External OAuth for Snowflake
Feature availability
The ability to set up external identity providers for Snowflake is off by default. Contact your DataRobot representative or administrator for information on how to enable this feature.
Feature flag: Enable External Identity Providers in Snowflake SSO
Now available for public preview. You can configure Snowflake data connections to use an external identity provider (IdP: Okta or Azure Active Directory) for user authentication with OAuth single sign-on (SSO). Identity providers create and maintain identity information and provide authentication services to other applications, allowing a user to securely access applications without creating new passwords or usernames.
For more information on connecting to Snowflake, including troubleshooting steps, see the Snowflake documentation.
Requirements
The following is required before connecting to Snowflake in DataRobot:
Okta:
- Snowflake account
- External OAuth configured in Snowflake for Okta (see External OAuth with security integrations). If using Okta as the external identity provider (IdP), you must specify http://localhost/account/snowflake/snowflake_authz_return as a Sign-in redirect URI when creating a new App integration in Okta.
Azure AD:
- Snowflake account
- External OAuth configured in Snowflake for Microsoft Azure AD (see External OAuth with security integrations). If using Azure AD as the external identity provider (IdP), you must specify https://<datarobot_app_server>/account/snowflake/snowflake_authz_return as a Redirect URI when registering both applications in Azure AD.
External IdP setup
Note
This section uses example configurations for setting up an external IdP. For information on setting up an external IdP based on your specific environment and requirements, see the documentation for Okta or Azure AD.
In the appropriate external IdP, create the Snowflake application(s):
Create a new App Integration in Okta:
- Go to Applications > Applications.
- Click Create App Integration.
- For the Sign-in method, select OIDC - OpenID Connect.
- For the Application type, select Web Application.
- Click Next.
- Make sure the following options are selected:
  - Client Credentials
  - Authorization Code
  - Refresh Token
  - Require consent
- Under LOGIN, add http://localhost/account/snowflake/snowflake_authz_return to the Sign-in redirect URIs.
- This results in your Client ID and Client secret.
Now, create a new Authorization Server:
- Go to Security > API > Add Authorization Server.
- Set Audience to https://<partner_name>.snowflakecomputing.com/. <partner_name> is the datarobot_partner for the current DataRobot Snowflake instance.
- Go to Scopes > Add Scope.
  - Set Name to session:role:public (refers to the Snowflake role).
  - For Check-in, add Require user consent for this scope and Block services from requesting this scope.
  - (Optional) Set the offline_access scope to require consent.
- Go to Access Policies > Add Rule and add the following rules:
  - Add Check-in Client Credentials.
  - Add Check-in Authorization Code.
  - Add the client integration (created above) to the Assigned to clients field.
- Go to Token and click Create token.
- This results in the following:
  - Issuer, for example https://dev-11863425.okta.com/oauth2/aus15ca55wkdOxplJ5d7.
  - Auth Token for programmatic access to the Okta API.
  - Auth server metadata JSON (found in Settings > Metadata URI).
Okta API calls
```bash title="Get current user"
curl --location --request GET 'https://
```

```bash title="Revoke grant/consent"
# <TOKEN> is the Okta API token created under Security > API > Token above.
curl --location --request DELETE 'https://<OKTA_ACCOUNT>.okta.com/api/v1/users/<USER_ID>/grants/<GRANT_ID>' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: SSWS <TOKEN>'
```
Register an application for Snowflake Resource in Azure AD:
- Go to MS Azure > Azure AD > App registrations.
- Click New registration.
  - Under Name, enter Snowflake Resource.
  - Under Supported account types, select Accounts in this organizational directory only.
  - Under Redirect URI, select Web and enter http://localhost/account/snowflake/snowflake_authz_return.
  - Click Register.
- Expose the API.
  - Set the Application ID URI to refer to the Snowflake URI (e.g., https://hl91180.us-east-2.aws.snowflakecomputing.com).
  - Add a scope to reference the existing Snowflake role; the scope is prefixed with the Application ID URI (e.g., https://hl91180.us-east-2.aws.snowflakecomputing.com/session:scope:public).
Register an application for Snowflake Client App in Azure AD:
- Go to MS Azure > Azure AD > App registrations.
- Click New registration.
  - Under Name, enter Snowflake Resource.
  - Under Supported account types, select Accounts in this organizational directory only.
  - Under Redirect URI, select Web and enter http://localhost/account/snowflake/snowflake_authz_return.
  - Click Register.
- Go to Client Credentials > New client secret and copy the value. Note that this value will not be available after this step.
- Go to API Permission > Add Permission > My APIs > Snowflake Resource and choose the scope created above for Snowflake Resource (session:scope:public).
- This results in the following:
  - Snowflake Client App: Client ID and Client secret.
  - Issuer URL (<external_oauth_jws_keys_url> in the Snowflake integration): go to Snowflake Client App > Overview > Endpoints > OpenID Connect metadata document, open the document in a browser, and search for jwks_uri (e.g., https://login.microsoftonline.com/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/discovery/v2.0/keys).
  - Entity ID (<external_oauth_issuer> in the Snowflake integration): go to Snowflake Client App > Overview > Endpoints > Federation metadata document, open the document in a browser, and search for entityID (e.g., https://sts.windows.net/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/).
Snowflake setup
Note
This section uses example configurations for setting up an external IdP in Snowflake. For information on setting up an external IdP in Snowflake based on your specific environment and requirements, see the Snowflake documentation.
In Snowflake, create an integration for the appropriate external IdP:
```sql title="Okta"
create security integration external_oauth_okta_2
  type = external_oauth
  enabled = true
  external_oauth_type = okta
  external_oauth_issuer = '<OKTA_ISSUER>'
  external_oauth_jws_keys_url = '<JWKS_URI>'
  external_oauth_audience_list = ('<AUDIENCE>')
  external_oauth_token_user_mapping_claim = 'sub'
  external_oauth_snowflake_user_mapping_attribute = 'login_name';

-- Map the Okta user (the token's 'sub' claim) to a Snowflake user by login_name.
CREATE OR REPLACE USER <user_name>
  LOGIN_NAME = '<okta_user_name>';
alter user <user_name> set DEFAULT_ROLE = 'PUBLIC';
```
Reference values:
- OKTA_ISSUER: https://dev-11863425.okta.com/oauth2/aus15ca55wkdOxplJ5d7
- AUDIENCE: https://hl91180.us-east-2.aws.snowflakecomputing.com/
- JWKS_URI: https://dev-11863425.okta.com/oauth2/aus15ca55wkdOxplJ5d7/v1/keys (retrieved from the Okta Auth server Metadata JSON)
- okta_user_name: retrieved from Okta > Directory > People; select a user, then go to Profile > Username/login
```sql title="Azure AD"
create security integration external_oauth_azure_1
  type = external_oauth
  enabled = true
  external_oauth_type = azure
  external_oauth_issuer = 'https://sts.windows.net/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/'
  external_oauth_jws_keys_url = 'https://login.microsoftonline.com/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/discovery/v2.0/keys'
  external_oauth_audience_list = ('https://hl91180.us-east-2.aws.snowflakecomputing.com/')
  external_oauth_token_user_mapping_claim = 'upn'
  external_oauth_snowflake_user_mapping_attribute = 'login_name';
```
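As an added example (not DataRobot's or Snowflake's own code), the following Python helper decodes an access token from either IdP and checks its claims against the two security integrations above the way Snowflake will: issuer, audience list, a session:role:/session:scope: scope for the Snowflake role, and the user mapping claim ('sub' for Okta, 'upn' for Azure AD). The sample claims, the dummy-signature token builder and the user name are constructed for offline use; signature verification against external_oauth_jws_keys_url is left to Snowflake.

```python
import base64
import json
# Parameters of the two CREATE SECURITY INTEGRATION statements above
# (Okta placeholders resolved from the page's "Reference values").
AUDIENCE = "https://hl91180.us-east-2.aws.snowflakecomputing.com/"
INTEGRATIONS = {
    "external_oauth_okta_2": ("https://dev-11863425.okta.com/oauth2/aus15ca55wkdOxplJ5d7", "sub"),
    "external_oauth_azure_1": ("https://sts.windows.net/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/", "upn"),
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims_unverified(token: str) -> dict:
    # Payload only: the signature is deliberately not checked here, Snowflake does that
    # against external_oauth_jws_keys_url. Use this to see what the IdP actually issued.
    header, payload, _sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") == "none":
        raise ValueError("alg=none tokens are never acceptable")
    return json.loads(_unb64url(payload))

def check_claims(claims: dict, integration: str) -> list:
    # Mirrors Snowflake's checks: issuer, audience list, session scope, mapping claim.
    issuer, user_claim = INTEGRATIONS[integration]
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss != external_oauth_issuer")
    aud = claims.get("aud", [])
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud not in external_oauth_audience_list")
    scp = claims.get("scp", [])
    scopes = scp.split() if isinstance(scp, str) else scp  # Azure: str, Okta: list
    if not any(s.startswith(("session:role:", "session:scope:")) for s in scopes):
        problems.append("no session:role:/session:scope: scope for the Snowflake role")
    if not claims.get(user_claim):
        problems.append(f"missing user mapping claim {user_claim!r}")
    return problems

def constructed_token(claims: dict) -> str:
    # Constructed sample token: RS256 header with a dummy signature, offline only.
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'dummy')}"

# Constructed claims mirroring the Okta authorization server configured above.
SAMPLE_OKTA_CLAIMS = {"iss": INTEGRATIONS["external_oauth_okta_2"][0], "aud": AUDIENCE,
                      "scp": ["session:role:public", "offline_access"], "sub": "user@example.com"}
```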
DataRobot setup
In DataRobot, add the external IdP credentials to set up the Snowflake data connection. There are two ways to do this: by testing a new data connection or on the Credentials Management page.
To create a new Snowflake data connection using the external IdP parameters:
- Go to User settings > Data connections.
- Create a new Snowflake data connection.
- Test the data connection.
- In the Test data connection window, select the OAuth provider from the Okta or Azure AD dropdown and fill in the additional required fields.
- To complete the setup, follow the remaining steps for Snowflake data connections with OAuth.
To add saved credentials for the external IdP:
- Go to User settings > Credentials management.
- Click Add new to add a new saved credential.
- In the Add credentials window, select Snowflake OAuth as the credential type.
- Select the OAuth provider from the Okta or Azure AD dropdown and fill in the additional required fields.
Required parameters
In addition to the required fields listed below, you can learn about other available configuration options in the Snowflake documentation.
Required field | Description | Documentation |
---|---|---|
Required fields for data connection | | |
address | A connection object that stores a secure connection URL to connect to Snowflake. Example: {account_name}.snowflakecomputing.com | Snowflake documentation |
warehouse | A unique identifier for your virtual warehouse. | Snowflake documentation |
db | A unique identifier for your database. | Snowflake documentation |
Required fields for credentials | | |
Client ID | The public identifier for your application. In the Okta Admin console, go to Applications > Applications > Your OpenID Connect web app > Sign On tab > Sign On Methods. In Azure AD, this is also known as the application ID. | Okta or Azure AD documentation |
Client secret | A confidential identifier used to authenticate your application. In the Okta Admin console, go to Applications > Applications > Your OpenID Connect web app > Sign On tab > Sign On Methods. In Azure AD, this is also known as the application secret. | Okta or Azure AD documentation |
Snowflake account name | A unique identifier for your Snowflake account within an organization. | Snowflake documentation |
Issuer URL | A URL that uniquely identifies your SAML identity provider. "Issuer" refers to the Entity ID of your identity provider. Examples: | Okta or Azure AD documentation |
Scope | Contains the name of your Snowflake role. Examples: Parameters for a Snowflake Analyst. | Snowflake documentation |
Contact your administrator for the appropriate values for these fields.
Related reading
- How to: Create External OAuth Token Using Azure AD On Behalf Of The User
- Configure Microsoft Azure AD for External OAuth