Create a Snowflake Data Cloud connection to securely read data from or write data to Snowflake.
Prepare for authentication
Before you configure the connection properties, you need to keep the authentication details handy based on the authentication type that you want to use.
Standard
To connect to Snowflake using standard authentication, you need the Snowflake account user name and password.
Let's get the required details such as the Snowflake account name, warehouse, and role details from the Snowflake account.
The following image shows you where you can find the name of your Snowflake account:
The following image shows you where you can find the name of the warehouse and role details of your Snowflake account:
Authorization code
To connect to Snowflake using the OAuth 2.0 authorization code, you need the Snowflake client ID, authorization URL, access token URL, and access token.
To get the authorization details, you need to create an authorization integration in Snowflake, and register the Informatica redirect URL in Security Integration. Security Integration is a type of integration that enables clients that support OAuth to redirect users to an authorization page and generate access tokens, and optionally, refresh tokens to access Snowflake.
Register the following Informatica redirect URL in Security Integration:
https://<Informatica cloud hosting facility for your organization>/ma/proxy/oauthcallback
If the access token expires, the Informatica redirect URL, which is outside the customer firewall, tries to connect to the endpoint and retrieves a new access token.
For more information about how to create a security integration and get the authorization details, see Create security integration in the Snowflake documentation.
Key pair
To connect to Snowflake using key pair authentication, you need the private key file and private key file password, along with your Snowflake account user name.
Generate the public and private key pair using OpenSSL. The key pair authentication method requires a 2048-bit RSA key pair. Specify the path to the private key file and password in the connection properties to access Snowflake.
Generate the public and private key
Before you generate the public and private key for key pair authentication, you need to have the security admin role or higher in Snowflake.
1. From the OpenSSL command line, generate a private key:
- To generate a decrypted private key, run the following command, and provide a passphrase when prompted:
3. Copy the public and private key files to a directory that the Secure Agent can access.
For example, C:\Program Files\Informatica Cloud Secure Agent\apps\Data_Integration_Server\data\snowflake\rsa_key.p8
You require the path details when you configure the Snowflake connection.
4. In Snowflake, assign the public key to the Snowflake user using the ALTER USER command:
alter user <user> set rsa_public_key='<content of the public key after removing the header and footer lines>';
For example, alter user jsmith set rsa_public_key='MIIXBIjABCdef...';
For more information about configuring a key pair authentication for Snowflake, see the Snowflake documentation.
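The steps above as one script, added here as an example (not Informatica's or Snowflake's own code): it generates an encrypted 2048-bit key, derives the public key, and prints the ALTER USER statement. The function names, the SNOWFLAKE_KEY_PASSPHRASE and PKCS8_CIPHER variables, and the AES-256 cipher choice are assumptions of this example; rsa_key.p8 follows the file name used above.

```shell
#!/bin/sh
# Added example: key pair for Snowflake key pair authentication.
# Assumptions: the passphrase is read from SNOWFLAKE_KEY_PASSPHRASE so it never
# appears on a command line, and PKCS8_CIPHER is a cipher that the agent's
# JDBC driver can decrypt.
PKCS8_CIPHER=${PKCS8_CIPHER:-aes-256-cbc}

# Print the modulus size, in bits, of an encrypted private key file.
key_bits() {
  openssl rsa -in "$1" -passin env:SNOWFLAKE_KEY_PASSPHRASE -noout -text 2>/dev/null |
    sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Create DIR/rsa_key.p8 (encrypted PKCS#8) and DIR/rsa_key.pub.
# The body runs in a subshell so the umask change does not leak to the caller.
gen_snowflake_keypair() (
  dir=$1
  [ -n "${SNOWFLAKE_KEY_PASSPHRASE:-}" ] ||
    { echo "set SNOWFLAKE_KEY_PASSPHRASE first" >&2; exit 1; }
  export SNOWFLAKE_KEY_PASSPHRASE
  umask 077                      # new files are readable by the owner only
  mkdir -p "$dir" || exit 1
  openssl genrsa 2048 2>/dev/null |
    openssl pkcs8 -topk8 -v2 "$PKCS8_CIPHER" -inform PEM \
      -passout env:SNOWFLAKE_KEY_PASSPHRASE -out "$dir/rsa_key.p8" || exit 1
  openssl rsa -in "$dir/rsa_key.p8" -passin env:SNOWFLAKE_KEY_PASSPHRASE \
    -pubout -out "$dir/rsa_key.pub" 2>/dev/null || exit 1
  chmod 600 "$dir/rsa_key.p8"
  # Key pair authentication requires a 2048-bit RSA key; verify before use.
  [ "$(key_bits "$dir/rsa_key.p8")" = 2048 ] ||
    { echo "generated key is not 2048-bit RSA" >&2; exit 1; }
)

# Print the public key with the header and footer lines removed, on one line.
public_key_body() {
  grep -v '^-----' "$1" | tr -d '\r\n'
}

# Print the ALTER USER statement for USER and a public key file.
# The user name is restricted to letters, digits and underscore so that the
# generated SQL cannot be altered by a crafted name.
alter_user_sql() {
  user=$1
  pub=$2
  case $user in
    '' | *[!A-Za-z0-9_]*)
      echo "unexpected character in user name" >&2
      return 1
      ;;
  esac
  printf "alter user %s set rsa_public_key='%s';\n" "$user" "$(public_key_body "$pub")"
}

# Usage (constructed names):
#   export SNOWFLAKE_KEY_PASSPHRASE='...'
#   gen_snowflake_keypair ./snowflake && alter_user_sql jsmith ./snowflake/rsa_key.pub
```

The passphrase used here is the value to enter as the private key file password in the connection properties.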
Configure the private key on an advanced cluster
After you generate the public and private key pair using OpenSSL, you need to additionally perform certain tasks for the connection to work in a mapping in advanced mode.
Before you run mappings with the configured connection on an advanced cluster, set the properties for the cluster application in the mapping task.
The following list describes the properties that you need to set in the advanced session properties in a mapping task:
Spark.NeedUserCredentialFileForAdapter=true
Copies the contents of the private key from the location you specify in Spark.UserCredentialDirOnDIS from the Secure Agent machine to the Spark driver and executors. The folder that contains the credential file does not have the 1 MB limit. You need to ensure that the credential file of the secret key content that you copy to the cluster application does not exceed 1 MB. You need to set the value to true. Default is false.
If you do not set this flag or you set this flag to false, the private key file is not copied to the cluster application and the mapping fails.
Spark.UserCredentialDirOnDIS
Overrides the default Secure Agent directory that contains the private key with the directory that you specify for copying the private key contents to the cluster application. The default directory is /infa/user/credentials. Ensure that the directory does not include the private key file name.
If you do not set this flag, the default location is used. To use the default location, create the /infa/user/credentials directory on the Secure Agent machine and then copy the private key file there.
If you set the flag to override the location specified in the advanced session properties of the mapping task, make sure that the override location that you specify in Spark.UserCredentialDirOnDIS contains the private key file. Ensure that the override location and the private key file have the write permissions.
The following image shows the configured advanced custom property in the mapping task:
Client credentials
To connect to Snowflake using OAuth 2.0 client credentials, you need your Snowflake client ID, access token URL, client secret, scope, and the access token.
Configure the OAuth endpoint with the client credentials grant type and then create a security integration to get the authorization details.
Before you use the client credentials authentication to connect to Snowflake, the organization administrator needs to perform the prerequisite tasks.
1. Create a client application that is compatible with OAuth to use with Snowflake.
2. Configure the authorization server with the client credentials grant type.
3. Create a security integration of type OAuth in Snowflake.
The following table describes the basic connection properties:
Property
Description
Connection Name
Name of the connection.
Each connection name must be unique within the organization. Connection names can contain alphanumeric characters, spaces, and the following special characters: _ . + -,
Maximum length is 255 characters.
Description
Description of the connection. Maximum length is 4000 characters.
Type
Snowflake Data Cloud
Runtime Environment
The name of the runtime environment where you want to run tasks.
You cannot run application ingestion and replication tasks and database ingestion and replication tasks on a Hosted Agent or serverless runtime environment.
Authentication types
Select the required authentication method and then configure the authentication-specific parameters.
Standard authentication
Standard authentication is the default type, which requires at a minimum your Snowflake account name and password.
The following table describes the basic connection properties for standard authentication:
Property
Description
Username
The user name to connect to the Snowflake account.
Password
The password to connect to the Snowflake account.
Account
The name of the Snowflake account.
For example, if the Snowflake URL is https://<123abc>.us-east-2.aws.snowflakecomputing.com/console/login#/, your account name is the first segment in the URL before snowflakecomputing.com. Here, 123abc.us-east-2.aws is your account name.
If you use the Snowsight URL, for example, https://app.snowflake.com/us-east-2.aws/<123abc>/dashboard, your account name is 123abc.us-east-2.aws.
Note: Ensure that the account name doesn't contain underscores. If the account name contains underscores, you need to use the alias name. To use an alias name, contact Snowflake Customer Support.
Warehouse
The Snowflake warehouse name.
Advanced settings
The following table describes the advanced connection properties for standard authentication:
Property
Description
Role
The Snowflake role assigned to the user.
Additional JDBC URL Parameters
The additional JDBC connection parameters.
You can specify multiple JDBC connection parameters, separated by ampersand (&), in the following format:
For example, you can pass the following database and schema values when you connect to Snowflake:
db=mydb&schema=public
When you add parameters, ensure that there is no space before and after the equal sign (=).
For the list of additional JDBC parameters that you can configure, see JDBC URL parameters.
Authorization code authentication
OAuth 2.0 authentication requires the OAuth 2.0 protocol with Authorization Code grant type to connect to Snowflake. Authorization Code allows authorized access to Snowflake without the need to share or store your login credentials.
The following table describes the basic connection properties for OAuth 2.0 authorization code authentication:
Property
Description
Account
The name of the Snowflake account.
For example, if the Snowflake URL is https://<123abc>.us-east-2.aws.snowflakecomputing.com/console/login#/, your account name is the first segment in the URL before snowflakecomputing.com. Here, 123abc.us-east-2.aws is your account name.
If you use the Snowsight URL, for example, https://app.snowflake.com/us-east-2.aws/<123abc>/dashboard, your account name is 123abc.us-east-2.aws.
Note: Ensure that the account name doesn't contain underscores. If the account name contains underscores, you need to use the alias name. To use an alias name, contact Snowflake Customer Support.
Warehouse
The Snowflake warehouse name.
Authorization URL
The Snowflake server endpoint that is used to authorize the user request.
The authorization URL is https://<account name>.snowflakecomputing.com/oauth/authorize, where <account name> specifies the full name of your account provided by Snowflake.
For example, https://<abc>.snowflakecomputing.com/oauth/authorize
Note: If the account name contains underscores, use the alias name.
You can also use the Authorization Code grant type that supports the authorization server in a Virtual Private Cloud network.
Access Token URL
The Snowflake access token endpoint that is used to exchange the authorization code to get an access token.
The access token URL is https://<account name>.snowflakecomputing.com/oauth/token-request, where <account name> specifies the full name of your account provided by Snowflake.
For example, https://<abc>.snowflakecomputing.com/oauth/token-request
Note: Ensure that the account name doesn't contain underscores. If the account name contains underscores, you need to use the alias name. To use an alias name, contact Snowflake Customer Support.
Client ID
Client ID of your application generated when you create a security integration of type OAuth in Snowflake.
Client Secret
Client secret generated for the client ID.
Access Token
The access token value.
Enter the populated access token value that you get from the OAuth endpoint, or click Generate Access Token to populate the access token value.
Advanced settings
The following table describes the advanced connection properties for OAuth 2.0 authorization code authentication:
Property
Description
Additional JDBC URL Parameters
The additional JDBC connection parameters.
You can specify multiple JDBC connection parameters, separated by ampersand (&), in the following format:
For example, you can pass the following database and schema values when you connect to Snowflake:
db=mydb&schema=public
When you add parameters, ensure that there is no space before and after the equal sign (=).
For the list of additional JDBC parameters that you can configure, see JDBC URL parameters.
Scope
Determines the access control when the API endpoint has defined custom scopes.
For example, specify session:role:CQA_GCP as the scope to override the value of the default user role. The value needs to be one of the roles assigned in Security Integration.
To enter multiple scope attributes, separate each scope attribute with a space.
Access Token Parameters
Additional parameters to use with the access token URL.
Define the access token parameters in the following JSON format:
Enter the populated refresh token value that you get from the OAuth endpoint, or click Generate Access Token to populate the refresh token value. If the access token is not valid or expires, the Secure Agent fetches a new access token with the help of the refresh token.
Note: If the refresh token expires, provide a valid refresh token or regenerate a new refresh token by clicking Generate Access Token.
Key pair authentication
Key pair authentication requires the private key file and private key file password, along with your Snowflake account user name to connect to Snowflake.
The following table describes the basic connection properties for key pair authentication:
Property
Description
Username
The user name to connect to the Snowflake account.
Account
The name of the Snowflake account.
For example, if the Snowflake URL is https://<123abc>.us-east-2.aws.snowflakecomputing.com/console/login#/, your account name is the first segment in the URL before snowflakecomputing.com. Here, 123abc.us-east-2.aws is your account name.
If you use the Snowsight URL, for example, https://app.snowflake.com/us-east-2.aws/<123abc>/dashboard, your account name is 123abc.us-east-2.aws.
Note: Ensure that the account name doesn't contain underscores. If the account name contains underscores, you need to use the alias name. To use an alias name, contact Snowflake Customer Support.
Warehouse
The Snowflake warehouse name.
Private Key File
Path to the private key file, including the private key file name, that the Secure Agent uses to access Snowflake.
For example, specify the following path and key file name in the Secure Agent machine:
- On Windows: C:\Users\path_to_key_file\rsa_key.p8
- On Linux: /export/home/user/path_to_key_file/rsa_key.p8
To use the serverless runtime environment, specify the following path and key file name in the serverless agent directory:
For example, you can pass the following database and schema values when you connect to Snowflake:
db=mydb&schema=public
When you add parameters, ensure that there is no space before and after the equal sign (=).
For the list of additional JDBC parameters that you can configure, see JDBC URL parameters.
Private Key File Password
Password for the private key file.
Client credentials authentication
OAuth 2.0 client credentials authentication requires at a minimum the client ID, access token URL, client secret, scope, and the access token.
The following table describes the basic connection properties for OAuth 2.0 client credentials authentication:
Property
Description
Account
The name of the Snowflake account.
For example, if the Snowflake URL is https://<123abc>.us-east-2.aws.snowflakecomputing.com/console/login#/, your account name is the first segment in the URL before snowflakecomputing.com. Here, 123abc.us-east-2.aws is your account name.
If you use the Snowsight URL, for example, https://app.snowflake.com/us-east-2.aws/<123abc>/dashboard, your account name is 123abc.us-east-2.aws.
Note: Ensure that the account name doesn't contain underscores. If the account name contains underscores, you need to use the alias name. To use an alias name, contact Snowflake Customer Support.
Warehouse
The Snowflake warehouse name.
Access Token URL
The Snowflake access token endpoint that is used to exchange the authorization code for an access token.
Specify the access token URL that you get from the OAuth endpoint.
Client ID
Client ID of your application generated when you configure the application for OAuth.
Client Secret
Client secret generated for the client ID.
Scope
Determines the access control when the API endpoint has defined custom scopes.
For example, specify session:role:CQA_GCP as the scope to override the value of the default user role. The value needs to be one of the roles assigned in Security Integration.
To enter multiple scope attributes, separate each scope attribute with a space.
Access Token
The access token value.
Enter the populated access token value that you get from the OAuth endpoint, or click Generate Access Token to populate the access token value.
Advanced settings
The following table describes the advanced connection properties for OAuth 2.0 client credentials authentication:
Property
Description
Additional JDBC URL Parameters
The additional JDBC connection parameters.
You can specify multiple JDBC connection parameters, separated by ampersand (&), in the following format:
For more information about access token parameters that you can define, see Introduction to OAuth in the Snowflake documentation.
JDBC URL parameters
You can use the additional JDBC URL parameters field in the Snowflake Data Cloud connection to customize and set any additional parameters when you connect to Snowflake.
The Snowflake warehouse, database, schema, table, and storage integration names are case-sensitive. Be sure to take this into account when you define properties in the additional JDBC parameters field.
You can configure the following properties as additional JDBC URL parameters in the Snowflake Data Cloud connection:
• To override the database and schema name used to create temporary tables in Snowflake, enter the database and schema name in the following format:
• To load data from Amazon S3, Google Cloud Storage, or Microsoft Azure Data Lake Storage Gen2 to Snowflake for SQL ELT optimization, enter the Cloud Storage Integration name created for the Amazon S3, Google Cloud Storage, or Microsoft Azure Data Lake Storage Gen2 account in Snowflake in the following format:
storage_integration=<Storage Integration name>
The storage integration name is case-sensitive. For example, if the storage integration name you created for Amazon S3, Google Cloud Storage, or Microsoft Azure Data Lake Storage Gen2 in Snowflake is STORAGE_INT, you need to specify the same integration name:
storage_integration=STORAGE_INT
Note: You can also load data from Amazon S3 to Snowflake for SQL ELT optimization without using storage integration.
• To connect to Snowflake using the proxy server, enter the following parameters:
useProxy=true&proxyHost=<Proxy host IP address>&proxyPort=<Proxy server port number>&proxyUser=<Proxy server user name>&proxyPassword=<Proxy server password>
• To ignore double quotes in the table and treat all tables as case-insensitive, enter the following parameter:
QUOTED_IDENTIFIERS_IGNORE_CASE=true
When you set this property in the connection to true, Snowflake ignores the double quotes in the table and treats all tables as case-insensitive.
If you have set this property to true, you cannot access case-sensitive tables with the same connection. You need to create a new connection to fetch any existing case-sensitive tables.
• To filter queries that are executed in a Snowflake job on the Snowflake web interface, enter the tag name in the following format:
query_tag=<Tag name>
You have an option to override the query_tag parameter that is defined in the Snowflake connection when you run a mapping task.
To override the query_tag parameter, click the Runtime Options tab of the mapping task. In the Advanced Session Properties section, select Custom Properties from the Session Property Name list, and then enter the following value:
snowflake_query_tag=<Tag name>
Note: In advanced mode, you can't override the query_tag parameter.
In addition to the parameters listed, this field provides you the flexibility to configure other Snowflake parameters based on your requirements.
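A pre-save check for the additional JDBC URL parameters value, covering the rules in this section; it is an added example, not Informatica or Snowflake code. The function name lint_jdbc_params and the rule that useProxy=true needs proxyHost and proxyPort are assumptions of this example, and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example: lint an "Additional JDBC URL Parameters" value before it is
# saved in the connection. Findings name the item position and key only, never
# the value, so a proxyPassword cannot leak into logs or tickets.
# Returns 0 when there are no errors and 1 otherwise.
lint_jdbc_params() {
  params=$1
  status=0
  n=0
  use_proxy=0
  keys=' '
  old_ifs=$IFS
  IFS='&'
  set -f                  # no glob expansion while splitting
  set -- $params          # split the value on '&'
  set +f
  IFS=$old_ifs
  for pair in "$@"; do
    n=$((n + 1))
    case $pair in
      *=*) ;;
      *) echo "error: item $n is not key=value"; status=1; continue ;;
    esac
    # Strip whitespace from the key for reporting and lookups only.
    key=$(printf '%s' "${pair%%=*}" | tr -d '[:space:]')
    value=${pair#*=}
    case $pair in
      *[[:space:]]*) echo "error: item $n ($key) contains whitespace"; status=1 ;;
    esac
    if [ -z "$key" ] || [ -z "$value" ]; then
      echo "error: item $n has an empty key or value"; status=1
    fi
    keys="$keys$key "
    if [ "$key=$value" = "useProxy=true" ]; then
      use_proxy=1
    fi
    if [ "$key=$value" = "QUOTED_IDENTIFIERS_IGNORE_CASE=true" ]; then
      echo "note: case-sensitive tables need a separate connection"
    fi
  done
  # Assumption of this example: a proxy needs at least a host and a port.
  if [ "$use_proxy" = 1 ]; then
    for need in proxyHost proxyPort; do
      case $keys in
        *" $need "*) ;;
        *) echo "error: useProxy=true without $need"; status=1 ;;
      esac
    done
  fi
  return $status
}

# Constructed sample values:
#   lint_jdbc_params 'db=mydb&schema=public'                  -> clean
#   lint_jdbc_params 'useProxy=true& proxyHost=10.0.0.5'      -> two errors
```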
Microsoft Azure Active Directory for external OAuth authorization
You can use Microsoft Azure Active Directory as an external OAuth authorization server to authenticate Snowflake.
To use Microsoft Azure Active Directory as an external OAuth authorization server, select Authorization Code as the authentication type in the connection properties. Provide the account name, warehouse, authorization URL, access token URL, client ID, client secret, access token, and scope details from the Microsoft Azure Active Directory OAuth authorization server.
If your organization uses an outgoing proxy server to connect to the Internet, the Secure Agent connects to Informatica Intelligent Cloud Services through the proxy server.
You can configure the Secure Agent to use the proxy server on Windows and Linux. You can use the unauthenticated or authenticated proxy server. You can configure proxy for connections used both in mappings and in mappings in advanced mode.
To configure proxy settings for the Secure Agent, use one of the following methods:
• Configure the Secure Agent through the Secure Agent Manager on Windows or shell command on Linux.
• Configure the JVM options for the DTM in the Secure Agent properties. For instructions, see the Proxy server settings Knowledge Base article.
• Configure the proxy server properties in the additional JDBC URL parameters in the Snowflake connection. For more information, see .
Private links to access Snowflake
You can access Snowflake using AWS or Azure Private Link endpoints.
When you create a Snowflake Data Cloud connection, specify the Snowflake private link account name in the Account field in the connection properties.
The AWS or Azure Private Link setup ensures that the connection to Snowflake uses the AWS or Azure internal network and does not take place over the public Internet.
Use the serverless runtime environment with key pair authentication
You can use a serverless runtime environment hosted on AWS or Azure to connect to Snowflake with key pair authentication.
Before you configure a Snowflake connection using the serverless runtime environment, perform the following tasks:
• Add the private key file path and file name in the Amazon S3 bucket or Azure container in your AWS or Azure account.
• Configure the .yml serverless configuration file.
• Configure the connection properties to connect to Snowflake.
Add the private key file path and file name in the Amazon S3 bucket or Azure container in your AWS or Azure account
Perform the following steps to configure a Snowflake connection in a serverless runtime environment:
1. Create the following structure for the serverless agent configuration in AWS or Azure: <Supplementary file location>/serverless_agent_config
2. Add the path to the private key file, including the private key file name, in the Amazon S3 bucket or Azure container in the following location in your AWS or Azure account: <Supplementary file location>/serverless_agent_config/SSL
Configure the .yml serverless configuration file
Perform the following steps to configure the .yml serverless configuration file in the serverless runtime environment, and to copy the private key file path and file name entries to the serverless agent directory:
1. Copy the following code snippet to a text editor:
where the source path is the directory path of the private key file in AWS or Azure.
2. Ensure that the syntax and indentations are valid, and then save the file as serverlessUserAgentConfig.yml in the following AWS or Azure location: <Supplementary file location>/serverless_agent_config
When the .yml file runs, the private key file is copied from the AWS or Azure location to the serverless agent directory.
Configure the connection properties to connect to Snowflake
Specify the path to the private key file, including the private key file name, in the Private Key File field in the Snowflake Data Cloud connection.
For example, /home/cldagnt/SystemAgent/serverless/configurations/ssl_store/<Private key file name>