Creating an Amazon QuickSight data source connection to Snowflake with OAuth client credentials
You can use OAuth client credentials to connect your QuickSight account to Snowflake through the QuickSight APIs. OAuth is a standard authorization protocol that is often used by applications with advanced security requirements. When you connect to Snowflake with OAuth client credentials, you can create datasets that contain Snowflake data with the QuickSight APIs and in the QuickSight UI. For more information about configuring OAuth in Snowflake, see Snowflake OAuth overview.
QuickSight supports the client credentials OAuth grant type. The client credentials grant is used to obtain an access token for machine-to-machine communication. It is suitable for scenarios where a client application needs to access resources hosted on a server without a user being involved.
In the client credentials flow of OAuth 2.0, there are several client authentication mechanisms that can be used to authenticate the client application with the authorization server. QuickSight supports client credentials based OAuth for Snowflake for the following two mechanisms:
- Token (client secret-based OAuth): The secret-based client authentication mechanism is used with the client credentials grant flow to authenticate with the authorization server. This scheme requires the client_id and client_secret of the OAuth client app to be stored in Secrets Manager.
- X509 (client private key JWT-based OAuth): The X509 certificate key-based mechanism adds a security layer to OAuth by authenticating with a client certificate and its private key instead of a client secret: the client signs a JWT with the private key and presents it to the authorization server, so no shared secret has to be transmitted. This method is primarily used by confidential clients that have a strong trust relationship with the authorization server.
QuickSight has validated OAuth connections with the following identity providers:
- Okta
- PingFederate
Storing OAuth credentials in Secrets Manager
OAuth client credentials are meant for machine-to-machine use cases and are not designed to be interactive. To create a data source connection between QuickSight and Snowflake, create a new secret in Secrets Manager that contains the credentials for your OAuth client app. The ARN of the new secret is what you pass to QuickSight when creating the data source; datasets that contain Snowflake data are then built on that data source. For more information about using Secrets Manager secrets in QuickSight, see Using AWS Secrets Manager secrets instead of database credentials in Amazon QuickSight.
The credentials that you need to store in Secrets Manager depend on the OAuth mechanism that you use. The following key/value pairs are required for X509-based OAuth secrets:
- username: The Snowflake account username to use when connecting to Snowflake
- client_id: The OAuth client ID
- client_private_key: The OAuth client private key
- client_public_key: The OAuth client certificate public key together with its signing algorithm and key ID (for example, {"alg": "RS256", "kid": "cert_kid"})
The following key/value pairs are required for token-based OAuth secrets:
- username: The Snowflake account username to use when connecting to Snowflake
- client_id: The OAuth client ID
- client_secret: The OAuth client secret
Creating a Snowflake OAuth connection with the QuickSight APIs
After you create a secret in Secrets Manager that contains your Snowflake OAuth credentials and have connected your QuickSight account to Secrets Manager, you can establish a data source connection between QuickSight and Snowflake with the QuickSight APIs and SDK. The following example creates a Snowflake data source connection using token-based OAuth client credentials. Note that AuthenticationType must match the kind of secret that SecretArn points to (TOKEN for a client_secret-based secret, X509 for a private-key-based secret).
{
  "AwsAccountId": "AWSACCOUNTID",
  "DataSourceId": "UNIQUEDATASOURCEID",
  "Name": "NAME",
  "Type": "SNOWFLAKE",
  "DataSourceParameters": {
    "SnowflakeParameters": {
      "Host": "HOSTNAME",
      "Database": "DATABASENAME",
      "Warehouse": "WAREHOUSENAME",
      "AuthenticationType": "TOKEN",
      "DatabaseAccessControlRole": "snowflake-db-access-role-name",
      "OAuthParameters": {
        "TokenProviderUrl": "oauth-access-token-endpoint",
        "OAuthScope": "oauth-scope",
        "IdentityProviderResourceUri": "resource-uri",
        "IdentityProviderVpcConnectionProperties": {
          "VpcConnectionArn": "IdP-VPC-connection-ARN"
        }
      }
    }
  },
  "VpcConnectionProperties": {
    "VpcConnectionArn": "VPC-connection-ARN-for-Snowflake"
  },
  "Credentials": {
    "SecretArn": "oauth-client-secret-ARN"
  }
}
For more information about the CreateDataSource API operation, see CreateDataSource.
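The following script ties the two previous steps together: it builds the Secrets Manager secret for either OAuth mechanism with the key/value pairs listed above, and then builds a CreateDataSource request body that references that secret, refusing to pair a TOKEN request with an X509 secret or vice versa. It is an added example for this page, not code from the AWS documentation or SDK. The two functions that call AWS assume boto3 is installed and credentials are configured; the PEM check on the private key is an added sanity check, and every hostname, ARN and ID in the demo is a constructed placeholder.

```python
"""Build a Snowflake OAuth secret for Secrets Manager and a matching CreateDataSource body.

Added example for this page, not code from the AWS documentation. The two AWS calls at the
bottom need boto3 and credentials; everything else runs offline. All hostnames, ARNs and IDs
in the demo are constructed placeholders.
"""
import json

# Required key/value pairs per OAuth mechanism, as listed in the secret tables above.
REQUIRED_KEYS = {
    "TOKEN": ("username", "client_id", "client_secret"),
    "X509": ("username", "client_id", "client_private_key", "client_public_key"),
}


def build_secret(auth_type, **fields):
    """Return the SecretString JSON for the given AuthenticationType (TOKEN or X509).

    Raises ValueError when a required key is missing, when the X509 public-key metadata
    lacks "alg"/"kid", or when the private key is not PEM (an added sanity check).
    """
    auth_type = auth_type.upper()
    if auth_type not in REQUIRED_KEYS:
        raise ValueError(f"unsupported AuthenticationType {auth_type!r}")
    missing = [k for k in REQUIRED_KEYS[auth_type] if not fields.get(k)]
    if missing:
        raise ValueError(f"{auth_type} secret is missing {missing}")
    if auth_type == "X509":
        meta = fields["client_public_key"]
        meta = json.loads(meta) if isinstance(meta, str) else dict(meta)
        if not {"alg", "kid"} <= set(meta):
            raise ValueError('client_public_key must carry "alg" and "kid"')
        fields["client_public_key"] = json.dumps(meta)
        if "PRIVATE KEY-----" not in fields["client_private_key"]:
            raise ValueError("client_private_key does not look like a PEM private key")
    # Store only the documented keys; anything else in `fields` is dropped.
    return json.dumps({k: fields[k] for k in REQUIRED_KEYS[auth_type]})


def build_create_data_source(aws_account_id, data_source_id, name, secret_arn, secret_string,
                             auth_type, host, database, warehouse, token_provider_url,
                             oauth_scope=None, resource_uri=None, idp_vpc_arn=None,
                             snowflake_vpc_arn=None, role=None):
    """Return the CreateDataSource request body as a dict.

    Cross-checks that the secret content was built for the same AuthenticationType,
    so a TOKEN data source never references an X509 secret or vice versa.
    """
    auth_type = auth_type.upper()
    secret = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS[auth_type] if k not in secret]
    if missing:
        raise ValueError(f"secret lacks {missing}, required for AuthenticationType {auth_type}")
    oauth = {"TokenProviderUrl": token_provider_url}
    if oauth_scope:
        oauth["OAuthScope"] = oauth_scope
    if resource_uri:
        oauth["IdentityProviderResourceUri"] = resource_uri
    if idp_vpc_arn:
        oauth["IdentityProviderVpcConnectionProperties"] = {"VpcConnectionArn": idp_vpc_arn}
    snowflake = {"Host": host, "Database": database, "Warehouse": warehouse,
                 "AuthenticationType": auth_type, "OAuthParameters": oauth}
    if role:  # without this, the user's default Snowflake role decides which tables are visible
        snowflake["DatabaseAccessControlRole"] = role
    body = {
        "AwsAccountId": aws_account_id,
        "DataSourceId": data_source_id,
        "Name": name,
        "Type": "SNOWFLAKE",
        "DataSourceParameters": {"SnowflakeParameters": snowflake},
        "Credentials": {"SecretArn": secret_arn},
    }
    if snowflake_vpc_arn:
        body["VpcConnectionProperties"] = {"VpcConnectionArn": snowflake_vpc_arn}
    return body


def store_secret(secret_name, secret_string, region):
    """Create the secret and return its ARN (needs boto3 and AWS credentials)."""
    import boto3
    sm = boto3.client("secretsmanager", region_name=region)
    return sm.create_secret(Name=secret_name, SecretString=secret_string)["ARN"]


def create_data_source(body, region):
    """Submit the body built above to the QuickSight CreateDataSource API."""
    import boto3
    return boto3.client("quicksight", region_name=region).create_data_source(**body)


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own before calling AWS.
    secret_string = build_secret("TOKEN", username="qs_svc_user",
                                 client_id="0oa-example-client", client_secret="example-secret")
    body = build_create_data_source(
        "111122223333", "snowflake-oauth-ds", "Snowflake via OAuth",
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:qs-snowflake-oauth-AbCdEf",
        secret_string, "TOKEN", "example.snowflakecomputing.com", "ANALYTICS", "BI_WH",
        "https://idp.example.com/oauth2/v1/token", oauth_scope="session:role:ANALYST",
        role="ANALYST")
    print(json.dumps(body, indent=2))
```

To go live, call store_secret with the string from build_secret, pass the returned ARN to build_create_data_source, and hand the body to create_data_source. Keeping the secret string out of the request body (only its ARN travels to QuickSight) is the whole point of the Secrets Manager indirection, so never log the value returned by build_secret.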
Once the connection between QuickSight and Snowflake is established and a data source is created with the QuickSight APIs or SDK, the new data source is displayed in QuickSight. QuickSight authors can use this data source to create datasets that contain Snowflake data. Tables are displayed based on the role specified in the DatabaseAccessControlRole parameter of the CreateDataSource API call. If this parameter is not set when the data source connection is created, the user's default Snowflake role is used, so set it explicitly if you want the data source limited to a least-privilege role rather than whatever default the service user happens to have.
After you have successfully created a data source connection between your QuickSight and Snowflake accounts, you can begin creating QuickSight datasets that contain Snowflake data.