Enabling Snowflake OAuth in Aginity Team

We now support OAuth for the Snowflake platform. This feature only works on Aginity Team. The details below will guide you through setting up the configuration on the server.

  1. Connect to your Snowflake server and create a Security Integration object for a custom client (more details can be found at this link).

For example,

CREATE OR REPLACE SECURITY INTEGRATION aginity_team_oAuth
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = '{Aginity Team Public URL}/api/oauth/snowflake'
  OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE
  OAUTH_ENFORCE_PKCE = TRUE
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400;

Note

{Aginity Team Public URL} is a URL of a server running Aginity Team. It is a public URL available outside your corporate network.

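{Aginity Team Public URL} has the following format: {scheme}://{host}:{port}, where {scheme} can be either http or https, {host} is the hostname of the server running Aginity Team, and {port} is the TCP port Aginity Team is using. Because the example integration above sets OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE, the redirect URI must use https while that setting is in place.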

  2. SSH to the Aginity Team server.
  3. Edit /etc/aginity-team/application.yml and uncomment and update the following properties:

platforms.snowflake.oauth.host

Snowflake account in format {account_name}.snowflakecomputing.com where {account_name} is your Snowflake account name.

platforms.snowflake.oauth.clientId

Snowflake client ID of the Security Integration object. The Snowflake administrator can find the client ID by describing the integration, that is, by using the DESC SECURITY INTEGRATION command.

platforms.snowflake.oauth.clientSecret

Snowflake client secret of the Security Integration object. The Snowflake administrator can find the client secrets by using the system function SHOW_OAUTH_CLIENT_SECRETS.

server:
  publicUrl: {Aginity Team Public URL}

#
# Database platform specific configurations
#
platforms:
  snowflake:
    oauth:
      clientSecrets:
        - host: {account_name}.snowflakecomputing.com
          clientId: {client id}
          clientSecret: {client secret}

For example, a customer has 2 Snowflake accounts. The first one is eb39151.us-east-1.snowflakecomputing.com and is used for the Dev environment. The second one is xr58911.us-east-1.snowflakecomputing.com and is used for the Production environment. To enable OAuth connections to these environments via Aginity Team, the administrator should add the following parameters to service.conf:

server:
  publicUrl: https://aginity.example.com

platforms:
  snowflake:
    oauth:
      clientSecrets:
        # Dev environment
        - host: eb39151.us-east-1.snowflakecomputing.com
          clientId: fnm4OgHhswi/hrEfsahTyZo=
          clientSecret: sHljg51o7jdsjds8723786f35Q0K+TthasjuczjQwY=
        # Production environment
        - host: xr58911.us-east-1.snowflakecomputing.com
          clientId: kwajw56h(usaELkkwu=
          clientSecret: gfhfrejds3232372822378YUUYthasjuczjQwY=

  4. Restart the Aginity Team server.
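
A pre-flight check for the values configured above, added here as an example and not part of Aginity Team or its documentation. It assumes the YAML has already been loaded into Python values; the function names are hypothetical and the sample values are constructed.

```python
import os
import re
import stat
from urllib.parse import urlsplit

REDIRECT_PATH = "/api/oauth/snowflake"  # path used in the page's OAUTH_REDIRECT_URI
HOST_RE = re.compile(r"^[a-z0-9._-]+\.snowflakecomputing\.com$")

def expected_redirect_uri(public_url):
    """Value OAUTH_REDIRECT_URI must have for a given server.publicUrl."""
    return public_url.rstrip("/") + REDIRECT_PATH

def check_config(public_url, client_secrets):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    url = urlsplit(public_url)
    if url.scheme != "https":
        problems.append("publicUrl is not https, but the integration sets "
                        "OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE")
    if not url.hostname or url.path not in ("", "/") or url.query or url.fragment:
        problems.append("publicUrl must be {scheme}://{host}:{port} only")
    seen = set()
    for i, entry in enumerate(client_secrets):
        host = str(entry.get("host", "")).strip().lower()
        if not HOST_RE.match(host):
            problems.append(f"entry {i}: host is not {{account_name}}.snowflakecomputing.com")
        elif host in seen:
            problems.append(f"entry {i}: duplicate host {host}")
        seen.add(host)
        for key in ("clientId", "clientSecret"):
            value = str(entry.get(key, "")).strip()
            if not value or value.startswith("{"):
                problems.append(f"entry {i}: {key} is empty or still a placeholder")
    return problems

def check_file_mode(path):
    """Flag a config file that users outside its owner and group can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:
        return [f"{path} has mode {mode:o}; it stores client secrets in clear text"]
    return []

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = [{"host": "eb39151.us-east-1.snowflakecomputing.com",
               "clientId": "constructed-id", "clientSecret": "constructed-secret"}]
    print(expected_redirect_uri("https://aginity.example.com"))
    print(check_config("http://aginity.example.com", sample))
```

Run check_file_mode against /etc/aginity-team/application.yml on the server, since that file holds the client secrets.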