ALTER SECURITY INTEGRATION (External API Authentication)

Modifies the properties of an existing security integration created for external API authentication.

For information about modifying other types of security integrations (e.g. Snowflake OAuth), see ALTER SECURITY INTEGRATION.

See also:

CREATE SECURITY INTEGRATION (External API Authentication) , DESCRIBE INTEGRATION , DROP INTEGRATION , SHOW INTEGRATIONS

Syntax

ALTER SECURITY INTEGRATION <name> SET
  [ ENABLED = { TRUE | FALSE } ]
  [ OAUTH_CLIENT_AUTH_METHOD = CLIENT_SECRET_POST ]
  [ OAUTH_CLIENT_ID = '<string_literal>' ]
  [ OAUTH_CLIENT_SECRET = '<string_literal>' ]
  [ OAUTH_TOKEN_ENDPOINT = '<string_literal>' ]
  [ OAUTH_GRANT = '<string_literal>' ]
  [ OAUTH_ALLOWED_SCOPES = ( <list>) ]
  [ OAUTH_ACCESS_TOKEN_VALIDITY = <integer> ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
Copy

Required Parameters

name

String that specifies the identifier (i.e. name) for the integration.

SET ...

Specifies one or more properties/parameters to set for the integration (separated by blank spaces, commas, or new lines):

Optional Parameters

ENABLED = { TRUE | FALSE }

Specifies whether this security integration is enabled or disabled.

TRUE

Allows the integration to run based on the parameters specified in the integration definition.

FALSE

Suspends the integration for maintenance. Any integration between Snowflake and a third-party service fails to work.

OAUTH_CLIENT_AUTH_METHOD = CLIENT_SECRET_POST

Specifies that POST is used as the authentication method to the external service.

OAUTH_CLIENT_ID = 'string_literal'

Specifies the client ID for the OAuth application in the external service.

OAUTH_CLIENT_SECRET = 'string_literal'

Specifies the client secret for the OAuth application in the ServiceNow instance from the previous step. The connector uses this to request an access token from the ServiceNow instance.

OAUTH_AUTHORIZATION_ENDPOINT = 'string_literal'

Specifies the URL for authenticating to the external service. For example, to connect to the ServiceNow instance the URL should be in the following format:

https://<instance_name>.service-now.com/oauth_token.do
Copy

Where instance_name is the name of your ServiceNow instance.

OAUTH_GRANT = 'string_literal'

Specifies the type of OAuth flow. One of the following: 'CLIENT_CREDENTIALS' or 'AUTHORIZATION_CODE'.

This value must match the OAuth flow you choose when creating a secret.

OAUTH_ALLOWED_SCOPES = ( list )

Specifies a comma-separated list of scopes, with single quotes surrounding each scope, to use when making a request from the OAuth by a role with USAGE on the integration during the OAuth client credentials flow.

This list must be a subset of the scopes defined in the OAUTH_ALLOWED_SCOPES property of the security integration. If the OAUTH_SCOPES property values are not specified, the secret inherits all of the scopes that are specified in the security integration.

For the ServiceNow connector, the only possible scope value is 'useraccount'.

Default: Empty list (i.e. []).

OAUTH_ACCESS_TOKEN_VALIDITY = integer

Specifies the default lifetime of the OAuth access token (in seconds) issued by an OAuth server.

The value set in this property is used if the access token lifetime is not returned as part of OAuth token response. When both values are available, the smaller of the two values will be used to refresh the access token.

OAUTH_REFRESH_TOKEN_VALIDITY = integer

Specifies the value to determine the validity of the refresh token obtained from the OAuth server.

Access Control Requirements

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege

Object

Notes

OWNERSHIP

Integration

OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the GRANT OWNERSHIP command to a different role by the owning role (or any role with the MANAGE GRANTS privilege).

For instructions on creating a custom role with a specified set of privileges, see Creating Custom Roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage Notes

  • Regarding metadata:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata Fields in Snowflake.

Examples

The following example initiates operation of a suspended integration:

ALTER SECURITY INTEGRATION myint SET ENABLED = TRUE;
Copy