Setting up Snowflake OAuth

dbt Cloud Enterprise supports OAuth authentication with Snowflake. When Snowflake OAuth is enabled, users can authorize their Development credentials using Single Sign On (SSO) via Snowflake rather than submitting a username and password to dbt Cloud.

Configuring a security integration

To enable Snowflake OAuth, you will need to create a security integration in Snowflake to manage the OAuth connection between dbt Cloud and Snowflake.

Create a security integration

In Snowflake, execute a query to create a security integration. The complete reference is in Snowflake's documentation on creating a security integration for custom clients. A sample CREATE OR REPLACE SECURITY INTEGRATION query is shown below.

CREATE OR REPLACE SECURITY INTEGRATION DBT_CLOUD_<PROJECT_NAME>
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
OAUTH_REDIRECT_URI = 'https://cloud.getdbt.com/complete/snowflake'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

| Field | Description |
| --- | --- |
| TYPE | Required |
| ENABLED | Required |
| OAUTH_CLIENT | Required |
| OAUTH_CLIENT_TYPE | Required |
| OAUTH_REDIRECT_URI | Required. If dbt Cloud is deployed on-premises, use the domain name of your application instead of cloud.getdbt.com |
| OAUTH_ISSUE_REFRESH_TOKENS | Required |
| OAUTH_REFRESH_TOKEN_VALIDITY | Required. This configuration dictates the number of seconds that a refresh token is valid for. Use a smaller value to force users to re-authenticate with Snowflake more frequently. |

Additional configuration options may be specified for the security integration as needed.
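
The following is an added example, not part of the dbt Cloud documentation: the same integration with a shorter refresh token lifetime and one additional option, followed by statements to verify it, tighten it in place, and revoke a user's existing authorization. The integration name DBT_CLOUD_ANALYTICS (standing in for DBT_CLOUD_<PROJECT_NAME>), the blocked role SYSADMIN, the user JSMITH and the chosen lifetimes are assumptions.

```sql
-- Added example. Assumed names: DBT_CLOUD_ANALYTICS, SYSADMIN, JSMITH.

-- 1. Create the integration with a 24-hour refresh token instead of the
--    sample's 7776000 seconds (90 days), and block an extra role.
--    Snowflake already blocks ACCOUNTADMIN and SECURITYADMIN by default.
CREATE SECURITY INTEGRATION IF NOT EXISTS DBT_CLOUD_ANALYTICS
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://cloud.getdbt.com/complete/snowflake'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  BLOCKED_ROLES_LIST = ('SYSADMIN');

-- 2. Verify what was actually stored: check OAUTH_REDIRECT_URI,
--    OAUTH_REFRESH_TOKEN_VALIDITY and BLOCKED_ROLES_LIST in the output.
DESCRIBE SECURITY INTEGRATION DBT_CLOUD_ANALYTICS;

-- 3. Tighten the lifetime later with ALTER rather than CREATE OR REPLACE.
--    Replacing the integration recreates it, so the client ID and secret
--    entered in dbt Cloud would have to be read again and re-entered.
ALTER SECURITY INTEGRATION DBT_CLOUD_ANALYTICS
  SET OAUTH_REFRESH_TOKEN_VALIDITY = 28800;  -- 8 hours

-- 4. List a user's OAuth authorizations, then revoke the ones issued
--    through this integration (for example when the user is offboarded).
SHOW DELEGATED AUTHORIZATIONS BY USER JSMITH;
ALTER USER JSMITH
  REMOVE DELEGATED AUTHORIZATIONS FROM SECURITY INTEGRATION DBT_CLOUD_ANALYTICS;
```

After step 4 the user has to go through the Snowflake authorization flow again before dbt Cloud can connect with their development credentials.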

Configure a Connection in dbt Cloud

When configuring a Connection in dbt Cloud, select the "Allow SSO Login" checkbox. Once this checkbox is selected, you will be prompted to enter an OAuth Client ID and OAuth Client Secret. These values can be determined by running the following query in Snowflake:

select SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('DBT_CLOUD_<PROJECT_NAME>');

This query should return a single variant column containing three fields:

  • OAUTH_CLIENT_ID
  • OAUTH_CLIENT_SECRET
  • OAUTH_CLIENT_SECRET_2

Enter the Client ID and Client Secret into dbt Cloud to complete the creation of your Connection. Note that the OAUTH_CLIENT_SECRET_2 field is unused in dbt Cloud configuration.

Configuring OAuth credentials in the dbt Cloud UI

Authorize Developer Credentials

Once Snowflake SSO is enabled, users on the project will be able to configure their credentials in their Profiles. By clicking the "Connect to Snowflake Account" button, users will be redirected to Snowflake to authorize with the configured SSO provider, then back to dbt Cloud to complete the setup process. At this point, users should now be able to use the dbt IDE with their development credentials.