Snowflake OAuth

Paradime supports OAuth authentication with Snowflake. When Snowflake OAuth is enabled, users can authorize their Development credentials using Single Sign On (SSO) via Snowflake rather than submitting a username and password to Paradime.

Snowflake

If Snowflake is set up with SSO through a third-party identity provider, developers can use this method to log into Snowflake and authorize the dbt™️ Development credentials without any additional setup.

Configuring a security integration

To enable Snowflake OAuth, you will need to create a security integration in Snowflake to manage the OAuth connection between Paradime and Snowflake.

Note: Only Snowflake account administrators (users with the ACCOUNTADMIN role) or a role with the global CREATE INTEGRATION privilege can execute this SQL command.

In Snowflake, execute a query to create a security integration. The complete documentation on creating a security integration for custom clients is available in the Snowflake documentation. A sample CREATE OR REPLACE SECURITY INTEGRATION query is shown below.

CREATE OR REPLACE SECURITY INTEGRATION PARADIME
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = '<the redirect URI based on your paradime instance region>'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

| Field | Description |
| --- | --- |
| TYPE | Required |
| ENABLED | Required |
| OAUTH_CLIENT | Required |
| OAUTH_CLIENT_TYPE | Required |
| OAUTH_REDIRECT_URI | Required. Use the correct domain for your region; you can check the region you selected during onboarding in the Workspace Management section of your Account Settings. 🇪🇺 eu-west-2 (Europe - London): https://api.paradime.io/control-plane/snowflake/redirect; 🇪🇺 eu-west-1 (Europe - Ireland): https://eu-w1-api.paradime.io/control-plane/snowflake/redirect; 🇪🇺 eu-central-1 (Europe - Frankfurt): https://eu-c1-api.paradime.io/control-plane/snowflake/redirect; 🇺🇸 us-east-1 (US East - N. Virginia): https://api.us.paradime.io/control-plane/snowflake/redirect |
| OAUTH_ISSUE_REFRESH_TOKENS | Required |
| OAUTH_REFRESH_TOKEN_VALIDITY | Required. This configuration dictates the number of seconds that a refresh token is valid for. Use a smaller value to force users to re-authenticate with Snowflake more frequently. |
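
To confirm that the integration was created with the settings described above, the following added example (not part of the original Paradime documentation) reads the integration back and flags values that differ from them. The 30-day threshold and the 1-day replacement value are assumed policy values chosen for illustration; with the sample setting of 7776000 seconds (90 days), the validity row is flagged for review.

```sql
-- Added example: audit the PARADIME security integration after creating it.
-- Run with a role that is allowed to describe the integration.
DESC SECURITY INTEGRATION PARADIME;

-- Turn the DESC output of the previous statement into a checklist.
WITH props AS (
  SELECT "property" AS property, "property_value" AS value
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
),
policy AS (
  -- Assumed policy threshold: 30 days, in seconds (not a Paradime or Snowflake requirement).
  SELECT 2592000 AS max_validity_s
)
SELECT
  p.property,
  p.value,
  CASE p.property
    WHEN 'ENABLED' THEN
      IFF(p.value ILIKE 'true', 'ok', 'review: integration is disabled')
    WHEN 'OAUTH_CLIENT_TYPE' THEN
      IFF(p.value = 'CONFIDENTIAL', 'ok', 'review: expected CONFIDENTIAL')
    WHEN 'OAUTH_REDIRECT_URI' THEN
      -- Exact match against the four regional redirect URIs listed on this page.
      IFF(p.value IN (
            'https://api.paradime.io/control-plane/snowflake/redirect',
            'https://eu-w1-api.paradime.io/control-plane/snowflake/redirect',
            'https://eu-c1-api.paradime.io/control-plane/snowflake/redirect',
            'https://api.us.paradime.io/control-plane/snowflake/redirect'),
          'ok', 'review: not one of the listed Paradime redirect URIs')
    WHEN 'OAUTH_ISSUE_REFRESH_TOKENS' THEN
      IFF(p.value ILIKE 'true', 'ok', 'review: refresh tokens are not issued')
    WHEN 'OAUTH_REFRESH_TOKEN_VALIDITY' THEN
      -- A non-numeric value makes the comparison NULL, which IFF treats as "review".
      IFF(TRY_TO_NUMBER(p.value) <= policy.max_validity_s,
          'ok', 'review: refresh token outlives the policy threshold')
  END AS finding
FROM props p
CROSS JOIN policy
WHERE p.property IN ('ENABLED', 'OAUTH_CLIENT_TYPE', 'OAUTH_REDIRECT_URI',
                     'OAUTH_ISSUE_REFRESH_TOKENS', 'OAUTH_REFRESH_TOKEN_VALIDITY');

-- Shorten the refresh token lifetime without recreating the integration.
-- 86400 seconds = 1 day (constructed value).
ALTER SECURITY INTEGRATION PARADIME SET OAUTH_REFRESH_TOKEN_VALIDITY = 86400;
```

The SELECT must be run immediately after the DESC statement in the same session, because LAST_QUERY_ID() refers to the most recently executed query.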

Retrieve ClientID and Secret

To get the Client ID and Secret required to connect to Paradime, run the following query in Snowflake:

with 

integration_secrets as (
  select parse_json(system$show_oauth_client_secrets('PARADIME')) as secrets
)

select
  secrets:"OAUTH_CLIENT_ID"::string     as client_id,
  secrets:"OAUTH_CLIENT_SECRET"::string as client_secret
from 
  integration_secrets;
