Configure External OAuth for Snowflake: Client Credentials Flow
OAuth client credentials authentication enables machine-to-machine connections to Snowflake
without user interaction. This method is ideal for:
-
Service accounts for automated data refreshes
-
Scheduled extract jobs
-
CI/CD pipelines
-
Published data sources that require embedded credentials
Unlike standard OAuth (which uses the authorization code flow), client credentials flow does not
prompt users to sign in. Instead, Tableau authenticates directly with your identity provider using a
client ID and secret.
Note: Client credentials flow requires Snowflake's External OAuth feature with a supported identity provider. This is different from Snowflake's native OAuth.
Before you begin
To use OAuth client credentials with Snowflake you need:
| Requirement | Description |
|---|---|
| Identity provider | Okta, Azure AD, or Ping Federate configured for client credentials grant |
| Snowflake account | Enterprise edition or higher with ACCOUNTADMIN access |
| OAuth application | API Services (Okta), App Registration (Azure AD), or equivalent |
| Custom scopes | Scopes for Snowflake role assignment (e.g., `session:role:SYSADMIN` ) |
Configure your identity provider
The following steps use Okta as an example. For other providers, consult their documentation for client credentials configuration.
Step 1: Create an API Services Application
-
Sign in to your Okta Admin Console.
-
Go to **Applications > Applications.
-
Select **Create App Integration.
-
Choose **API Services** and select **Next.
-
Enter an application name (for example,
snowflake-tableau-service). -
Select Save.
-
Copy the Client ID and Client Secret. You will need these values later.
Step 2: Disable DPoP (if enabled)
Demonstrating Proof of Possession (DPoP) must be disabled for client credentials flow.
-
In your application settings, go to General > Client Credentials.
-
Clear the Require Demonstrating Proof of Possession (DPoP) header in token requests checkbox.
-
Select Save.
Step 3: Add Custom Scopes
Snowflake requires custom scopes to assign roles to the authenticated session.
-
Go to Security > API > Authorization Servers.
-
Select the default authorization server (or your custom server).
-
Select the Scopes tab, then Add Scope.
-
Add these scopes:
Scope Name Description snowflake General access scope for Snowflake session:role:SYSADMIN Assigns the SYSADMIN role (adjust for your role) Note: Create additional scopes for any other roles your service account needs.
Step 4: Configure an Access Policy
-
Select the Access Policies tab.
-
Select an existing policy or create a new one.
-
Add a rule with these settings:
-
Grant type: Client Credentials
-
Scopes: Any scopes (or select specific scopes)
-
-
Select Create Rule or Save.
Configure Snowflake
Run the following SQL statements in Snowflake as ACCOUNTADMIN. Replace the placeholder values with your configuration.
Step 1: Create the External OAuth Integration
USE ROLE ACCOUNTADMIN;
CREATE OR REPLACE SECURITY INTEGRATION okta_oauth_integration
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = OKTA
EXTERNAL_OAUTH_ISSUER = 'https://<your-okta-domain>.okta.com/oauth2/default'
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://<your-okta-domain>.okta.com/oauth2/
default/v1/keys'
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('api://default', 'snowflake')
EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
| Parameter | Description |
|---|---|
EXTERNAL_OAUTH_TYPE
|
Your identity provider: OKTA , AZURE , or
PING_FEDERATE |
EXTERNAL_OAUTH_ISSUER |
The issuer URL from your authorization server |
EXTERNAL_OAUTH_JWS_KEYS_URL
|
The JWKS endpoint for token validation |
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLA
IM
|
The JWT claim that identifies the user. Use
sub for Okta. |
EXTERNAL_OAUTH_ANY_ROLE_MODE
|
Set to ENABLE to allow role assignment via
scopes |
Step 2: Create a Service User
Create a Snowflake user with a LOGIN_NAME that matches the OAuth client ID.
