Skip to main content

Snowflake

Snowflake is a cloud data warehouse platform that enables data storage, processing, and analytics with scalable compute and storage resources.

Authentication Types

Snowflake supports 1 authentication method:

  • OAuth - Create your own Snowflake Security Integration with PKCE. Every user connects with their Snowflake account.
    • Pros: Secure, per-user tracking, production-ready
    • Cons: Requires Snowflake admin access

General Settings

Before using the connector, you need to configure:

  • Snowflake Instance URL - Your Snowflake instance URL (e.g., https://yourcompany.snowflakecomputing.com)

Setting up OAuth

  1. Log in to your Snowflake account with admin privileges

  2. Run the following SQL command to create a Security Integration:

CREATE SECURITY INTEGRATION webrix_oauth
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = PUBLIC
  OAUTH_REDIRECT_URI = '<copy from Webrix platform>'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
  OAUTH_ENFORCE_PKCE = TRUE
;
  1. Get the Client ID by running:
DESCRIBE SECURITY INTEGRATION WEBRIX_OAUTH;

  1. Copy the OAUTH_CLIENT_ID value from the describe output

  2. In Webrix, paste the Client ID

tip

You don't need a Client Secret because Snowflake uses PKCE (Proof Key for Code Exchange) for enhanced security. The Client ID combined with PKCE is sufficient for secure authentication.

  1. Enter your Snowflake Instance URL in General Settings

  2. Click Save Changes

Troubleshooting

Role Block Error

If your users encounter the following error when trying to connect:

"The role requested has been explicitly blocked for use with this application by an administrator. Please try logging in with a different role, or contact your administrator."

Cause: The user's default role may not have the necessary permissions to use the OAuth integration.

Solution:

Have the user (or a Snowflake admin) run the following SQL command to set an appropriate default role:

ALTER USER <user-name>
  SET DEFAULT_ROLE = <role>;

Replace <user-name> with the actual username and <role> with the a role different than ACCOUNTADMIN, ORGADMIN, or SECURITYADMIN.