Change Snowflake OAuth to Saved Credentials

The Tableau Snowflake connector uses a managed keychain for OAuth tokens that are generated for Tableau Server by the provider and shared by all users in the same site. Starting with Tableau 2020.4, you can configure Tableau Server to use a new OAuth service. In this scenario, you don't have to safe list the IP addresses to run the OAuth flow in AWS PrivateLink or Azure Private Link VPCs.

You can convert Tableau Server to support “private link” environments by configuring the Snowflake connector to use Saved Credentials with a new OAuth Service.

Step 1: Obtain a client ID with Snowflake

To register a custom OAuth client with Snowflake, follow the procedure at Configure Snowflake OAuth for Custom Clients(Link opens in a new window).

After you register, you’ll use the following Snowflake parameters to configure Tableau Server:

  • Account instance URL
  • Client ID
  • Client secret
  • Redirect URL

Step 2: Configure Tableau Server for Snowflake OAuth

  1. On the Tableau Server computer, run the following command to enable the Snowflake OAuth service:

    tsm configuration set -k native_api.enable_snowflake_privatelink_on_server -v true

  2. Copy, paste, and customize the following command in a text editor:

    Note: If you're making these configuration changes in Tableau Server 2021.1 and later, refer to Step 2: Configure Tableau Server because the format of oauth.snowflake.client value has changed.

    tsm configuration set -k oauth.snowflake.clients -v " [{\"oauth.snowflake.instance_url\":\"https://account.snowflakecomputing.com\", \"oauth.snowflake.client_id\":\"client_id_string\", \"oauth.snowflake.client_secret\":\"client_secret_string\", \"oauth.snowflake.redirect_uri\":\"http://your_server_url.com/auth/add_oauth_token\" }]"

    The oauth.snowflake.clients key takes an array of key pairs. Each element in the key pair must be encapsulated by double quotes. Double quotes must be escaped as \".

    To specify multiple account instance URLs, separate each additional OAuth client wrapped in braces ({}) with a comma (,), as in this example:

    tsm configuration set -k oauth.snowflake.clients -v " [{\"oauth.snowflake.instance_url1\":\"https://account.snowflakecomputing.com\", \"oauth.snowflake.client_id\":\"client_id_string\", \"oauth.snowflake.client_secret\":\"client_secret_string\", \"oauth.snowflake.redirect_uri\":\"http://your_server_url.com/auth/add_oauth_token\" }]"

    Replace the values for each key:

    • Account instance URL:oauth.snowflake.instance_url
    • Client ID: oauth.snowflake.client_id
    • Client secret: oauth.snowflake.client_secret
    • Redirect URL: oauth.snowflake.redirect_uri

    Note: Before running the command, verify the syntax carefully. TSM won’t validate this input.

    Copy the command into TSM CLI and run the command.

  3. Enter the following command to apply changes:

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Configure custom OAuth for a site

You can configure a custom Snowflake OAuth client for a site.

Consider configuring a custom OAuth client to 1) override an OAuth client if configured for the server or 2) enable support for securely connecting to data that requires unique OAuth clients.

When a custom OAuth client is configured, the site-level configuration takes precedence over any server-side configuration and all new OAuth credentials created use the site-level OAuth client by default. No Tableau Server restart is required for the configurations to take effect.

Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both server administrators and users must update their saved credentials to help ensure uninterrupted data access.

Step 1: Prepare the OAuth client ID, client secret, and redirect URL

Before you can configure the custom OAuth client, you need the information listed below. After you have this information prepared, you can register the custom OAuth client for the site.

  • OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and secret generated for Tableau Server.

  • Redirect URL: Note the correct redirect URL. You will need this during the registration process in Step 2 below.

    https://<your_server_name>.com/auth/add_oauth_token

    For example, https://example.com/auth/add_oauth_token

Step 2: Register the OAuth client ID and client secret

Follow the procedure described below to register the custom OAuth client to the site.

  1. Sign in to your Tableau Server site using your admin credentials and navigate to the Settings page.

  2. Under OAuth Clients Registry, click the Add OAuth Client button.

  3. Enter the required information, including the information from Step 1 above:

    1. For Connection Type, select the connector whose custom OAuth client you want to configure.

    2. For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.

    3. Click the Add OAuth Client button to complete the registration process.

  4. (Optional) Repeat step 3 for all supported connectors.

  5. Click the Save button at the bottom or top of the Settings page to save changes.

Step 3: Validate and update saved credentials

To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client for the site.

  1. Navigate to your My Account Settings page.

  2. Under Saved Credentials for Data Sources, do the following:

    1. Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.

    2. Next to connector name, click Add and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.

Step 4: Notify users to update their saved credentials

Make sure you notify your site users to update their saved credentials for the connector whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.

Forward proxy for OAuth authentication

For more information about setting up a forward proxy with OAuth authentication for Tableau Server (Windows only), see Configure a Forward Proxy for OAuth Authentication(Link opens in a new window) in the Tableau Help.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!