Connections > Snowflake Data Cloud connection > Prepare for authentication

Prepare for authentication

You can configure standard, authorization code, client credentials, and programmatic access token authentication types to access Snowflake. Consider using authorization code, client credentials, or programmatic access token authentication to connect more securely to Snowflake. Key pair authentication type is not applicable.

Before you configure the connection properties, you need to keep the authentication details handy based on the authentication type that you want to use.

Standard

To connect to Snowflake using standard authentication, you need the Snowflake user name, password, account name, and warehouse name.

Let's get the required details such as the Snowflake account name, warehouse, and role details from the Snowflake account.

The following image shows you where you can find the name of your Snowflake account:

The Snowflake account name that you can get from the from the first part of the URL.

The following image shows you where you can find the name of the warehouse and role details of your Snowflake account:

The values for the User Role and Warehouse name fields are available on the Worksheet tab.

Authorization code

To connect to Snowflake using the OAuth 2.0 authorization code, you need the Snowflake account name, warehouse name, authorization URL, access token URL, client ID, client secret, and access token.

To get the authorization details, create a security integration in Snowflake that enables OAuth access, which acts as a secure gateway for your application to connect to Snowflake and register the following Informatica redirect URL in Security Integration:

https://<Informatica cloud hosting facility for your organization>/ma/proxy/oauthcallback

If the access token expires, Informatica redirect URL, which is outside the customer firewall, tries to connect to the endpoint and retrieves a new access token.

When you use the OAuth 2.0 authorization code to connect to Snowflake, you can use either the Snowflake OAuth provider or an external OAuth authorization server, such as Okta or Microsoft Entra ID, that uses the OAuth protocol for accessing Snowflake.

For more information about how to create a security integration and get the authorization details, see Create security integration in the Snowflake documentation.

Create a security integration for Snowflake

To use the OAuth 2.0 authorization code authentication with Snowflake, the Snowflake administrator needs to create a security integration in Snowflake.

When you create a security integration in Snowflake that uses Snowflake as the OAuth provider, Snowflake acts as both the OAuth authorization server and the OAuth resource server. This setup enables secure OAuth-based authentication with Snowflake using an access token issued by Snowflake.

Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.

1Log in to Snowflake.
2From the Worksheets tab, copy the user name and warehouse name.

Note: Keep these details handy as you need them while creating a connection.

3Select the database and schema where you want to operate.
4Select the resource name that you want to access.
5In the Snowflake Console, select the ACCOUNTADMIN role and run the Security Integration command.
6When prompted, enter the following details:

- Name of the security integration
- OAuth redirect URI that you provided when you registered the OAuth application
- Snowflake pre-authorized user roles, such as SYSADMIN and PUBLIC, that you don't need to explicitly consent to use after authenticating

For example,

Create security integration oauth_int_ac
type = oauth
enabled = true
oauth_client = custom
oauth_client_type = 'CONFIDENTIAL'
oauth_redirect_uri = 'https://<Informatica cloud hosting facility for your organization>/ma/proxy/oauthcallback'
oauth_issue_refresh_token = true
pre_authorized_roles_list = ('SYSADMIN','PUBLIC')

7Re-run the Security Integration command to apply changes.

The Snowflake Console creates a security integration.

The following video shows you how to get the information that you need from your Snowflake account while using the OAuth 2.0 authorization code authentication:

The video shows you how to get information from your Snowflake account.

Create a security integration for Okta

To use the OAuth 2.0 authorization code authentication with Okta, the organization administrator needs to perform certain prerequisites tasks.

When you create a security integration in Snowflake for Okta, Snowflake acts as the OAuth resource server, while Okta serves as the external OAuth authorization server. This setup enables secure OAuth-based authentication to Snowflake using an access token issued by Okta.

Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.

1Create an Okta account.

Note: Ensure that the Snowflake account name and Okta account name are same.

2Register your application in Okta from the Admin Console.

For more information about registering an application in Okta, see Set up your application in the Okta documentation.

3Create an authorization server in Okta.

For more information about creating an Okta authorization server, see Create an OAuth authorization server in the Snowflake documentation.

4Get the Okta authorization details.

Note: Keep these details handy as you need them while creating the security integration in Snowflake for Okta.

5Log in as administrator in Snowflake.
6To create a security integration in Snowflake for Okta, run the following command with the valid parameter values:

create security integration external_oauth_okta_2
type = external_oauth
enabled = true
external_oauth_type = okta
external_oauth_issuer = '<Okta_Issuer>'
external_oauth_jws_keys_url = '<Okta_JWS_Key_Endpoint>'
external_oauth_audience_list = ('<Snowflake_audience>')
external_oauth_token_user_mapping_claim = 'sub'
external_oauth_snowflake_user_mapping_attribute = 'login_name';

For the detailed steps to create a security integration in Snowflake for Okta, see Configure Okta for External OAuth in the Snowflake documentation.

Create a security integration for Microsoft Entra ID

To use OAuth 2.0 authorization code authentication with Microsoft Entra ID, the organization administrator needs to perform certain prerequisites tasks.

When you create a security integration in Snowflake for Microsoft Entra ID, Snowflake acts as the OAuth resource server, while Microsoft Entra ID serves as the external OAuth authorization server. This setup enables secure OAuth-based authentication to Snowflake using an access token issued by Microsoft Entra ID.

Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.

1Configure Snowflake as the OAuth resource in Microsoft Entra ID.

