With this resource, we're starting a series of posts published by Alteryx Data Connectors team covering required configuration of Azure Active Directory with Snowflake, Databricks and Microsoft Exchange Online.
Alteryx 2022.3 release introduced Azure Active Directory (Azure AD) authentication support, Single Sign-On (SSO), for Snowflake. This update allows users to authenticate to Snowflake with Azure AD accounts. Alteryx Designer 2022.3 release enables users leverage two types of Azure AD application configurations to access Snowflake data: single-tenant and multi-tenant application. This post covers multi-tenant application configuration.
To access Snowflake data with Azure AD accounts, users are required to have the following configuration in place:
Have the latest version of Snowflake ODBC driver installed on users' machines. The latest version can be downloaded from Alteryx Data sources page: Data Sources | Alteryx Help
Security integration, also known as Trust, configured between organisation’s Azure AD tenant and Snowflake instance;
Obtain authentication details required to setup a new connection between Alteryx Designer and Snowflake.
Multi-tenant application setup
In this post we will cover how to:
Create a security integration between Azure AD and Snowflake,
Connect to Snowflake using Azure AD account from Alteryx Designer.
Important: Please note, the following example is intended for demonstration purposes only. We recommend engaging your systems team to help you with the configuration. This example covers multi-tenant OAuth implementation.
To allow users access Snowflake using Azure Active Directory identities organisations first need to setup a security integration between Snowflake and Azure AD. To establish this trust, make sure that users exist and are identified by the same user principal names (UPNs) in both Snowflake and Azure AD. Snowflake recommends using user email address as UPN. You can refer to the official Snowflake documentation for details.
Once the above requirement is satisfied, obtain the following details from your Azure Active Directory account:
external_oauth_issuer,
external_oauth_jws_keys_url,
external_oauth_audience_list.
External_oauth_issuer - is logon tokens issuer identifier. This value is automatically assigned to each Azure AD tenant and can be compiled by replacing tenant_id with id of your Azure AD tenant:
https://sts.windows.net/{{tenant_id}}/
External_oauth_jws_keys_url - is the uri of your tenant jws keys. It is used to validate authenticity of access tokens issued by your Azure AD tenant. This value is automatically assigned to each Azure AD tenant and can be compiled by replacing tenant_id with id of your Azure AD tenant:
https://login.microsoftonline.com/{{tenant_id}}/discovery/v2.0/keys
External_oauth_audience_list - is static audience value assigned to all tokens issued by Alteryx Azure Active Directory OAuth application. This OAuth application is used when you create a connection using Azure OAuth with Alteryx Application authentication method. The value of this parameter is https://ayxdev.onmicrosoft.com
Now that you have collected these details, you can finally go ahead and create the security integration. Log in to your Snowflake instance and run the following query providing values collected above:
Important: To execute below query you need to be signed in with ACCOUNTADMIN role
This SQL establishes trust between Snowflake and Azure AD and makes Snowflake trust access tokens issued by this specific issuer, the Azure AD tenant.
Access Snowflake data with Azure AD accountNow that you have established trust, you can access your data in Snowflake from Alteryx Designer using your Azure AD account. Add input or output tool, check “Use Data Connection Manager (DCM)” box and select Snowflake from the list of available data sources in Alteryx Designer.
Next, select Quick Connect option, provide your Snowflake instance details.
Create new credential and select Azure AD authentication method:
After filling out above details and clicking connect, you will be redirected to the Azure AD login page. You will be prompted to login with your Azure AD account, grant this application required permissions, and you will be able to read you Snowflake data using Azure AD account.
Related documentation
Please refer to the following documentation to learn more about Azure Active Directory and Snowflake integration.
Configure Microsoft Azure AD for External OAuth | Snowflake Documentation
Common issues
Depending on your Azure AD configuration, individual users might not be able to grant required consent to Azure AD application. In this case you might be presented with one of the following cases:
Approval request submitted to account admin. You are presented with the following prompt asking you to submit approval request to your account admin who would need to approve and grant required access to this application.
Upon submitting request, your account admin receives a notification and needs to approve your request. Once approval is granted, you can reset the connection and be able to access your Snowflake data.
Need admin approval. This screen appears when your Azure AD settings don’t allow individual users grant consent to applications. In this specific case, accounts setting doesn’t allow users to submit approval requests to your directory admin. To resolve this problem, you should ask your account admin to use his/her credentials when first setting up connection from Alteryx Designer and provide consent to this app on behalf of the organisation. Upon completing these steps, all further Azure AD tenant users will be able to grant consent without further approvals. Alternatively, you might want to ask your Azure AD admin to update your tenant consent policy to allow users submit approval requests to account admin.
Is it possible to use this with In-DB connections?
Hi @TonyAdam , absolutely. Azure-AD based authentication is enabled for Input/Output and InDB connections.