Role Switching with Snowflake OAuth¶
Alation Cloud Service Applies to Alation Cloud Service instances of Alation
Customer Managed Applies to customer-managed instances of Alation
Snowflake Built-In OAuth¶
Role switching is not supported with Snowflake built-in OAuth. With built-in OAuth, Compose users can connect with either of the following:
The role they provided in the Connection URI
The role specified in the Default Scope in the OAuth configuration parameters in Alation
If neither of the above is specified, then the connection will be established with the default role assigned to them in Snowflake. If no default role is assigned, the connection uses the role
Snowflake External OAuth¶
Role switching is supported with the External OAuth configuration. This means the
USE ROLE statement in Compose can be used to switch to any role accessible to the Snowflake user.
Role switching needs the Default Scope to be set to
To apply the Default Scope
SESSION:ROLE-ANY, ensure that the
EXTERNAL_OAUTH_ANY_ROLE_MODEfield is set to
ENABLEin the Snowflake security integration used in the External OAuth configuration.
Even if the Default Scope for the data source includes
SESSION:ROLE-ANY, any role specified by the user in the connection URI will still validly result in additional scope specified in the authorization request. For example, Okta issues an access token valid for both scopes.
If the Default Scope for the data source includes a specific Snowflake role, the more permissive role is assigned as the current role when the connection is initiated even if the user’s default role is less permissive. In this case, role switching is not allowed as it is only enabled with the
SESSION:ROLE-ANY value specified in the Default Scope.
Case-Sensitive Roles or Roles with Special Characters¶
Applies from version 2021.3
Snowflake roles that are case-sensitive or contain special characters require double-quoted identifiers in order to be resolved. An example can be a role defined in Snowflake as
CREATE ROLE IF NOT EXISTS "role.name"
A user may have such a role assigned as their default role. If not, they should follow the recommendations below to switch to such a role.
Switch roles with the
USE ROLE statement and using the double-quoted identifiers.
Built-in Snowflake OAuth¶
Specify the role in the connection URI, using URL-encoding for the role name, for example: