Connect to a Git repository over a public network¶

You can set up Snowflake to access your Git repository over a public network. If your Git server uses IP-based allowlisting, see Securing ingress of Snowflake requests with egress IP addresses to configure stable egress IPs for Snowflake Git traffic.

You can have Snowflake authenticate using any of the following strategies:

Authenticate through an OAuth flow.

Configure an API integration to allow for an OAuth2 flow.
Authenticate with a token, such as a personal access token.

Configure a secret containing the username and token to use, then configure an API integration that allows Snowflake to use the secret when authenticating.
No authentication.

Configure an API integration with details about the Git repository server.

Configure for authenticating with OAuth¶

Note

OAuth support is generally available for repositories hosted at github.com. For other repository providers, OAuth support is in preview.

Diagram showing components needed to configure Git connection requiring no authentication

You can configure Snowflake to authenticate with the remote Git repository using an OAuth2 flow.

The Snowflake GitHub App is a pre-configured OAuth2 application that simplifies authentication. You don’t need to register an OAuth application or a redirect URI.

Create an API integration that specifies the Snowflake GitHub App:

CREATE OR REPLACE API INTEGRATION my_git_api_integration
  API_PROVIDER = git_https_api
  API_ALLOWED_PREFIXES = ('https://github.com')
  API_USER_AUTHENTICATION = (TYPE = SNOWFLAKE_GITHUB_APP)
  ENABLED = TRUE;

Create a workspace connected to a Git repository as described in Create a Git workspace.

For any repository provider, you can create an API integration that specifies OAuth2 parameters directly. Before you begin, create an OAuth application with your provider and collect the client ID, client secret, authorization endpoint, and token endpoint. For provider-specific instructions, see Set up OAuth for Git integration by provider.

Register the Snowflake redirect URI with your Git provider.

When you register the OAuth application, the provider asks for a redirect URI (sometimes called a callback URL). Set this to the following value, based on the cloud region that hosts your Snowflake account:
```
https://apps-api.c1.<region>.<cloud>.app.snowflake.com/oauth/complete-secret
```
Replace <region> and <cloud> with the values for your Snowflake deployment. For example, for an account in AWS US West (Oregon), the redirect URI is https://apps-api.c1.us-west-2.aws.app.snowflake.com/oauth/complete-secret.

Create an API integration that specifies your OAuth2 parameters.

For details on each parameter, see CREATE API INTEGRATION.

CREATE OR REPLACE API INTEGRATION my_git_api_integration
  API_PROVIDER = git_https_api
  API_ALLOWED_PREFIXES = ('https://example.com/my_account')
  API_USER_AUTHENTICATION = (
    TYPE = OAUTH2
    OAUTH_AUTHORIZATION_ENDPOINT = '<your_oauth_authorization_endpoint>'
    OAUTH_TOKEN_ENDPOINT = '<your_oauth_token_endpoint>'
    OAUTH_CLIENT_ID = '<your_oauth_client_id>'
    OAUTH_CLIENT_SECRET = '<your_oauth_client_secret>'
    OAUTH_ACCESS_TOKEN_VALIDITY = 3600
    OAUTH_REFRESH_TOKEN_VALIDITY = 2592000
    OAUTH_ALLOWED_SCOPES = ( 'read_api', 'read_repository', 'write_repository' )
  )
  ENABLED = TRUE;

Create a workspace connected to a Git repository as described in Create a Git workspace.

Configure for authenticating with a token¶

To have Snowflake authenticate with the Git repository by using a username and token such as a personal access token (PAT), follow these steps:

Provide credentials in a basic authentication secret.

To provide the credentials that Snowflake uses to authenticate with the repository, create a secret that contains the following:
- A TYPE value of password
- A username and token, such as a personal access token (PAT)
  
  If your Git repository is hosted on Bitbucket, specify x-token-auth as the username value.
  