Note: Ensure that you add a scope to define the permissions your application needs to request during OAuth authentication.

2Create an OAuth client in Microsoft Entra ID and configure it with API permissions set as Delegated Permissions.
3Get the Microsoft Entra ID authorization details.

Note: Keep these details handy as you need them while creating the security integration in Snowflake for Microsoft Entra ID.

4Log in as administrator in Snowflake.
5To create a security integration in Snowflake for Microsoft Entra ID, run the following command with the valid parameter values:

create security integration external_oauth_azure_2
type = external_oauth
enabled = true
external_oauth_type = azure
external_oauth_issuer = '<Microsoft Entra ID_Issuer>'
external_oauth_jws_keys_url = '<Microsoft Entra ID_JWS_Key_Endpoint>'
external_oauth_audience_list = ('<Snowflake application ID URI>')
external_oauth_token_user_mapping_claim = 'upn'
external_oauth_snowflake_user_mapping_attribute = 'login_name';

For the detailed steps to create a security integration in Snowflake for Microsoft Entra ID, see Configure Microsoft Entra ID for External OAuth in the Snowflake documentation.

Client credentials

To connect to Snowflake using the OAuth 2.0 client credentials, you need the Snowflake account name, warehouse name, access token URL, client ID, client secret, scope, and access token.

Configure the OAuth endpoint with the client credentials grant type and then create a security integration to get the authorization details.

Before you use the client credentials authentication to connect Snowflake, the organization administrator needs to perform the prerequisite tasks.

1Create a client application that is compatible with OAuth to use with Snowflake.
2Configure the authorization server with the client credentials Grant type.
3Create a security integration for an external OAuth in Snowflake.

When you use the OAuth 2.0 client credentials to connect to Snowflake, you need to use an external OAuth authorization server, such as Okta or Microsoft Entra ID, that uses the OAuth protocol for accessing Snowflake.

For more information about how to create a security integration for external OAuth authorization server and get the authorization details, see Create security integration for external OAuth in the Snowflake documentation.

Create a security integration for Okta

To use the OAuth 2.0 client credentials authentication with Okta, the organization administrator needs to perform certain prerequisites tasks.

Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.

1Create an Okta account.

Note: Ensure that the Snowflake account name and Okta account name are same.

2Register your application in Okta from the Admin Console.

For more information about registering an application in Okta, see Set up your application in the Okta documentation.

3Create an authorization server in Okta.

For more information about creating an Okta authorization server, see Create an OAuth authorization server in the Snowflake documentation.

4Get the Okta authorization details.

Note: Keep these details handy as you need them while creating the security integration in Snowflake for Okta.

5Log in as administrator in Snowflake.
6To create a security integration in Snowflake for Okta, run the following command with the valid parameter values:

create security integration external_oauth_okta_2
type = external_oauth
enabled = true
external_oauth_type = okta
external_oauth_issuer = '<Okta_Issuer>'
external_oauth_jws_keys_url = '<Okta_JWS_key_Endpoint>'
external_oauth_audience_list = ('<Snowflake_audience>')
external_oauth_token_user_mapping_claim = 'sub'
external_oauth_snowflake_user_mapping_attribute = 'login_name';

For the detailed steps to create a security integration in Snowflake for Okta, see Configure Okta for External OAuth in the Snowflake documentation.

Create a security integration for Microsoft Entra ID

To use OAuth 2.0 client credentials authentication with Microsoft Entra ID, you need to perform certain prerequisites tasks.

Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.

1Configure Snowflake as the OAuth resource in Microsoft Entra ID.

Note: Ensure that you edit the manifest to manage the scopes and other application settings required for OAuth authentication.

2Create an OAuth client in Microsoft Entra ID and configure it with API permissions set as Application Permissions.
3Get the Microsoft Entra ID authorization details.

Note: Keep these details handy as you need them while creating the security integration in Snowflake for Microsoft Entra ID.

4Log in as administrator in Snowflake.
5To create a security integration in Snowflake for Microsoft Entra ID, run the following command with the valid parameter values:

create security integration external_oauth_azure_2
type = external_oauth
enabled = true
external_oauth_type = azure
external_oauth_issuer = '<Microsoft Entra ID_Issuer>'
external_oauth_jws_keys_url = '<Microsoft Entra ID_JWS_Key_Endpoint>'
external_oauth_audience_list = ('<Snowflake application ID URI>')
external_oauth_token_user_mapping_claim = 'sub'
external_oauth_snowflake_user_mapping_attribute = 'login_name';

For the detailed steps to create a security integration in Snowflake for Microsoft Entra ID, see Configure Microsoft Entra ID for External OAuth in the Snowflake documentation.

Programmatic access token

To connect to Snowflake using programmatic access token authentication, you need the Snowflake user name, programmatic access token, account name, and warehouse name.

If you use the Secure Agent deployed in your environment, serverless runtime environment, or elastic runtime environment, you need to allow the range of IP addresses to connect to Snowflake using a PAT.

To allow the range of IP addresses in Snowflake, perform the following tasks:

1Create a network rule for the allowed IP addresses.

For more information about creating a network rule, see Working with network rules in the Snowflake documentation.

2Create a network policy for the network rule that you created.

For more information about creating a network policy, see Working with network policies in the Snowflake documentation.

For the detailed steps to generate a PAT, see Generating a programmatic access token in the Snowflake documentation.