When publishing a workflow to Alteryx Server which uses a Snowflake connection what is the recommended authentication method? When set to externalBrowser, my understanding is that this will always require a user to authenticate by entering in their credentials in the browser pop-up. Currently, the customer is getting a "Error SQLDriverConnect: [Simba][Snowflake] (38) Failed to authenticate a user by external browser: 31." error message when using a DSN with that Snowlfake authentication method. This theory is supported by the comment by @jonnyrask here: * https://community.alteryx.com/t5/Alteryx-Designer-Discussions/Snowflake-SSO-and-Alteryx-Designer/td-p/919002 The customer in this case is using Integrated Windows authentication with Kerberos for Alteryx and Snowflake is using the SSO login authentication. I know the various Snowflake authentication methods are listed in the link below, and the Alteryx Snowflake documentation talks about a "Snowflake JWT" but unfortunately this area isn't my forte, so I'm trying to gather enough information to pass on to those with better practical experiencing using Snowflake. * https://docs.snowflake.com/en/user-guide/odbc-parameters.html#:~:text=SQLSetConnectAttr%20function.-,authenticator,-Specifies%20the%20authenticator

Hello again! They just got back to us to report that the issue is still ongoing for them. Did you have any luck resolving this in your case?

Snowflake authentication method if running a workflow through the Server/Gallery?

JonathanAllenby

When publishing a workflow to Alteryx Server which uses a Snowflake connection what is the recommended authentication method?

When set to externalBrowser, my understanding is that this will always require a user to authenticate by entering in their credentials in the browser pop-up.

Currently, the customer is getting a "Error SQLDriverConnect: [Simba][Snowflake] (38) Failed to authenticate a user by external browser: 31." error message when using a DSN with that Snowlfake authentication method.

This theory is supported by the comment by @jonnyrask here:

https://community.alteryx.com/t5/Alteryx-Designer-Discussions/Snowflake-SSO-and-Alteryx-Designer/td-p/919002

The customer in this case is using Integrated Windows authentication with Kerberos for Alteryx and Snowflake is using the SSO login authentication.

I know the various Snowflake authentication methods are listed in the link below, and the Alteryx Snowflake documentation talks about a "Snowflake JWT" but unfortunately this area isn't my forte, so I'm trying to gather enough information to pass on to those with better practical experiencing using Snowflake.

https://docs.snowflake.com/en/user-guide/odbc-parameters.html#:~:text=SQLSetConnectAttr%20function.-,authenticator,-Specifies%20the%20authenticator

Gallery

Input

Tips and Tricks

Connectors

Server

Best Practices

Database Connection

Accepted answers

All comments

dhechle

Hi Jonathan, I'm interested in if you got anywhere with this as we have a similar scenario now and am looking at the best approach to take.

apathetichell

externalbrowser is set up in the odbc 64 config for a single user. This is also true in manage in-db.

This is not functional for Server where you do not have a single user who would be authenticating all Snowflake requests. Snowflake could potentially authenticate via Python (I haven't tried a POC - Snowflake system I'm on doesn't use Server) with the user name passed in as a variable to your python script and externalbrowser set for authentication.

The better way to do this is to set up a Service Account/Robot User for Server and use that to query Snowflake. This means the dreaded JWT or username/token authentication.

JonathanAllenby

Last update we had from the customer before the case went cold:

"We have asked Snowflake team regarding the advised solutions.

They have said that creating Standalone alone password won’t be possible with SSO login at organization level.

We have asked them if it will be possible to create service account, waiting for their response."

Sorry I can't provide any better news here.

apathetichell

I can guarantee you that your client has a service account with Snowflake. The issue is can they get Alteryx a service account with Snowflake - and that's usually internal.

dhechle

Thanks for the reply, next step is to test the keypair authentication with JWT, just waiting for firewall rules to be allowed to complete the testing so will report back when tested with a service account.

apathetichell

Alteryx now says that DCM supports Snowflake "Oauth" - which sounds to me like a shorthand for 3 legged oauth - which is what you want.

See this:

https://help.alteryx.com/20223/designer/dcm-supported-connectors-and-tools

You would have to set up Snowflake in your DCM.

Quick Links

This months top contributors

atcodedog05 19458

Qiu 15866

binu_acs 15708

MarqueeCrew 13708

apathetichell 13703