integration acts as a secure gateway for your application to connect to Snowflake. Register the following Informatica redirect URL in the security integration:
https://<Informatica cloud hosting facility for your organization>/ma/proxy/oauthcallback
If the access token expires, the Informatica redirect URL, which is outside the customer firewall, tries to connect to the endpoint and retrieves a new access token.
When you use the OAuth 2.0 authorization code to connect to Snowflake, you can use either the Snowflake OAuth provider or an external OAuth authorization server, such as Okta or Microsoft Entra ID, that uses the OAuth protocol for accessing Snowflake.
For more information about how to create a security integration and get the authorization details, see Create security integration in the Snowflake documentation.
Note: You can't use connections configured with the authorization code authentication in mappings configured in advanced mode.
Create a security integration for Snowflake
To use the OAuth 2.0 authorization code authentication with Snowflake, the Snowflake administrator needs to create a security integration in Snowflake.
When you create a security integration in Snowflake that uses Snowflake as the OAuth provider, Snowflake acts as both the OAuth authorization server and the OAuth resource server. This setup enables secure OAuth-based authentication with Snowflake using an access token issued by Snowflake.
Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.
1. Log in to Snowflake.
2. From the Worksheets tab, copy the user name and warehouse name.
Note: Keep these details handy as you need them while creating a connection.
3. Select the database and schema where you want to operate.
4. Select the resource name that you want to access.
5. In the Snowflake Console, select the ACCOUNTADMIN role and run the Security Integration command.
6. When prompted, enter the following details:
- Name of the security integration
- OAuth redirect URI that you provided when you registered the OAuth application
- Snowflake pre-authorized user roles, such as SYSADMIN and PUBLIC, that you don't need to explicitly consent to use after authenticating
7. Re-run the Security Integration command to apply changes.
The Snowflake Console creates a security integration.
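The following statement is an added example of such a security integration, not a command from the Informatica documentation. The integration name `infa_oauth_int`, the refresh token lifetime, and the blocked roles are assumptions; the redirect URI and the pre-authorized roles are the ones named on this page.

```sql
-- Added example: integration name, token lifetime and blocked roles are placeholders.
USE ROLE ACCOUNTADMIN;

CREATE SECURITY INTEGRATION infa_oauth_int
  TYPE = OAUTH                          -- Snowflake is both authorization and resource server
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'    -- the client can keep a client secret
  -- Redirect URL from this page; replace the host placeholder with your organization's value.
  OAUTH_REDIRECT_URI = 'https://<Informatica cloud hosting facility for your organization>/ma/proxy/oauthcallback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE     -- lets the client obtain a new access token on expiry
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400  -- seconds; assumed value, shorter than the 90-day default
  -- Roles that skip the consent screen (the examples this page names).
  PRE_AUTHORIZED_ROLES_LIST = ('SYSADMIN', 'PUBLIC')
  -- Roles that can never be used through this integration (assumed hardening choice).
  BLOCKED_ROLES_LIST = ('ACCOUNTADMIN', 'SECURITYADMIN');

-- Authorization URL and access token URL for the connection properties:
-- see OAUTH_AUTHORIZATION_ENDPOINT and OAUTH_TOKEN_ENDPOINT in the output.
DESCRIBE SECURITY INTEGRATION infa_oauth_int;

-- Client ID and client secret for the connection properties.
-- The integration name is passed in uppercase; treat the returned JSON as a secret.
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('INFA_OAUTH_INT');
```

Keep the pre-authorized list as short as the mappings allow, because any role in it can be used without the user seeing a consent prompt.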
The following video shows you how to get the information that you need from your Snowflake account while using the OAuth 2.0 authorization code authentication:
Create a security integration for Okta
To use the OAuth 2.0 authorization code authentication with Okta, the organization administrator needs to perform certain prerequisite tasks.
When you create a security integration in Snowflake for Okta, Snowflake acts as the OAuth resource server, while Okta serves as the external OAuth authorization server. This setup enables secure OAuth-based authentication to Snowflake using an access token issued by Okta.
1. Create an Okta account.
Note: Ensure that the Snowflake account name and Okta account name are the same.
2. Register your application in Okta from the Admin Console.
For more information about registering an application in Okta, see Set up your application in the Okta documentation.
For the detailed steps to create a security integration in Snowflake for Okta, see Configure Okta for External OAuth in the Snowflake documentation.
Create a security integration for Microsoft Entra ID
To use OAuth 2.0 authorization code authentication with Microsoft Entra ID, the organization administrator needs to perform certain prerequisite tasks.
When you create a security integration in Snowflake for Microsoft Entra ID, Snowflake acts as the OAuth resource server, while Microsoft Entra ID serves as the external OAuth authorization server. This setup enables secure OAuth-based authentication to Snowflake using an access token issued by Microsoft Entra ID.
1. Configure Snowflake as the OAuth resource in Microsoft Entra ID.
Note: Ensure that you add a scope to define the permissions your application needs to request during OAuth authentication.
2. Create an OAuth client in Microsoft Entra ID and configure it with API permissions set as Delegated Permissions.
3. Get the Microsoft Entra ID authorization details.
Note: Keep these details handy as you need them while creating the security integration in Snowflake for Microsoft Entra ID.
4. Log in as administrator in Snowflake.
5. To create a security integration in Snowflake for Microsoft Entra ID, run the following command with the valid parameter values:
Key pair
To connect to Snowflake using key pair authentication, you need the private key file and private key file password, along with your Snowflake account user name.
Generate the public and private key pair using OpenSSL. The key pair authentication method requires a 2048-bit RSA key pair. Specify the path to the private key file and password in the connection properties to access Snowflake.
Generate the public and private key
Before you generate the public and private key for key pair authentication, you need to have the security admin role or higher in Snowflake.
1. From the OpenSSL command line, generate a private key:
- To generate a decrypted private key, run the following command, and provide a passphrase when prompted:
3. Copy the public and private key files to a directory that the Secure Agent can access.
For example, C:\Program Files\Informatica Cloud Secure Agent\apps\Data_Integration_Server\data\snowflake\rsa_key.p8
You require the path details when you configure the Snowflake connection.
4. In Snowflake, assign the public key to the Snowflake user using the ALTER USER command:
alter user <user> set rsa_public_key='<content of the public key after removing the header and footer lines>';
For example, alter user jsmith set rsa_public_key='MIIXBIjABCdef...';
For more information about configuring a key pair authentication for Snowflake, see the Snowflake documentation.
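After the ALTER USER step, you can confirm that Snowflake holds the expected key and see which authentication factor the user's logins actually use. This is an added example, not part of the original procedure; it reuses the `jsmith` user from the example above and assumes the public key file is named `rsa_key.pub`.

```sql
-- Added example: verify the key assigned to jsmith and audit how that user logs in.

-- 1. Read the fingerprint of the public key that Snowflake stored for the user.
DESCRIBE USER jsmith;
SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('RSA_PUBLIC_KEY_FP', 'RSA_PUBLIC_KEY_2_FP');

-- 2. Compute the same fingerprint from the local public key file and compare it.
--    Run on the machine that holds the key (rsa_key.pub is an assumed file name):
--      openssl rsa -pubin -in rsa_key.pub -outform DER \
--        | openssl dgst -sha256 -binary | openssl enc -base64
--    Snowflake shows the value with a 'SHA256:' prefix; the Base64 part must match.

-- 3. Summarize the last 7 days of logins by authentication factor. Password logins
--    for a user that is meant to use the key pair are worth investigating.
--    ACCOUNT_USAGE views lag behind real time, so recent logins can be missing.
SELECT first_authentication_factor,
       is_success,
       COUNT(*)             AS logins,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE user_name = 'JSMITH'
  AND event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY first_authentication_factor, is_success
ORDER BY last_seen DESC;
```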
Configure the private key on an advanced cluster
After you generate the public and private key pair using OpenSSL, you need to additionally perform certain tasks for the connection to work in a mapping in advanced mode.
Before you run mappings with the configured connection on an advanced cluster, set the properties for the cluster application in the mapping task.
The following list describes the properties that you need to set in the advanced session properties in a mapping task:
Spark.NeedUserCredentialFileForAdapter=true
Copies the contents of the private key from the location you specify in Spark.UserCredentialDirOnDIS from the Secure Agent machine to the Spark driver and executors. The folder that contains the credential file is not subject to the 1 MB limit, but the credential file with the secret key content that you copy to the cluster application must not exceed 1 MB. You need to set the value to true. Default is false.
If you do not set this flag or you set this flag to false, the private key file is not copied to the cluster application and the mapping fails.
Spark.UserCredentialDirOnDIS
Overrides the default Secure Agent directory that contains the private key with the directory that you specify for copying the private key contents to the cluster application. The default directory is /infa/user/credentials. Ensure that the directory does not include the private key file name.
If you do not set this flag, the default location is used. To use the default location, create the /infa/user/credentials directory on the Secure Agent machine and then copy the private key file there.
If you set the flag to override the location specified in the advanced session properties of the mapping task, make sure that the override location that you specify in Spark.UserCredentialDirOnDIS contains the private key file. Ensure that the override location and the private key file have write permissions.
The following image shows the configured advanced custom property in the mapping task:
Client credentials
To connect to Snowflake using the OAuth 2.0 client credentials, you need the Snowflake account name, warehouse name, access token URL, client ID, client secret, scope, and access token.
Configure the OAuth endpoint with the client credentials grant type and then create a security integration to get the authorization details.
Before you use the client credentials authentication to connect to Snowflake, the organization administrator needs to perform the prerequisite tasks.
1. Create a client application that is compatible with OAuth to use with Snowflake.
2. Configure the authorization server with the client credentials grant type.
3. Create a security integration for an external OAuth in Snowflake.
When you use the OAuth 2.0 client credentials to connect to Snowflake, you need to use an external OAuth authorization server, such as Okta or Microsoft Entra ID, that uses the OAuth protocol for accessing Snowflake.
For more information about how to create a security integration for external OAuth authorization server and get the authorization details, see Create security integration for external OAuth in the Snowflake documentation.
Note: You can't use connections configured with the client credentials authentication in mappings configured in advanced mode.
Create a security integration for Okta
To use the OAuth 2.0 client credentials authentication with Okta, the organization administrator needs to perform certain prerequisite tasks.
When you create a security integration in Snowflake for Okta, Snowflake acts as the OAuth resource server, while Okta serves as the external OAuth authorization server. This setup enables secure OAuth-based authentication to Snowflake using an access token issued by Okta.
1. Create an Okta account.
Note: Ensure that the Snowflake account name and Okta account name are the same.
2. Register your application in Okta from the Admin Console.
For more information about registering an application in Okta, see Set up your application in the Okta documentation.
For the detailed steps to create a security integration in Snowflake for Okta, see Configure Okta for External OAuth in the Snowflake documentation.
Create a security integration for Microsoft Entra ID
To use OAuth 2.0 client credentials authentication with Microsoft Entra ID, you need to perform certain prerequisite tasks.
When you create a security integration in Snowflake for Microsoft Entra ID, Snowflake acts as the OAuth resource server, while Microsoft Entra ID serves as the external OAuth authorization server. This setup enables secure OAuth-based authentication to Snowflake using an access token issued by Microsoft Entra ID.
1. Configure Snowflake as the OAuth resource in Microsoft Entra ID.
Note: Ensure that you edit the manifest to manage the scopes and other application settings required for OAuth authentication.
2. Create an OAuth client in Microsoft Entra ID and configure it with API permissions set as Application Permissions.
3. Get the Microsoft Entra ID authorization details.
Note: Keep these details handy as you need them while creating the security integration in Snowflake for Microsoft Entra ID.
4. Log in as administrator in Snowflake.
5. To create a security integration in Snowflake for Microsoft Entra ID, run the following command with the valid parameter values: