Change Snowflake OAuth to Private Link with Saved Credentials

By default, the Tableau Snowflake connector uses a managed keychain for OAuth tokens that are generated for Tableau Server by the provider and shared by all users in the same site. Starting with Tableau 2020.4, you can configure Tableau Server to use a new OAuth service. In this scenario, you do not have to safelist the IP addresses to run the OAuth flow in AWS PrivateLink or Azure Private Link VPCs.

You can convert the Tableau Server to support “private link” environments by configuring the Snowflake connector to use Saved Credentials with a new OAuth Service.

Step 1: Obtain a client ID with Snowflake

To register a custom OAuth client with Snowflake, follow the procedure at Configure Snowflake OAuth for Custom Clients.

After you register, you will use the following Snowflake parameters to configure Tableau Server:

  • Account instance URL
  • Client ID
  • Client secret
  • Redirect URL

Step 2: Configure Tableau Server

  1. On the Tableau Server computer, run the following command to enable the Snowflake OAuth service:

    tsm configuration set -k native_api.enable_snowflake_privatelink_on_server -v true

  2. Copy, paste, and customize the following command in a text editor:

    tsm configuration set -k oauth.snowflake.clients -v "
    [{\"oauth.snowflake.instance_url\":\"https://account.snowflakecomputing.com\", 
    \"oauth.snowflake.client_id\":\"client_id_string\",
    \"oauth.snowflake.client_secret\":\"client_secret_string\",
    \"oauth.snowflake.redirect_uri\":\"http://your_server_url.com/auth/add_oauth_token\" }]"

    The oauth.snowflake.clients key takes an array of key pairs. Each element in the key pair must be encapsulated by double quotes. Double quotes must be escaped as \".

    Replace the values for each key as listed below:

    • Account instance URL: oauth.snowflake.instance_url
    • Client ID: oauth.snowflake.client_id
    • Client secret: oauth.snowflake.client_secret
    • Redirect URL: oauth.snowflake.redirect_uri

    Note: Before running the command, verify the syntax carefully. TSM will not validate this input.

    Copy the command into TSM CLI and run the command.

  3. Enter the following command to apply changes:

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
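
Because TSM does not validate the oauth.snowflake.clients value (see the note in step 2), the following added example, which is not part of the Tableau documentation, checks the JSON and generates the escaped command from plain values. It assumes that every element needs all four keys listed above and that the command is pasted into a shell that takes a double-quoted argument with \" escapes; the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# The four keys the page lists for each oauth.snowflake.clients element.
KEYS = ("oauth.snowflake.instance_url", "oauth.snowflake.client_id",
        "oauth.snowflake.client_secret", "oauth.snowflake.redirect_uri")
URL_KEYS = (KEYS[0], KEYS[3])
SHELL_SPECIAL = set('"\\$`')  # still interpreted inside a double-quoted argument


def check_clients_value(value):
    """Return the problems found in the JSON text that TSM would receive."""
    try:
        clients = json.loads(value)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(clients, list) or not clients:
        return ["value must be a non-empty JSON array of objects"]
    problems = []
    for i, client in enumerate(clients):
        if not isinstance(client, dict):
            problems.append(f"element {i}: not a JSON object")
            continue
        for key in KEYS:
            val = client.get(key)
            if not isinstance(val, str) or not val.strip():
                problems.append(f"element {i}: {key} missing or empty")
            elif SHELL_SPECIAL & set(val):
                problems.append(f"element {i}: {key} has a character the shell would alter")
            elif key in URL_KEYS:
                parts = urlsplit(val)
                if parts.scheme not in ("http", "https") or not parts.netloc:
                    problems.append(f"element {i}: {key} is not an absolute URL")
    return problems


def build_command(clients):
    """Serialize, check, then escape each double quote with a backslash."""
    value = json.dumps(clients)
    problems = check_clients_value(value)
    if problems:
        raise ValueError("; ".join(problems))
    return ('tsm configuration set -k oauth.snowflake.clients -v "'
            + value.replace('"', '\\"') + '"')

# Constructed sample: the placeholder values from the command in step 2.
SAMPLE = [{KEYS[0]: "https://account.snowflakecomputing.com",
           KEYS[1]: "client_id_string", KEYS[2]: "client_secret_string",
           KEYS[3]: "http://your_server_url.com/auth/add_oauth_token"}]
```

Call build_command(SAMPLE) with your own values to get the command to paste into the TSM CLI; a ValueError lists everything that would otherwise be stored unchecked.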
