OAuth eliminates the need to store Snowflake user credentials in Salesforce. See this blog post for more details.
Using this method, a token is issued which allows Salesforce to access Snowflake as a particular user. The user's password does not need to be kept up-to-date, and access can be revoked from the Snowflake side if required.
Increase your Snowflake refresh token validity
By default, OAuth refresh tokens only last 90 days, which means the OAuth connection between Salesforce and Snowflake would need to be manually re-authenticated every 90 days.
To increase this to, for example, 5 years, you must log a ticket with Snowflake support and ask that the maximum OAUTH_REFRESH_TOKEN_VALIDITY for a SECURITY INTEGRATION be raised to 157784630 seconds.
Create a Snowflake Security Integration
To enable connections from Salesforce, a security integration must be created in your Snowflake account, using the ACCOUNTADMIN role:
create security integration SALESFORCE_CONNECT
  type = oauth
  enabled = true
  oauth_client = custom
  oauth_client_type = 'CONFIDENTIAL'
  oauth_redirect_uri = 'https://TBA'
  oauth_issue_refresh_tokens = true
  oauth_refresh_token_validity = 157784630;

select SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('SALESFORCE_CONNECT');
From the output of the second query, take a copy of the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET field values, as these will be required to configure Salesforce.
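As an added check that is not part of the original Omnata instructions, the following Snowflake SQL (assuming the ACCOUNTADMIN role and the SALESFORCE_CONNECT integration created above) reads back the integration's effective settings so you can confirm the refresh token validity, the redirect URI and the roles Snowflake blocks for OAuth before wiring up Salesforce:

```sql
-- Added example (not from the Omnata docs): verify the SALESFORCE_CONNECT
-- security integration before configuring Salesforce. Run as ACCOUNTADMIN.

-- 1. Confirm the integration exists and is enabled.
SHOW SECURITY INTEGRATIONS LIKE 'SALESFORCE_CONNECT';

-- 2. Read back every property of the integration. DESCRIBE returns one row
--    per property with the columns "property", "property_type",
--    "property_value" and "property_default".
DESCRIBE SECURITY INTEGRATION SALESFORCE_CONNECT;

-- 3. Filter the DESCRIBE output to the settings that matter for this setup.
--    OAUTH_REFRESH_TOKEN_VALIDITY must show 157784630 (about 5 years); if it
--    does not, Snowflake support has not yet raised the account maximum above
--    the 90 day default (7776000 seconds).
--    BLOCKED_ROLES_LIST contains ACCOUNTADMIN and SECURITYADMIN by default:
--    the Snowflake user you authenticate as from Salesforce must have a
--    default role that is NOT in this list, or the OAuth flow will fail.
SELECT "property", "property_value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN (
  'ENABLED',
  'OAUTH_CLIENT_TYPE',
  'OAUTH_REDIRECT_URI',
  'OAUTH_ISSUE_REFRESH_TOKENS',
  'OAUTH_REFRESH_TOKEN_VALIDITY',
  'BLOCKED_ROLES_LIST'
);
```

Run the DESCRIBE and the filtering SELECT back to back in the same session, because RESULT_SCAN(LAST_QUERY_ID()) reads the output of the immediately preceding statement. Repeat the same check after the ALTER in the "Update the Snowflake Security Integration" step to confirm the redirect URI no longer reads 'https://TBA'.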
Create Named Credentials
Back in Salesforce, we need to add Named Credentials for the OAuth Client to communicate with Snowflake. The following values can be used:
- Label: Enter a label for the credential
- Name: Enter Snowflake_OAuth (the Auth Provider created in the next section references this name)
- URL: Enter the URL of your Snowflake instance
- Identity Type: Select "Named Principal"
- Authentication Protocol: Select "Password Authentication"
- Username: Enter the Client ID from your Snowflake Security Integration
- Password: Enter the Client Secret from your Snowflake Security Integration
Create an Auth Provider
- Provider Type: Select SnowflakeOAuth from the drop-down list
- Name: Enter a name for the Auth Provider
- URL Suffix: Enter a URL suffix for the Auth Provider
- Account Name: Enter the name of the Snowflake account, including the region/cloud name if applicable
- Client ID: Enter the Client ID from your Snowflake Security Integration
- OAuth Client Credentials Name: Enter Snowflake_OAuth to match the Named Credentials created above
- Redirect URI: Leave blank; Salesforce generates it on save and we'll copy it into Snowflake in the next step
- Execute Registration As: Click the magnifying glass icon and select your own User
Update the Snowflake Security Integration
The Redirect URI must also be set on the Snowflake Security Integration. Go back to your Snowflake query editor and execute the following (after pasting in your Redirect URI):
ALTER SECURITY INTEGRATION SALESFORCE_CONNECT SET OAUTH_REDIRECT_URI = '<paste your redirect uri value here>';
Update the Snowflake connection Named Credentials to use OAuth
The Named Credentials you just created exist only to let Salesforce and Snowflake exchange token information.
The Omnata setup wizard automatically creates a second set of Named Credentials named 'Snowflake', which must be updated to use OAuth instead of the default username/password authentication.
Under "Setup", "Named Credentials", edit the named credential "Snowflake":
- Authentication Protocol: OAuth 2.0
- Authentication Provider: Choose the SnowflakeOAuth Auth Provider created above
Click Save, and you should be redirected out to Snowflake for authentication.
Once the OAuth flow completes successfully, connections to Snowflake will use OAuth.
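The introduction notes that access can be revoked from the Snowflake side. The statements below are an added example, not part of the Omnata docs, showing how a Snowflake administrator can see which users have delegated authorization to the SALESFORCE_CONNECT integration, audit OAuth logins through ACCOUNT_USAGE, and revoke a single user's consent or disable the whole integration. The user name <salesforce_integration_user> is a placeholder for the Snowflake user you authenticated as during the OAuth flow.

```sql
-- Added example (not from the Omnata docs): monitor and revoke OAuth access
-- granted to the SALESFORCE_CONNECT integration. Run as ACCOUNTADMIN.

-- 1. Which users have consented to the integration, and for which roles.
SHOW DELEGATED AUTHORIZATIONS TO SECURITY INTEGRATION SALESFORCE_CONNECT;

-- 2. Audit logins that presented an OAuth access token in the last 30 days.
--    ACCOUNT_USAGE views lag real time by up to a couple of hours, so very
--    recent logins may not appear yet.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       is_success, error_message
FROM snowflake.account_usage.login_history
WHERE first_authentication_factor = 'OAUTH_ACCESS_TOKEN'
  AND event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 3. Revoke one user's consent. Snowflake stops honouring the refresh tokens
--    issued to that user for this integration, so Salesforce has to re-run
--    the OAuth flow before it can connect again.
ALTER USER "<salesforce_integration_user>"
  REMOVE DELEGATED AUTHORIZATIONS FROM SECURITY INTEGRATION SALESFORCE_CONNECT;

-- 4. Or cut off every Salesforce connection at once without deleting the
--    client ID and secret: a disabled integration rejects all of its tokens.
ALTER SECURITY INTEGRATION SALESFORCE_CONNECT SET ENABLED = FALSE;
-- Restore access later with:
-- ALTER SECURITY INTEGRATION SALESFORCE_CONNECT SET ENABLED = TRUE;
```

Step 3 is the targeted option when a single integration user is being rotated or offboarded; step 4 is the quick response when the Salesforce side is suspected of being compromised, since it takes effect without touching any Salesforce configuration.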