Categories:

User & Security DDL (Third-Party Service Integrations)

CREATE SECURITY INTEGRATION (External OAuth)

Creates a new External OAuth security integration in the account or replaces an existing integration. An External OAuth security integration allows a client to use a third-party authorization server to obtain the access tokens needed to interact with Snowflake.

For information about creating other types of security integrations (e.g. Snowflake OAuth), see CREATE SECURITY INTEGRATION.

See also:

ALTER SECURITY INTEGRATION (External OAuth) , DROP INTEGRATION , SHOW INTEGRATIONS

In this Topic:

Syntax

CREATE [ OR REPLACE ] SECURITY INTEGRATION [IF NOT EXISTS]
  <name>
  TYPE = EXTERNAL_OAUTH
  ENABLED = { TRUE | FALSE }
  EXTERNAL_OAUTH_TYPE = { OKTA | AZURE | PING_FEDERATE | CUSTOM }
  EXTERNAL_OAUTH_ISSUER = '<string_literal>'
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = '<string_literal>' | ('<string_literal>', '<string_literal>' [ , ... ] )
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME | EMAIL_ADDRESS'
  [ EXTERNAL_OAUTH_JWS_KEYS_URL = '<string_literal>' ] -- For OKTA | PING_FEDERATE | CUSTOM
  [ EXTERNAL_OAUTH_JWS_KEYS_URL = '<string_literal>' | ('<string_literal>' [ , '<string_literal>' ... ] ) ] -- For Azure
  [ EXTERNAL_OAUTH_BLOCKED_ROLES_LIST = ( '{role_name}' [ , '{role_name}' , ... ] ) ]
  [ EXTERNAL_OAUTH_ALLOWED_ROLES_LIST = ( '{role_name}' [ , '{role_name}' , ... ] ) ]
  [ EXTERNAL_OAUTH_RSA_PUBLIC_KEY = <public_key1> ]
  [ EXTERNAL_OAUTH_RSA_PUBLIC_KEY_2 = <public_key2> ]
  [ EXTERNAL_OAUTH_AUDIENCE_LIST = ('<string_literal>') ]
  [ EXTERNAL_OAUTH_ANY_ROLE_MODE = DISABLE | ENABLE | ENABLE_FOR_PRIVILEGE ]
  [ EXTERNAL_OAUTH_SCOPE_DELIMITER = '<string_literal>' ] -- Only for EXTERNAL_OAUTH_TYPE = CUSTOM

Required Parameters

name

String that specifies the identifier (i.e. name) for the integration; must be unique in your account.

In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more details, see Identifier Requirements.

TYPE = EXTERNAL_OAUTH

Distinguishes the External OAuth integration from a Snowflake OAuth integration.

ENABLED = TRUE | FALSE

Specifies whether to initiate operation of the integration or suspend it.

  • TRUE allows the integration to run based on the parameters specified in the pipe definition.

  • FALSE suspends the integration for maintenance. Any integration between Snowflake and a third-party service fails to work.

EXTERNAL_OAUTH_TYPE = OKTA | AZURE | PING_FEDERATE | CUSTOM

Specifies the OAuth 2.0 authorization server to be Okta, Microsoft Azure AD, Ping Identity PingFederate, or a Custom OAuth 2.0 authorization server.

EXTERNAL_OAUTH_ISSUER = 'string_literal'

Specifies the URL to define the OAuth 2.0 authorization server.

EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'string_literal' | ('string_literal', 'string_literal' [ , ... ] )

Specifies the access token claim or claims that can be used to map the access token to a Snowflake user record.

The data type of the claim must be a string or a list of strings.

EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME | EMAIL_ADDRESS'

Indicates which Snowflake user record attribute should be used to map the access token to a Snowflake user record.

Optional Parameters

EXTERNAL_OAUTH_JWS_KEYS_URL = 'string_literal'

Specifies the endpoint from which to download public keys or certificates to validate an External OAuth access token.

This syntax applies to security integrations where EXTERNAL_OAUTH_TYPE = OKTA | PING_FEDERATE | CUSTOM

EXTERNAL_OAUTH_JWS_KEYS_URL = 'string_literal' | ('string_literal' [ , 'string_literal' ... ] )

Specifies the endpoint or a list of endpoints from which to download public keys or certificates to validate an External OAuth access token. The maximum number of URLs that can be specified in the list is 3.

This syntax applies to security integrations where EXTERNAL_OAUTH_TYPE = AZURE

EXTERNAL_OAUTH_RSA_PUBLIC_KEY = public_key1

Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers.