CREATE USER IF NOT EXISTS service_account_user
LOGIN_NAME = '<your-okta-client-id>'
DISPLAY_NAME = 'OAuth Service Account'
MUST_CHANGE_PASSWORD = FALSE
DISABLED = FALSE;
-- Grant role to the service user
GRANT ROLE SYSADMIN TO USER service_account_user;
-- Set the default role
ALTER USER service_account_user SET DEFAULT_ROLE = 'SYSADMIN';
-- Grant warehouse access
GRANT USAGE ON WAREHOUSE <your-warehouse> TO USER service_account_user;
-- Grant database and schema access
GRANT USAGE ON DATABASE <your-database> TO USER service_account_user;
GRANT USAGE ON SCHEMA <your-database>.<your-schema> TO USER
service_account_user;
GRANT SELECT ON ALL TABLES IN SCHEMA <your-database>.<your-schema> TO USER
service_account_user;
Important: The LOGIN_NAME must exactly match the sub claim in the OAuth token. For Okta API Services applications, this is the Client ID.
Connect from Tableau Desktop
-
In Tableau Desktop, select Connect > Snowflake.
-
Enter your connection details:
Field Value Server Your Snowflake account URL (e.g., account.snowflakecomputing.com)Role The role to use (e.g., SYSADMIN)Warehouse Your Snowflake warehouse Authentication OAuth Client Credentials -
Enter the OAuth configuration:
Field Value OAuth Token Request URL https://<your-okta-domain>.okta.com/oauth2/default/ v1/tokenUsername Your OAuth Client ID Password Your OAuth Client Secret OAuth Scope snowflake session:role:SYSADMINNote: The OAuth Scope must include any custom scopes you configured for role assignment.
-
Select Sign In.
Publish to Tableau Cloud or Tableau Server
When publishing a workbook or data source that uses OAuth client credentials:
-
In the Publish dialog, select Edit next to Data Sources.
-
For Authentication, select Embedded password.
-
The client credentials are embedded in the published content.
Important: Unlike standard OAuth, client credentials are treated as embedded passwords. Users accessing the published content use the service account credentials, not their own identity.
Credential Rotation
When your OAuth client secret rotates, update the embedded credentials on Tableau Cloud:
-
Sign in to Tableau Cloud.
-
Navigate to the published data source.
-
Select Connections.
-
Update the connection with the new client secret.
For automated rotation, use the Tableau REST API to update connection credentials programmatically.
Frequently Asked Questions
When should I use OAuth client credentials instead of standard OAuth?
Use client credentials when you need unattended, machine-to-machine authentication. Standard
OAuth requires user interaction for the initial sign-in and periodic reauthentication. Client credentials
use a service account identity and do not require user interaction.
Can I use client credentials with Snowflake's native OAuth?
No. Snowflake's native OAuth only supports the authorization code flow. Client credentials require External OAuth with a supported identity provider (Okta, Azure AD, or Ping Federate).
How do I handle secret rotation for published content?
When your OAuth client secret rotates, you must update the embedded credentials in Tableau Cloud. You can do this manually through the Tableau Cloud UI or programmatically using the Tableau REST API. Consider automating this process as part of your secret rotation workflow.
Why does my connection fail with a role error even though EXTERNAL_OAUTH_ANY_ROLE_MODE is enabled?
Snowflake requires role information in the OAuth token. Add a custom scope (e.g., session:role:SYSADMIN) to your authorization server and include it in the OAuth Scope field when connecting from Tableau.
Troubleshooting
| Error message | Cause | Solution |
|---|---|---|
| "User does not exist or not authorized" | Snowflake user LOGIN_NAME
does not match OAuth client
ID |
Set the user's LOGIN_NAME
to match the sub claim
(client ID for Okta) |
| "The role requested is not listed in the Access Token" | Missing role scope in token | Add session:role:<ROLE>
scope to your authorization
server and include it in
OAuth Scope |
| "Invalid DPoP proof" | DPoP is enabled in Okta | Disable "Require Demonstrating Proof of Possession (DPoP)" in your Okta app |
| "Invalid scope" | Custom scopes not configured | Add required scopes to your
authorization server; do not
include openid |
| Token validation failure | Incorrect JWKS URL or issuer | Verify
EXTERNAL_OAUTH_JWS_KEYS
_URL and
EXTERNAL_OAUTH_ISSUER
match your authorization
server |
See Also
-
Configure OAuth for Snowflake Connections on Tableau Server(Link opens in a new window) - Learn about standard OAuth authentication with Snowflake.
-
External OAuth Security Integrations(Link opens in a new window) - Snowflake documentation for configuring external OAuth providers.
-
Okta Client Credentials Flow(Link opens in a new window) - Okta documentation for implementing client credentials.
-
Update Data Source Connection(Link opens in a new window) - Tableau REST API reference for credential updates.
