community Alteryx IO MyAlteryx
alteryx Community
Search
This Board
  • Global Community
  • This Category
  • This Board
  • Knowledge
  • Users
 cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Close
Free Trial

Alteryx Server Discussions

Find answers, ask questions, and share expertise about Alteryx Server.

Snowflake authentication method if running a workflow through the Server/Gallery?

JonathanAllenby
8 - Asteroid
‎09-07-2022 01:43 AM

When publishing a workflow to Alteryx Server which uses a Snowflake connection what is the recommended authentication method?

 

When set to externalBrowser, my understanding is that this will always require a user to authenticate by entering in their credentials in the browser pop-up.

Currently, the customer is getting a "Error SQLDriverConnect: [Simba][Snowflake] (38) Failed to authenticate a user by external browser: 31." error message when using a DSN with that Snowlfake authentication method.

 

JonathanAllenby_0-1662540173712.png

 

This theory is supported by the comment by @jonnyrask here:

 

The customer in this case is using Integrated Windows authentication with Kerberos for Alteryx and Snowflake is using the SSO login authentication.

 

I know the various Snowflake authentication methods are listed in the link below, and the Alteryx Snowflake documentation talks about a "Snowflake JWT" but unfortunately this area isn't my forte, so I'm trying to gather enough information to pass on to those with better practical experiencing using Snowflake.

 

Reply
0 Likes
7 REPLIES 7
dhechle
5 - Atom
‎11-25-2022 06:01 AM

Hi Jonathan, I'm interested in if you got anywhere with this as we have a similar scenario now and am looking at the best approach to take.

Reply
0 Likes
apathetichell
19 - Altair
‎11-30-2022 04:39 PM

externalbrowser is set up in the odbc 64 config for a single user. This is also true in manage in-db. 

 

This is not functional for Server where you do not have a single user who would be authenticating all Snowflake requests. Snowflake could potentially authenticate via Python (I haven't tried a POC - Snowflake system I'm on doesn't use Server) with the user name passed in as a variable to your python script  and externalbrowser set for authentication.

 

The better way to do this is to set up a Service Account/Robot User for Server and use that to query Snowflake. This means the dreaded JWT or username/token authentication.

 

 

 

Reply
JonathanAllenby
8 - Asteroid
‎12-07-2022 03:50 AM

Last update we had from the customer before the case went cold:

 

 

"We have asked Snowflake team regarding the advised solutions.

They have said that creating Standalone alone password won’t be possible with SSO login at organization level.

We have asked them if it will be possible to create service account, waiting for their response."

 

Sorry I can't provide any better news here.

Reply
apathetichell
19 - Altair
‎12-07-2022 08:52 AM

I can guarantee you that your client has a service account with Snowflake. The issue is can they get Alteryx a service account with Snowflake - and that's usually internal.

Reply
0 Likes
dhechle
5 - Atom
‎12-07-2022 11:32 AM

Thanks for the reply, next step is to test the keypair authentication with JWT, just waiting for firewall rules to be allowed to complete the testing so will report back when tested with a service account.  

Reply
0 Likes
JonathanAllenby
8 - Asteroid
‎02-16-2023 01:45 AM

Hello again!

They just got back to us to report that the issue is still ongoing for them.


Did you have any luck resolving this in your case?

Reply
0 Likes
apathetichell
19 - Altair
‎02-16-2023 10:32 AM

Alteryx now says that DCM supports Snowflake "Oauth" - which sounds to me like a shorthand for 3 legged oauth - which is what you want.

See this:

https://help.alteryx.com/20223/designer/dcm-supported-connectors-and-tools

 

You would have to set up Snowflake in your DCM.

Reply
0 Likes
server new user guide
Labels
Top Solution Authors
View All