Connect to Snowflake with OAuth

If you want to authenticate to Snowflake from Sigma using OAuth, follow the steps in this document after you complete the first two steps to Connect to Snowflake:

  1. Add a connection and specify connection details
  2. Specify your connection credentials

This document describes how to connect Sigma to Snowflake using one of several possible OAuth configurations:

After you set up your OAuth configuration for the connection, do the following:

  1. Complete the configuration steps for OAuth. See Complete your OAuth configuration.
  2. Complete the rest of the setup steps for your connection. See Configure write access and Configure connection features for additional options.

For more details about using OAuth with Sigma, see Configure OAuth.

Requirements

You must be assigned the Admin account type in Sigma.

Connect to Snowflake with organization-level OAuth

If you use OAuth to authenticate users to your Sigma organization with an external IdP (such as Okta, Microsoft Entra ID, Auth0, or PingIdentity) and you want to reuse that OAuth configuration for this connection:

  1. In the Connection credentials section, turn on the Use organization-level OAuth configuration toggle.
  2. Complete the remaining configuration steps for OAuth. See Complete your OAuth configuration.

If you do not use OAuth to authenticate users to your Sigma organization, the toggle is not displayed. Follow the steps in Connect to Snowflake with connection-level OAuth instead.

Connect to Snowflake with connection-level OAuth

🚩

This documentation describes one or more public beta features that are in development. Beta features are subject to quick, iterative changes; therefore the current user experience in the Sigma service can differ from the information provided in this page.

This page should not be considered official published documentation until Sigma removes this notice and the beta flag on the corresponding feature(s) in the Sigma service. For the full beta feature disclaimer, see Beta features.

You can connect to Snowflake with a different OAuth configuration than the one you use to authenticate users to Sigma. You might configure connection-level OAuth if Sigma users have user accounts in Snowflake and you want your Snowflake policies and grants to be inherited in Sigma on a per-user basis, regardless of the authentication method set up for your Sigma organization. For example, you can connect to Snowflake using OAuth while authenticating users to your Sigma organization with SAML, or configure connections to multiple Snowflake accounts using OAuth.

🚩

Before you can connect to Snowflake with connection-level OAuth, complete the procedure in Configure a Sigma OAuth application. This configuration requires the values of multiple fields you obtain when configuring the Sigma OAuth application in your IdP:

If you plan to use the Snowflake OAuth configuration to connect Sigma to Snowflake, this step is not required. See Use the Snowflake authorization server for connection-level OAuth.

To set up a unique OAuth configuration for this connection, do the following:

  1. For OAuth Provider, choose one of the supported providers:

    • ADFS

    • Auth0

    • Microsoft Entra

    • Okta

    • Ping Identity

    • Snowflake

    • Other

    🚩

    If you choose Snowflake, you must follow different configuration steps. See Use the Snowflake authorization server for connection-level OAuth.

  2. For Scopes, enter any additional scopes to specify the access of the OAuth token.

    • The default scopes openid, profile, and email are required.

    • You must enter a session:role scope. By default, the session:role-any scope is provided. Enter one of the following scopes to choose which role is used when accessing Snowflake through this connection:

      • session:role-any maps to the ANY role in Snowflake. Requires the user to have a default role set in Snowflake.
      • session:role:<custom_role> maps to the specified custom role in Snowflake. All users access Snowflake with the specified role. For example, enter session:role:sigmadata to use the SIGMADATA role for all users.
      • session:role:public maps to the PUBLIC role in Snowflake. All users access Snowflake with the PUBLIC role.

      For more information about how the OAuth scopes are used by Snowflake, see External OAuth overview in the Snowflake documentation.

      📘

      If you use Microsoft Entra ID as your IdP, prepend any of the session:role role scopes with the application ID URI, found under "Scopes defined by this API" on the Expose an API page in Microsoft Entra ID. The resulting scope matches the following example pattern: <application_id_uri>/session:role-any. You can optionally prepend the scope with your Azure domain: https://<your_azure_domain>/<your_app_UUID>/session:role-any.

    • The default scope offline_access is strongly recommended but not required. If this scope is not provided, users must log in every time their access token expires and any scheduled operations fail if the tasks run for a longer duration than the access token expiration configured in the IdP (such as 5 minutes).

    For more information about these scopes, see the table in Step 3: Create an OAuth authorization server in Configure a Sigma OAuth application.

  3. In the Metadata URI field, enter the OAuth metadata URI from your IdP.

  4. In the Redirect URI field, select Copy to clipboard and store the value somewhere. You need this value to complete the OAuth configuration in your IdP.

  5. In the Client ID field, enter the client ID from your OAuth application.

  6. Provide the relevant authentication details to match what you configured in your OAuth application:

    • If you configured a client secret in your OAuth application, for Client Secret, enter the client secret from your OAuth application. After you enter and save this value, Sigma does not display it.
    • If you also configured Proof Key for Code Exchange (PKCE) in your OAuth application, select the checkbox for Require PKCE.
    • If you configured your OAuth application to authenticate with a public key and private key pair, or a JWT bearer token, select the checkbox for Use JWT bearer tokens. You do not need to provide a client secret.
  7. Complete the remaining steps. See Complete your OAuth configuration.

Use the Snowflake authorization server for connection-level OAuth


If you want to reuse the OAuth configuration used to authenticate to your Snowflake account to connect Sigma to Snowflake, follow these steps. These steps require configuration in both Snowflake and Sigma.

📘

If you reuse Snowflake OAuth to connect Sigma to Snowflake, users cannot authenticate to Snowflake using roles with high privileges (ACCOUNTADMIN, SECURITYADMIN, GLOBALORGADMIN, ORGADMIN). Other roles can be specified on a block list when the Snowflake OAuth security integration is created. For more details, see Configure Snowflake OAuth for custom clients and CREATE SECURITY INTEGRATION (Snowflake OAuth) in the Snowflake documentation.

Requirements

To set up Snowflake as your OAuth provider to connect to Snowflake, you must perform some steps in Snowflake using a role granted the global CREATE INTEGRATION privilege, such as the ACCOUNTADMIN role.

Set up Sigma as a custom client for Snowflake OAuth

The steps to set up Sigma as a custom client for Snowflake OAuth require switching between Snowflake and Sigma.

After completing the steps to Add a connection and specify connection details and Specify your connection credentials in Sigma, do the following:

  1. In Sigma, on the Add new connection page:

    1. For OAuth Provider, choose Snowflake.
    2. For Redirect URI, select Copy to clipboard to copy the value.
  2. In Snowflake, run the following SQL statement to create a security integration. Replace the placeholder value in the OAUTH_REDIRECT_URI parameter with the copied value:

    CREATE SECURITY INTEGRATION snowflake_oauth_sigma
    TYPE = OAUTH
    ENABLED = TRUE
    OAUTH_CLIENT = CUSTOM
    OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
    OAUTH_REDIRECT_URI = '<Sigma_redirect_URI>'
    OAUTH_ISSUE_REFRESH_TOKENS = TRUE
    OAUTH_REFRESH_TOKEN_VALIDITY = 86400
    OAUTH_ENFORCE_PKCE = TRUE;

    💡

    You can use a different name for this security integration. If you use a different name, run the system function in step 3 referencing the name of the security integration that you create.

    For more details about this command, see CREATE SECURITY INTEGRATION (Snowflake OAuth) in the Snowflake documentation.

  3. After you create the security integration, retrieve the client credentials for the OAuth configuration by running the following SQL statement:

    SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('SNOWFLAKE_OAUTH_SIGMA');

    Save the response somewhere secure. You need the returned client ID and client secret in the following steps.

    For more details about this system function, see SYSTEM$SHOW_OAUTH_CLIENT_SECRETS.

  4. In Sigma, complete the remaining steps for your OAuth configuration:

    1. For Scopes, enter any additional scopes to specify the access of the OAuth token.

      • The refresh_token scope is required. The refresh_token scope allows Sigma to refresh the OAuth token on behalf of the users so that they do not need to log in when their access token expires.
      • (Optional) If you want every user to use a specific role when accessing Snowflake, specify that role with the session:role:<custom_role> scope. If you do not specify a session role scope, the default role for the user in Snowflake is used instead. For more details, see the Scope section in Configure Snowflake OAuth for custom clients in the Snowflake documentation.
    2. For Client ID, enter the oauth_client_id returned by the system function in step 3.

    3. For Client Secret, enter the oauth_client_secret returned by the system function in step 3.

  5. Complete the remaining steps. See Complete your OAuth configuration.
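
As an added example that is not part of Sigma's or Snowflake's own tooling, the following Python checks a connection's scope list against the rules stated in both scope steps above: the external-IdP rules (required openid, profile and email scopes, exactly one session:role scope, recommended offline_access, and the Microsoft Entra ID application ID URI prefix) and the Snowflake authorization server rules (required refresh_token, optional session:role). The provider names passed to check_scopes and the api:// prefix used in the comments are assumptions.

```python
import re

# Scopes every external-IdP configuration must carry (the page's required defaults).
REQUIRED_OIDC = {"openid", "profile", "email"}
# session:role-any, session:role:<custom_role> or session:role:public, optionally prefixed
# with an Entra application ID URI such as api://<app_uuid>/ (assumed example prefix).
ROLE_SCOPE_RE = re.compile(r"^(?:(?P<prefix>\S+)/)?session:role(?P<sep>[-:])(?P<role>[A-Za-z0-9_]+)$")


def parse_role_scope(scope):
    """Return (prefix, role) for a well-formed session:role scope, else None."""
    m = ROLE_SCOPE_RE.match(scope)
    if m is None:
        return None
    prefix, sep, role = m.group("prefix"), m.group("sep"), m.group("role")
    # Only the ANY role uses the hyphen form (session:role-any); named roles use a colon.
    if (sep == "-") != (role.lower() == "any"):
        return None
    return prefix, role


def check_scopes(provider, scopes):
    """Check a scope list for the given provider ("snowflake", "entra" or another IdP name).
    Returns (errors, warnings); an empty errors list means the scope set is acceptable."""
    errors, warnings = [], []
    present = set(scopes)
    role_scopes = [s for s in scopes if parse_role_scope(s) is not None]

    if provider == "snowflake":
        # Snowflake authorization server: refresh_token is required, a session:role is optional.
        if "refresh_token" not in present:
            errors.append("refresh_token scope is required when Snowflake is the provider")
        if len(role_scopes) > 1:
            errors.append("specify at most one session:role scope")
        return errors, warnings

    missing = sorted(REQUIRED_OIDC - present)
    if missing:
        errors.append("missing required scopes: " + ", ".join(missing))
    if len(role_scopes) != 1:
        errors.append("exactly one session:role scope is required")
    if "offline_access" not in present:
        warnings.append("offline_access missing: users must log in again whenever the access token expires")
    if provider == "entra":
        for s in role_scopes:
            if parse_role_scope(s)[0] is None:
                errors.append(s + ": Microsoft Entra ID scopes must be prefixed with the application ID URI")
    return errors, warnings
```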

Complete your OAuth configuration

To complete your OAuth configuration, determine whether you plan to use functionality in Sigma that requires a service account. A service account is a Snowflake user created for administrative purposes in Sigma.

There are three reasons to configure a service account:

  • If you enable write access on this connection, a service account is required. Sigma uses the service account to log all edits made to all input tables on this connection.
  • If you plan to use public embedding, a service account is required. Service account credentials are used to run queries on publicly embedded dashboards.
  • If you want users assigned the Admin account type to configure individual workbooks to run using a service account rather than each individual’s OAuth credentials, a service account is required.

If you determine that you need a service account, configure a user in Snowflake to use as the service account user:

  • The Snowflake user must be configured to use key-pair authentication. Follow the steps in the Snowflake documentation to generate a pair of public and private keys and assign the public key to the user. See Key-pair authentication and key-pair rotation in the Snowflake documentation.
  • Grant the service account user a role that can perform service account tasks. At a minimum, the role must be granted USAGE privileges on the service account warehouse.
  • If you have a multi-factor authentication (MFA) policy applied, exclude the service account from this policy.

After creating or configuring a user to use as the service account, complete the following steps in Sigma:

  1. In the Service account configuration section, turn on the Service account toggle.
  2. From the Authentication drop-down, select Key Pair.
  3. For User, enter the username of the Snowflake user that you plan to use as the service account.
  4. For Private key, enter the private key to authenticate as the service account user.
  5. If the private key is encrypted with a passphrase, for Private key passphrase, enter the passphrase for the private key.
  6. (Optional) For Role, enter a Snowflake role for the service account to perform tasks in Snowflake. If you do not provide a role, the default role of the user in Snowflake is used.
  7. (Optional) For Service account warehouse, enter a warehouse name to be used by the service account, such as to run queries for public embeds. If you do not provide a warehouse, the default warehouse for the user in Snowflake is used.

Next, see Configure write access and Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.