EXTERNAL_OAUTH_RSA_PUBLIC_KEY_2 = public_key2

Specifies a second RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. Used for key rotation.

EXTERNAL_OAUTH_BLOCKED_ROLES_LIST = ( 'role_name' [ , 'role_name' , ... ] )

Specifies the list of roles that a client cannot set as the primary role. A role in this list cannot be used when creating a Snowflake session based on the access token from the External OAuth authorization server.

By default, this list includes the ACCOUNTADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the EXTERNAL_OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE.

EXTERNAL_OAUTH_ALLOWED_ROLES_LIST = ( 'role_name' [ , 'role_name' , ... ] )

Specifies the list of roles that the client can set as the primary role.

A role in this list can be used when creating a Snowflake session based on the access token from the External OAuth authorization server.

Caution

This parameter supports the ACCOUNTADMIN and SECURITYADMIN system roles.

Exercise caution when creating a Snowflake session with these highly privileged roles set as the primary role.

EXTERNAL_OAUTH_AUDIENCE_LIST = ('string_literal')

Specifies additional values that can be used for the access token’s audience validation on top of using the Customer’s Snowflake Account URL (i.e. <account_identifier>.snowflakecomputing.com). For more information, see Account Identifiers.

For details on this property when using Power BI SSO, refer to Power BI SSO security integrations.

Currently, multiple audience URLs can be specified for External OAuth Custom Clients only. Each URL must be enclosed in single quotes, with a comma separating each URL. For example:

external_oauth_audience_list = ('https://example.com/api/v2/', 'https://example.com')
EXTERNAL_OAUTH_ANY_ROLE_MODE = DISABLE | ENABLE | ENABLE_FOR_PRIVILEGE

Specifies whether the OAuth client or user can use a role that is not defined in the OAuth access token. Note that with a Power BI to Snowflake integration, the PowerBI user cannot switch roles even when this parameter is enabled.

  • DISABLE does not allow the OAuth client or user to switch roles (i.e. use role <role>;). Default.

  • ENABLE allows the OAuth client or user to switch roles.

  • ENABLE_FOR_PRIVILEGE allows the OAuth client or user to switch roles only for a client or user with the USE_ANY_ROLE privilege. This privilege can be granted and revoked to one or more roles available to the user. For example:

Note that the value can be optionally enclosed in single quotes (e.g. either DISABLE or 'DISABLE').

grant USE_ANY_ROLE on integration external_oauth_1 to role1;
revoke USE_ANY_ROLE on integration external_oauth_1 from role1;
EXTERNAL_OAUTH_SCOPE_DELIMITER = 'string_literal'

Specifies the scope delimiter in the authorization token.

The delimiter can be any single character, such as comma (',') or space (' ').

This security integration property is optional and can be used to override the default comma delimiter. Note that this property is only supported for custom External OAuth integrations, where:

EXTERNAL_OAUTH_TYPE = CUSTOM

Contact Snowflake Support to enable this property in your Snowflake account.

Access Control Requirements

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege

Object

Notes

CREATE INTEGRATION

Account

Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.

For instructions on creating a custom role with a specified set of privileges, see Creating Custom Roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Access Control in Snowflake.

Usage Notes

  • Regarding metadata:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata Fields in Snowflake.

  • CREATE OR REPLACE <object> statements are atomic. That is, when the object is replaced, the old object deletion and the new object creation are processed in a single transaction.

Examples

Microsoft Azure AD Example

The following example creates an External OAuth security integration for a Microsoft Azure AD OAuth 2.0 authorization server.

create security integration external_oauth_azure_1
    type = external_oauth
    enabled = true
    external_oauth_type = azure
    external_oauth_issuer = '<AZURE_AD_ISSUER>'
    external_oauth_jws_keys_url = '<AZURE_AD_JWS_KEY_ENDPOINT>'
    external_oauth_token_user_mapping_claim = 'upn'
    external_oauth_snowflake_user_mapping_attribute = 'login_name';

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION external_oauth_azure_1;

Okta Example

The following example creates an External OAuth security integration for an Okta OAuth 2.0 authorization server.

create security integration external_oauth_okta_1
    type = external_oauth
    enabled = true
    external_oauth_type = okta
    external_oauth_issuer = '<OKTA_ISSUER>'
    external_oauth_jws_keys_url = '<OKTA_JWS_KEY_ENDPOINT>'
    external_oauth_token_user_mapping_claim = 'sub'
    external_oauth_snowflake_user_mapping_attribute = 'login_name';

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION external_oauth_okta_1;

Microsoft Power BI SSO Examples

For examples, see:

Back to top