  Note
  
  For information about creating a personal access token in GitHub, see Managing your personal access tokens in the GitHub documentation.
For more information on the SQL command for creating a secret, see the CREATE SECRET.

Code in the following example creates a secret called my_git_secret with a username and the user’s personal access token to use as credentials:
```
CREATE OR REPLACE SECRET db.schema.my_git_secret
  TYPE = password
  USERNAME = 'gladyskravitz'
  PASSWORD = 'ghp_token';
```
Create an API integration that supports authenticating with a token.

To create an API integration for access to a Git repository with a token, specify the following details:
- git_https_api as the value of the API_PROVIDER parameter
- HTTPS endpoints to which requests must be limited as values of the API_ALLOWED_PREFIXES parameter
For more information, see CREATE API INTEGRATION.
```
CREATE OR REPLACE API INTEGRATION my_git_api_integration
  API_PROVIDER = git_https_api
  API_ALLOWED_PREFIXES = ('https://github.com/my-account')
  ALLOWED_AUTHENTICATION_SECRETS = (my_git_secret)
  ENABLED = TRUE;
```
Create a Git repository clone as described in Create a Snowflake Git repository clone.

Configure for no authentication¶

To set up Snowflake to use a Git repository without authenticating, follow these steps:

Create an API integration that supports access without authenticating, and specify the following details:
- git_https_api as the value of the API_PROVIDER parameter
- HTTPS endpoints to which requests must be limited as values of the API_ALLOWED_PREFIXES parameter
For more information, see CREATE API INTEGRATION.
```
CREATE OR REPLACE API INTEGRATION my_git_api_integration
  API_PROVIDER = git_https_api
  API_ALLOWED_PREFIXES = ('https://example.com/my-account')
  ENABLED = TRUE;
```
Create a Git repository clone as described in Create a Snowflake Git repository clone.

Create a Snowflake Git repository clone¶

After you configure Snowflake for access to your remote repository, create a Git repository clone in Snowflake to contain files fetched from the remote repository.

Note

For information on creating a Git workspace in Snowsight, see Create a Git workspace.

A Git repository clone in Snowflake specifies the following details:

The remote repository’s origin

In Git, origin is the remote repository’s URL. Use that URL when setting up Snowflake to use a remote Git repository. The URL must use HTTPS. For example, you can retrieve the origin URL in the following ways:
- In the GitHub user interface, you can get the origin URL from the repository home page. Select the Code button, and then copy the HTTPS URL from the box displayed beneath the button.
- From the command line, use the git config command from within your local repository, as in the following example:
  $ git config --get remote.origin.url
  The command produces output such as the following:
  https://github.com/my-account/snowflake-extensions.git
  For reference information about git config, see the git documentation.
Credentials, if needed, for Snowflake to use when authenticating with the repository

For the GIT_CREDENTIALS parameter, specify a Snowflake secret you created.
An API integration specifying details for Snowflake interaction with the repository API

You can create a Git repository clone by using either Snowsight or SQL.

Note

Before creating a Git repository clone, you’ll need to create a secret (if the remote repository requires authentication) and an API integration.

Code in the following example creates a Git repository clone called snowflake_extensions. The clone specifies the my_git_api_integration API integration and the my_git_secret secret with credentials for authenticating.

USE ROLE ACCOUNTADMIN;
GRANT CREATE GIT REPOSITORY ON SCHEMA myco_db.integrations TO ROLE myco_git_admin;
GRANT USAGE ON INTEGRATION my_git_api_integration TO ROLE myco_git_admin;
GRANT USAGE ON SECRET db.schema.my_git_secret TO ROLE myco_git_admin;

USE ROLE myco_git_admin;

CREATE OR REPLACE GIT REPOSITORY snowflake_extensions
  API_INTEGRATION = my_git_api_integration
  GIT_CREDENTIALS = my_git_secret
  ORIGIN = 'https://github.com/my-account/snowflake-extensions.git';