You can configure standard, authorization code, key pair, and client credentials authentication types to access Snowflake.
Before you configure the connection properties, you need to keep the authentication details handy based on the authentication type that you want to use.
Standard
To connect to Snowflake using standard authentication, you need the Snowflake account user name and password.
Let's get the required details such as the Snowflake account name, warehouse, and role details from the Snowflake account.
The following image shows you where you can find the name of your Snowflake account:
The following image shows you where you can find the name of the warehouse and role details of your Snowflake account:
Authorization code
To connect to Snowflake using the OAuth 2.0 authorization code, you need the Snowflake client ID, authorization URL, access token URL, and access token.
To get the authorization details, you need to create an authorization integration in Snowflake, and register the Informatica redirect URL in Security Integration. Security Integration is a type of integration that enables clients that support OAuth to redirect users to an authorization page and generate access tokens, and optionally, refresh tokens to access Snowflake.
Register the following Informatica redirect URL in Security Integration:
https://<Informatica cloud hosting facility for your organization>/ma/proxy/oauthcallback
If the access token expires, Informatica redirect URL, which is outside the customer firewall, tries to connect to the endpoint and retrieves a new access token.
For more information about how to create a security integration and get the authorization details, see Create security integration in the Snowflake documentation.
Note: You can't use connections configured with the authorization code authentication in mappings configured in advanced mode.
Key pair
To connect to Snowflake using key pair authentication, you need the private key file and private key file password, along with your Snowflake account user name.
Generate the public and private key pair using OpenSSL. The key pair authentication method requires a 2048-bit RSA key pair. Specify the path to the private key file and password in the connection properties to access Snowflake.
Generate the public and private key
Before you generate the public and private key for key pair authentication, you need to have the security admin role or higher in Snowflake.
1From the OpenSSL command line, generate a private key:
- To generate a decrypted private key, run the following command, and provide a passphrase when prompted:
3Copy the public and private key files in a directory that the Secure Agent can access.
For example, C:\Program Files\Informatica Cloud Secure Agent\apps\Data_Integration_Server\data\snowflake\rsa_key.p8
You require the path details when you configure the Snowflake connection.
4In Snowflake, assign the public key to the Snowflake user using the ALTER USER command:
alter user <user> set rsa_public_key='<content of the public key after removing the header and footer lines>';
For example, alter user jsmith set rsa_public_key='MIIXBIjABCdef...';
For more information about configuring a key pair authentication for Snowflake, see the Snowflake documentation.
Configure the private key on an advanced cluster
After you generate the public and private key pair using OpenSSL, you need to additionally perform certain tasks for the connection to work in a mapping in advanced mode.
Before you run mappings with the configured connection on an advanced cluster, set the properties for the cluster application in the mapping task.
The following list describes the properties that you need to set in the advanced session properties in a mapping task:
Spark.NeedUserCredentialFileForAdapter=true
Copies the contents of the private key from the location you specify in Spark.UserCredentialDirOnDIS from the Secure Agent machine to the Spark driver and executers. The folder that contains the credential file does not have the 1 MB limit. You need to ensure that the credential file of the secret key content that you copy to the cluster application does not exceed 1 MB. You need to set the value to true. Default is false.
If you do not set this flag or you set this flag to false, the private key file is not copied to the cluster application and the mapping fails.
Overrides the default Secure Agent directory that contains the private key with the directory that you specify for copying the private key contents to the cluster application. The default directory is /infa/user/credentials. Ensure that the directory does not include the private key file name.
If you do not set this flag, the default location is used. To use the default location, create the /infa/user/credentials directory on the Secure Agent machine and the copy the private key file here.
If you set the flag to override the location specified in the advanced session properties of the mapping task, make sure that the override location that you specify in Spark.UserCredentialDirOnDIS contains the private key file. Ensure that the override location and the private key file have the write permissions.
The following image shows the configured advanced custom property in the mapping task:
Client credentials
To connect to Snowflake using OAuth 2.0 client credentials, you need your Snowflake client ID, access token URL, client secret, scope, and the access token.
Configure the OAuth endpoint with the client credentials grant type and then create a security integration to get the authorization details.
Before you use the client credentials authentication to connect Snowflake, the organization administrator needs to perform the prerequisite tasks.
1Create a client application that is compatible with OAuth to use with Snowflake.
2Configure the authorization server with the client credentials Grant type.
3Create a security integration of type OAuth in Snowflake.
