Support SSO authentication for Snowflake #1172
Comments
Thanks for the feature request @adriank-convoy. Some pointers if you want to try to tackle this issue: All snowflake connections are created here. I think this is where you'll want to add the From reading the
dbt has contracts for profile specifications, and you can find the Snowflake one here. I think you'll want to add I like the example profile you provided above! Happy to discuss in this thread (or a PR) if you have any questions about the implementation. Drop me a line on Slack if you have any issues getting set up with a dev environment. GLHF!
Awesome, thanks for pointing me in the right direction. I'll try and take a crack at it sometime this week.
Merged to the next dbt release (Stephen Girard). Thanks for the contribution @adriank-convoy!
@adriank-convoy have you figured out a way to get this working without a user present? e.g. with many SSO flows, you'd get a "refresh token" or some other key after the user authenticates for the first time that would allow to connect when the user is offline. Or are you just running this from the command line and authenticating in the browser every time?
Hey @mike-seekwell, based on a conversation with one of the Snowflake devs (snowflakedb/snowflake-connector-python#140) we requested that they enable the id token cache feature for our account. Once that's enabled, users only need to authenticate through the browser once every 4 hours, and the rest of the requests will use the cached token to authenticate. For our Airflow jobs we've just created 'service' accounts in Snowflake that just have a username & password, and don't authenticate through Okta. These accounts have IP ACLs (via a Snowflake network policy) to make sure they can only authenticate from our machines.
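An added example (not part of the thread and not dbt's or the commenter's own configuration) of the Snowflake-side setup the comment above describes: ID token caching for browser SSO users, plus a password-based service user pinned to known addresses by a network policy. The user, role and policy names, the password placeholder and the IP range (a documentation range) are assumptions.

```sql
-- Run as a role allowed to set account parameters (e.g. ACCOUNTADMIN).

-- 1. Let clients cache the ID token issued after a browser SSO login,
--    so interactive users are not prompted on every new connection.
ALTER ACCOUNT SET ALLOW_ID_TOKEN = TRUE;

-- 2. Network policy listing the only addresses the scheduler connects from.
--    203.0.113.0/24 is a placeholder range, replace it with your own egress IPs.
CREATE NETWORK POLICY airflow_svc_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Restrict service logins to the job scheduler hosts';

-- 3. Service user that authenticates with a password instead of the IdP.
--    Name, role and password are hypothetical; keep the real secret in a vault.
CREATE USER airflow_svc
  PASSWORD = '<generated-secret-placeholder>'
  DEFAULT_ROLE = transformer
  MUST_CHANGE_PASSWORD = FALSE
  COMMENT = 'Non-interactive account for scheduled dbt runs';

-- 4. Attach the policy to that user only. A user-level policy takes
--    precedence over an account-level one, so SSO users are unaffected.
ALTER USER airflow_svc SET NETWORK_POLICY = airflow_svc_policy;

-- 5. Verify what is actually in force.
SHOW PARAMETERS LIKE 'ALLOW_ID_TOKEN' IN ACCOUNT;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER airflow_svc;
DESCRIBE NETWORK POLICY airflow_svc_policy;
```

Grant the service user's role only the privileges the scheduled jobs need, since its password is not protected by the IdP's MFA.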
Got it, thanks @adriank-convoy!
I went through the process of enabling token caching this week and I would like to add some info (snowflakedb/snowflake-connector-python#140 (comment)):
Can someone confirm that with the current version requirements of DBT, token caching is not used?
Hmm, @dmateusp I just excitedly tried this exact setup and no luck, I'm getting multiple popups, seemingly 1 per model when I do requirements.txt for reference
Oh :( any chance you are using Linux? https://docs.snowflake.com/en/user-guide/odbc-parameters.html#using-browser-based-sso-with-connection-caching-macos-and-windows-only
Ah you're absolutely right, I didn't realise only Mac / Windows are supported (I wonder why?)
Yeah no problem, on it now
What would the password be? I have Okta codes, but not passwords
SSO Authentication for Snowflake
Feature description
Snowflake supports SSO through SAML 2.0 compliant identity providers, allowing companies to manage access to Snowflake without provisioning accounts with passwords for each employee. The feature request is to enable the external browser authentication provided by the official Snowflake Python connector when using dbt.
https://docs.snowflake.net/manuals/user-guide/python-connector-example.html#connecting-using-federated-authentication
Based on the options of the above Snowflake connector, the profile might look something like:
Who will this benefit?
Any company using SSO to manage employee access to resources, specifically Okta. We'd really like to avoid managing a separate set of credentials for Snowflake as our company grows. Having tried out the external browser authentication in a few python scripts, it's pretty slick.