Snowflake OAuth
Deepnote allows each user to authenticate to Snowflake using their own credentials.
Greater security with Snowflake OAuth
With Snowflake OAuth you can give every member of your Deepnote workspace their own set of credentials. You can ensure higher security by using short-lived tokens and enabling the use of multi-factor authentication. Follow the principle of least privilege and use granular access control for various Snowflake resources to ensure everyone can only access the data they need.
The integration uses Snowflake's built-in OAuth service to provide authentication through a custom client integration.
Creating the integration
This section provides step-by-step instructions for setting up Snowflake OAuth authentication for use in Deepnote.
- Please navigate to the Snowflake console (i.e., Snowsight) and create a security integration by running this code:

    create security integration oauth_deepnote
      type=oauth
      enabled=true
      oauth_client=CUSTOM
      oauth_client_type='CONFIDENTIAL'
      oauth_redirect_uri='https://deepnote.com/auth/snowflake/native-callback'
      oauth_issue_refresh_tokens=true
      oauth_refresh_token_validity=86400;

- Run the following code and note the Client ID returned in the output. We will refer to it as OAUTH_CLIENT_ID in the following steps.

    describe security integration oauth_deepnote;

- Run the following code to print the Client Secret. We will refer to it as OAUTH_CLIENT_SECRET in subsequent steps.

    select system$show_oauth_client_secrets('OAUTH_DEEPNOTE');

- After heading back to Deepnote, create a Snowflake integration as described in our main Snowflake docs.
- Select Snowflake OAuth as the authentication method and enter your OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET into the Client ID and Client Secret fields, respectively.
- Lastly, click "Create integration".
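The following added example (not taken from Deepnote's or Snowflake's documentation) shows one way to apply the least-privilege advice above to the oauth_deepnote integration: a narrowly scoped role, a blocked-roles list on the integration, and a review of the tokens users have authorized. The role, warehouse, database, schema and user names (deepnote_analyst, analytics_wh, analytics_db, reporting, jdoe) are hypothetical.

```sql
-- Added example. Hypothetical object names: deepnote_analyst, analytics_wh,
-- analytics_db, reporting, jdoe. Replace them with your own.

-- 1. A narrowly scoped role: read-only access to one schema, one warehouse.
create role if not exists deepnote_analyst;
grant usage on warehouse analytics_wh to role deepnote_analyst;
grant usage on database analytics_db to role deepnote_analyst;
grant usage on schema analytics_db.reporting to role deepnote_analyst;
grant select on all tables in schema analytics_db.reporting to role deepnote_analyst;
grant role deepnote_analyst to user jdoe;

-- 2. Keep broad roles out of sessions opened through this integration.
--    ACCOUNTADMIN, ORGADMIN and SECURITYADMIN are blocked by default;
--    this adds SYSADMIN to the list.
alter security integration oauth_deepnote
  set blocked_roles_list = ('SYSADMIN');

-- 3. Confirm the settings that are now in effect (redirect URI,
--    refresh token validity, blocked roles).
describe security integration oauth_deepnote;

-- 4. Review which users have authorized this integration to act for them.
show delegated authorizations to security integration oauth_deepnote;

-- 5. Revoke a user's tokens for this integration, for example during
--    offboarding or after a suspected credential compromise.
alter user jdoe remove delegated authorizations
  from security integration oauth_deepnote;
```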
AWS PrivateLink
If your Snowflake instance is configured to use AWS PrivateLink, add the suffix “.privatelink” to the account name. For example, in the Snowflake Deepnote integration settings, your account name would appear as abc12345.us-east-1.privatelink.
Deepnote will use the private URL when redirecting users to the SSO screen and the standard URL (without the “.privatelink” suffix) when executing queries and exchanging tokens.
Using the Snowflake OAuth integration
When you create an app from a notebook that uses the integration, every app user will need to authenticate with their own account. They will be prompted to sign in using Snowflake OAuth during the execution of the app. The results they see will depend on the permissions they have.