Snowflake with External OAuth Setup
Overview
This document provides an overview of how TrustLogix uses Snowflake External OAuth to secure access to our Snowflake data warehouse. It outlines the general process, supported Identity Providers (IdPs), and configuration guides.
What is External OAuth?
External OAuth allows Snowflake to rely on an external, trusted Identity Provider (IdP) for user authentication and authorization. This enables a seamless Single Sign-On (SSO) experience for programmatic clients, using an IdP such as Azure AD or Okta, and aligns Snowflake access with TrustLogix's central identity and access management policies.
Supported OAuth Providers
TrustLogix supports external authorization servers, custom clients, and partner application integration, which are natively supported by Snowflake. Choose one of the supported providers:
Note: We recommend consulting the official Snowflake documentation for the latest configuration details and prerequisites.
Configuration Overview
The External OAuth setup has two parts, configuring the IdP and configuring Snowflake, and establishes a trust relationship between your IdP and Snowflake. The steps are:
1. Configure an App registration as the OAuth client.
2. Request and decode the OAuth access token.
3. Create an External OAuth Security Integration in Snowflake.
4. Verify the access token against the security integration.
5. Alter the TrustLogix user in Snowflake.
6. Register the Snowflake account using the access token.
Step 1: Configure an App registration as the OAuth client
Refer to the official Snowflake documentation to register the IdP application.
Obtain the following values from the IdP:
OAuth token endpoint
Application scope
Client ID
Client secret
Use the TrustLogix role in the application scope, e.g. session:role:<TLX_ROLE>
Step 2: Request and decode the OAuth access token
Refer to the official Snowflake documentation to prepare the curl command that requests the access token using the client_credentials grant.
Decode the OAuth Access Token
Copy the value of access_token and decode it with an online decoder of your choice (e.g. jwt.ms); this shows the claims present in the token.
Make sure the following attributes of the decoded token match the configuration of the external authorization server:
issuer
audience
roles
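The following is an added Python example (not TrustLogix code and not from the Snowflake documentation) that assembles the client_credentials token request from the Step 1 values, decodes a JWT locally instead of pasting it into a web decoder, and checks the issuer, audience and role scope against the expected configuration. The issuer, audience, role and sample token are constructed placeholders; the claim names `scp`, `scope` and `roles` cover the common ways IdPs carry scopes, and which one your IdP uses is an assumption to verify against your own token.

```python
import base64
import json
import urllib.parse

# Constructed placeholders for this example; use the values from your IdP (Step 1).
EXPECTED_ISSUER = "https://idp.example.com/oauth2/default"
EXPECTED_AUDIENCE = "api://snowflake-trustlogix"
EXPECTED_ROLE_SCOPE = "session:role:TLX_ROLE"


def build_token_request(token_endpoint, client_id, client_secret, scope):
    """Assemble the client_credentials request as (url, headers, form body).

    Client credentials are sent as HTTP Basic auth here; some IdPs expect
    client_id/client_secret in the form body instead, so confirm the form your
    IdP's token endpoint accepts before sending."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_endpoint, headers, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token):
    """Return (header, payload) without verifying the signature.

    Signature verification is done by Snowflake against the JWS keys URL in
    Step 3; this only lets you inspect the claims locally."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_claims(payload, issuer, audience, role_scope):
    """Return a list of mismatches; an empty list means the token matches."""
    problems = []
    if payload.get("iss") != issuer:
        problems.append(f"iss={payload.get('iss')!r} != {issuer!r}")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or an array
    if audience not in aud_list:
        problems.append(f"aud={aud!r} does not include {audience!r}")
    # Assumption: the role scope is carried in 'scp' (array), 'scope' (space-separated) or 'roles'.
    scopes = set()
    for claim in ("scp", "scope", "roles"):
        value = payload.get(claim)
        if isinstance(value, str):
            scopes.update(value.split())
        elif isinstance(value, list):
            scopes.update(value)
    if role_scope not in scopes:
        problems.append(f"role scope {role_scope!r} not found in scp/scope/roles")
    if "sub" not in payload:
        problems.append("no 'sub' claim; the Step 3 integration maps users by 'sub'")
    return problems


def make_sample_token(payload):
    """Build an unsigned sample JWT (empty signature) for local tests only.

    Constructed for this example; Snowflake would reject it because it is not signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(payload)}."


def inspect_token(token, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE,
                  role_scope=EXPECTED_ROLE_SCOPE):
    """Decode a token and report any mismatches against the expected configuration."""
    _header, payload = decode_jwt(token)
    return payload, check_claims(payload, issuer, audience, role_scope)


if __name__ == "__main__":
    sample = make_sample_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                                "scp": [EXPECTED_ROLE_SCOPE], "sub": "3d63-example-sub"})
    payload, problems = inspect_token(sample)
    print(json.dumps(payload, indent=2))
    print("OK" if not problems else "\n".join(problems))
```

Run it against the real access_token value by replacing the constructed sample; a non-empty problem list points at exactly which claim disagrees with the authorization server configuration.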
Step 3: Create an External OAuth Security Integration in Snowflake
Now configure the Snowflake account to trust and accept the access token generated in Step 2. The integration needs the following values:
ISSUER
AUDIENCE
JWS_KEY_ENDPOINT
create security integration external_oauth_integration
  type = external_oauth
  enabled = true
  external_oauth_type = <idp_type>
  external_oauth_issuer = '<ISSUER>'
  external_oauth_jws_keys_url = '<JWS_KEY_ENDPOINT>'
  external_oauth_audience_list = ('<AUDIENCE>')
  external_oauth_token_user_mapping_claim = 'sub'
  external_oauth_snowflake_user_mapping_attribute = 'login_name';
Step 4: Verify the Access Token against the Security Integration
Now that the security integration exists in Snowflake, it accepts or rejects access tokens issued by the OAuth provider client according to its configuration. Use the SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN function to confirm whether the Snowflake account will accept your token.
SELECT SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsIm.......FTU5nctRpmaA');
A successful validation looks like this:
Token Validation finished.
{
  "Validation Result": "Passed",
  "Issuer": "issuer endpoint/",
  "Extracted User claim(s) from token": "3d63xxxxxxxx0652895d"
}
Note the value of Extracted User claim(s) from token in the validation response; it is used in the next step.
Step 5: Alter the TrustLogix user in Snowflake
Finally, alter the TrustLogix Snowflake user, setting LOGIN_NAME to the Extracted User claim(s) from token value from Step 4.
Ex: ALTER USER TLX_<id>_CP_USER SET LOGIN_NAME = '3d63xxxxxxxx0652895d' TYPE = 'SERVICE';
Step 6: Register the Snowflake account using the access token
Once token validation succeeds, register the Snowflake account in TrustLogix.
Enter all the details on the TrustLogix registration page and click Save.

External OAuth Authentication Setup For Customer-hosted TrustLet
Below are the additional steps required for a Customer-hosted TrustLet or hybrid tenant.
Follow the steps above to create the data plane (DP) user:
1. Configure an App registration as the OAuth Resource server.
2. Request and decode the OAuth access token.
3. Alter the External OAuth Security Integration created for the DP user:
   a. Run the describe command to check the audience list of the security integration created for the CP user.
   b. Alter the Security Integration to add the audience for the DP user (include all audiences from the output of the above command).
4. Verify the access token against the Security Integration.
5. Alter the TrustLogix user in Snowflake.
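The describe-then-alter step above is where a Customer-hosted setup most often breaks: ALTER SECURITY INTEGRATION ... SET EXTERNAL_OAUTH_AUDIENCE_LIST replaces the whole list, so setting only the DP audience silently drops the CP audience and the control plane token stops validating. The following is an added Python example (not TrustLogix code) that reads the existing audience list from DESCRIBE SECURITY INTEGRATION output, merges in the new audience, reports what a naive replacement would drop, and emits the ALTER statement. The describe rows, audience strings and integration name are constructed; the assumption that the property value is returned as a comma-separated string is labelled in the code and should be checked against your connector's output.

```python
import re

# Constructed rows in the shape of (property, property_value) from
# DESCRIBE SECURITY INTEGRATION external_oauth_integration. The comma-separated
# rendering of the list value is an assumption about the connector output.
SAMPLE_DESCRIBE_ROWS = [
    ("ENABLED", "true"),
    ("EXTERNAL_OAUTH_ISSUER", "https://idp.example.com/oauth2/default"),
    ("EXTERNAL_OAUTH_AUDIENCE_LIST", "api://tlx-cp-example,api://legacy-example"),
    ("EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM", "sub"),
]


def audience_list_from_describe(rows):
    """Extract the current audience list; returns [] if the property is absent."""
    for prop, value in rows:
        if prop.upper() == "EXTERNAL_OAUTH_AUDIENCE_LIST":
            return [a.strip() for a in value.split(",") if a.strip()]
    return []


def merged_audiences(existing, new_audiences):
    """Existing entries first, new ones appended, duplicates removed, order kept."""
    seen, out = set(), []
    for aud in list(existing) + list(new_audiences):
        if aud not in seen:
            seen.add(aud)
            out.append(aud)
    return out


def audiences_dropped_by(existing, proposed):
    """Entries that SET EXTERNAL_OAUTH_AUDIENCE_LIST = (proposed) would remove."""
    return [aud for aud in existing if aud not in set(proposed)]


def _sql_string(value):
    # Single-quoted SQL string literal with embedded quotes doubled.
    return "'" + value.replace("'", "''") + "'"


def _validate_identifier(name):
    # Only accept a plain unquoted Snowflake identifier for the integration name.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_$]*", name):
        raise ValueError(f"unexpected integration name: {name!r}")
    return name


def alter_audience_sql(integration, audiences):
    """Build the ALTER statement; the list given here replaces the current list."""
    if not audiences:
        raise ValueError("refusing to set an empty audience list")
    _validate_identifier(integration)
    literals = ", ".join(_sql_string(a) for a in audiences)
    return (f"ALTER SECURITY INTEGRATION {integration} "
            f"SET EXTERNAL_OAUTH_AUDIENCE_LIST = ({literals});")


def plan_audience_update(integration, describe_rows, new_audiences):
    """Combine the steps: describe -> merge -> ALTER, never losing existing audiences."""
    existing = audience_list_from_describe(describe_rows)
    return alter_audience_sql(integration, merged_audiences(existing, new_audiences))


if __name__ == "__main__":
    existing = audience_list_from_describe(SAMPLE_DESCRIBE_ROWS)
    dp_only = ["api://tlx-dp-example"]
    print("naive SET would drop:", audiences_dropped_by(existing, dp_only))
    print(plan_audience_update("external_oauth_integration", SAMPLE_DESCRIBE_ROWS, dp_only))
```

Feed the real DESCRIBE output (property and property_value columns) into plan_audience_update and run the returned statement as the same role that created the integration; an empty audiences_dropped_by result is the check that the CP user keeps working.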
Set the following key and value, depending on where the TrustLet is hosted:
Trustlet is hosted on AWS ECS (Amazon Elastic Container Service)
Trustlet is hosted on Azure Kubernetes Service (AKS)
Please note that the value of username (tlx/<tenant-id>/<account-id>/username or tlx-<tenant-id>-<account-id>-username) must match the LOGIN_NAME used in Step 5. For example:
tlx/<tenant-id>/<account-id>/username=672a90b3-xxxx-xxxx-xxxx-xxxx2f7befef
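Steps 4 and 5 and the TrustLet username key above all have to agree on one value: the user claim Snowflake extracts from the token becomes LOGIN_NAME, and the TrustLet must present that same string. The following is an added Python example (not TrustLogix code) that parses the SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN response, refuses to proceed unless the result is Passed, builds the ALTER USER statement with the claim correctly quoted as a string literal, and checks that the TrustLet username key carries the same value. The response text, tenant and account ids, user name and claim value are constructed samples.

```python
import json
import re

# Constructed sample of the Step 4 verification response.
SAMPLE_VERIFY_OUTPUT = (
    'Token Validation finished. { "Validation Result":"Passed", '
    '"Issuer":"https://idp.example.com/oauth2/default", '
    '"Extracted User claim(s) from token":"672a90b3-0000-4000-8000-00002f7befef" }'
)

# Constructed TrustLet key/value pairs; tenant and account ids are made up.
SAMPLE_TRUSTLET_CONFIG = {
    "tlx/t-1234/acct-5678/username": "672a90b3-0000-4000-8000-00002f7befef",
}

# Matches both key forms named on the page: tlx/<tenant>/<account>/username
# and tlx-<tenant>-<account>-username (same separator throughout).
USERNAME_KEY = re.compile(r"tlx([/-]).+\1username")


def parse_verify_output(text):
    """Return the JSON object embedded after 'Token Validation finished.'."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object found in verification output")
    return json.loads(text[start:])


def extracted_user_claim(text):
    """Return the extracted user claim, or None if validation did not pass."""
    result = parse_verify_output(text)
    if result.get("Validation Result") != "Passed":
        return None
    return result.get("Extracted User claim(s) from token")


def _validate_identifier(name):
    # Only accept a plain unquoted Snowflake identifier for the user name.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_$]*", name):
        raise ValueError(f"unexpected user name: {name!r}")
    return name


def alter_user_sql(user, login_name):
    """Step 5 statement; LOGIN_NAME is a string literal, so it is single-quoted."""
    _validate_identifier(user)
    literal = "'" + login_name.replace("'", "''") + "'"
    return f"ALTER USER {user} SET LOGIN_NAME = {literal} TYPE = 'SERVICE';"


def trustlet_username_keys(config):
    """Keys in the TrustLet config that carry the username value."""
    return [key for key in config if USERNAME_KEY.fullmatch(key)]


def trustlet_matches_login_name(config, login_name):
    """True when every username key holds exactly the LOGIN_NAME set in Step 5."""
    keys = trustlet_username_keys(config)
    if not keys:
        raise ValueError("no tlx/<tenant-id>/<account-id>/username key in config")
    return all(config[key] == login_name for key in keys)


if __name__ == "__main__":
    claim = extracted_user_claim(SAMPLE_VERIFY_OUTPUT)
    if claim is None:
        raise SystemExit("token was not accepted; fix the Step 3 integration first")
    print(alter_user_sql("TLX_EXAMPLE_CP_USER", claim))  # constructed user name
    print("TrustLet username matches:", trustlet_matches_login_name(SAMPLE_TRUSTLET_CONFIG, claim))
```

A False result from trustlet_matches_login_name is the usual cause of a TrustLet that authenticates at the IdP but is rejected by Snowflake: the token is valid, but no Snowflake user has a LOGIN_NAME equal to the mapped claim.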
Final Steps to Confirm Setup
After completing the configuration:
Create a test policy on a sample dataset.
Deploy the policy.
If policy creation and deployment proceed without errors (during database/schema selection and deployment), the External OAuth setup is successful.

