The ACCOUNTADMIN role (or a role with the global CREATE INTEGRATION privilege) is required to create the OAuth security integration. Note: ACCOUNTADMIN, SECURITYADMIN, ORGADMIN, and GLOBALORGADMIN are blocked from OAuth by default and cannot be used as the Snowflake Role.

Create an OAuth security integration

A custom OAuth security integration registers StackOne as an OAuth client in your Snowflake account and pre-authorizes the role your users will connect with.

1

Sign in to Snowflake

Sign in to your Snowflake account.

  • In the left sidebar, go to Projects > Workspaces.
  • Click + Add new to create a new SQL worksheet.

2

Create the security integration

Run the following SQL, replacing <integration_name> with a name of your choice (e.g., STACKONE_OAUTH) and <role_name> with the Snowflake role your users will authorize with.

CREATE SECURITY INTEGRATION <integration_name>
  TYPE = OAUTH
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://api.stackone.com/connect/oauth2/snowflake/callback'
  ENABLED = TRUE
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
  PRE_AUTHORIZED_ROLES_LIST = ('<role_name>');

  • OAUTH_REFRESH_TOKEN_VALIDITY is in seconds; 7776000 equals 90 days.
  • The role in PRE_AUTHORIZED_ROLES_LIST must exactly match the Snowflake Role field.
  • Example: if your users connect with the SYSADMIN role, use PRE_AUTHORIZED_ROLES_LIST = ('SYSADMIN') and enter SYSADMIN as the Snowflake Role.
  • To find a role: your current role is shown next to your username in the bottom-left corner of Snowsight (e.g., ACCOUNTADMIN). Note that ACCOUNTADMIN, SECURITYADMIN, ORGADMIN, and GLOBALORGADMIN are blocked for OAuth, so pick a non-blocked role such as SYSADMIN.
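
The role named in PRE_AUTHORIZED_ROLES_LIST bounds what any token issued through this integration can do, so a dedicated, narrowly scoped role limits exposure more than a broad role such as SYSADMIN. The following is an added example, not part of StackOne's or Snowflake's documentation; the role, warehouse, database, schema, user and integration names are hypothetical placeholders, and the read-only grants are an assumption to adjust to the Actions you enable.

```sql
-- Added example: every object name below is a hypothetical placeholder.
-- Assumes the executing role may create roles, grant on these objects,
-- and alter the integration.

-- 1. Dedicated role that carries only what the connector needs.
CREATE ROLE IF NOT EXISTS STACKONE_READER;

-- Compute plus read-only access to a single schema (assumed scope).
GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE STACKONE_READER;
GRANT USAGE ON DATABASE ANALYTICS_DB TO ROLE STACKONE_READER;
GRANT USAGE ON SCHEMA ANALYTICS_DB.REPORTING TO ROLE STACKONE_READER;
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS_DB.REPORTING
  TO ROLE STACKONE_READER;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS_DB.REPORTING
  TO ROLE STACKONE_READER;

-- 2. A user can only authorize with a role that has been granted to them.
GRANT ROLE STACKONE_READER TO USER JANE_DOE;

-- 3. Point the integration at the scoped role. Enter the same name,
--    STACKONE_READER, in the Snowflake Role field.
ALTER SECURITY INTEGRATION STACKONE_OAUTH
  SET PRE_AUTHORIZED_ROLES_LIST = ('STACKONE_READER');

-- 4. Review the result: check the redirect URI, refresh token validity,
--    pre-authorized roles and blocked roles reported for the integration,
--    then confirm the role holds nothing beyond the grants above.
DESCRIBE SECURITY INTEGRATION STACKONE_OAUTH;
SHOW GRANTS TO ROLE STACKONE_READER;
```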

Retrieve your OAuth client credentials

Snowflake generates the client credentials when the integration is created; they are retrieved with a system function rather than shown in the UI.

1

Fetch the client credentials

In the same worksheet, run the following SQL, replacing <INTEGRATION_NAME> with your integration name in uppercase, wrapped in single quotes.

SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('<INTEGRATION_NAME>');

2

Copy your credentials

The result is a JSON object containing your client credentials. Store them securely for use later.

  • oauth_client_id is your OAuth Client ID
  • oauth_client_secret is your OAuth Client Secret

Creating the StackOne Connector Profile

To create the Connector Profile in StackOne for Snowflake:

1

Navigate to Connector Profiles

Log in to StackOne and navigate to Connector Profiles.

2

Create New Connector Profile

  • Click + Connector Profile
  • Search for and select Snowflake
  • Select Type as OAuth 2.0
  • Fill out the fields using details retrieved from your provider:
    • OAuth Client ID
    • OAuth Client Secret
    • Snowflake Role
  • (Optional) Select Actions to be enabled for this Connector Profile
  • Click Create profile

Congratulations! The new Connector Profile will now show up in your project ready to be used. You can now continue to Link Accounts for Snowflake.