ThoughtSpot supports Snowflake’s internal OAuth for a Snowflake connection. With OAuth, each ThoughtSpot user authenticates with Snowflake and authorizes ThoughtSpot to query the database using their Snowflake user account.
For Snowflake connections that use internal OAuth, users must log in when their OAuth tokens expire. The amount of time that Snowflake OAuth tokens are valid is set in Snowflake.
Configuring a Snowflake database for internal OAuth with ThoughtSpot
To add a Snowflake connection to ThoughtSpot using internal OAuth, you must set up the OAuth integration in Snowflake. This requires a Snowflake user account with ACCOUNTADMIN permission.
In your Snowflake database, do the following:
- In the worksheet view, enter the following commands, and click Run:
SHOW USERS; SHOW SECURITY INTEGRATIONS; CREATE OR REPLACE SECURITY INTEGRATION <enter a name for your security role> TYPE = OAUTH OAUTH_CLIENT = CUSTOM OAUTH_CLIENT_TYPE = <enter a client type> OAUTH_REDIRECT_URI = 'https://<public url of your ThoughtSpot instance>/callosum/v1/connection/generateTokens' ENABLED = TRUE COMMENT = '<enter a description of your security profile>' - At the bottom of what you entered in step 1, add an empty line, and then enter the following to describe your security integration:
DESCRIBE SECURITY INTEGRATION <enter description of your security integration>; SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('<enter same description of your security integration as previous line');Example of a full query:
SHOW USERS; SHOW SECURITY INTEGRATIONS; CREATE OR REPLACE SECURITY INTEGRATION OAUTH_CONFIG TYPE = OAUTH OAUTH_CLIENT = CUSTOM OAUTH_CLIENT_TYPE = 'CONFIDENTIAL' OAUTH_REDIRECT_URI = 'https://177.122.45.2/callosum/v1/connection/generateTokens' ENABLED = TRUE COMMENT = 'Profile for passthrough' DESCRIBE SECURITY INTEGRATION OAUTH_CONFIG; SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('OAUTH_CONFIG'); -
Click the Run button to run the full query.
The Details window appears displaying a JSON object.
-
Copy the JSON object and click Done to close the window.
-
Paste the contents into a text editor.
Example:
{"OAUTH_CLIENT_SECRET_2":"KqKBu0xOxPtmk+RKvNP0+eIAMlFxMsu8rRh6s5q1qLY", "OAUTH_CLIENT_SECRET":"KdKBb0aOxPzml+RJvMP1/eIEMlFxM/su6rPh2wLZ", "OAUTH_CLIENT_ID":"aOxPzmlRJvCP5eIUMlFxMbu6rJh7mTO="} -
For OAUTH_CLIENT_ID, copy the information between quotes after the colon (:).
Example:
aOxPzmlRJvCP5eIUMlFxMbu6rJh7mTO=Note: Make sure you include the equals sign (=), if it exists. -
In the Snowflake connection details page in ThoughtSpot, paste the OAuth client ID in the OAuth Client ID field.
-
For OAUTH_CLIENT_SECRET, copy the information between quotes after the colon (:).
Example:
KdKBb0aOxPzml+RJvMP1/eIEMlFxM/su6rPh2wLZ -
In the Snowflake connection details page in ThoughtSpot, paste the OAuth client ID in the OAuth Client Secret field.
Note: Once a connection is created the token associated with the user login credentials for the connection is stored in ThoughtSpot for 90 days.
Sharing a worksheet built from tables in a Snowflake connection that uses OAuth
When you share a ThoughtSpot object (worksheet, Liveboard, or answer) that references a Snowflake connection that uses OAuth authentication, the user is prompted to log in to Snowflake before they can view any data. When viewing the Liveboard, answer, or running a search on the worksheet, ThoughtSpot displays a message telling the user to log in with a button to initiate the login process.