# Snowflake authentication

## Prerequisites

Depending on the authentication type you select, you need one of
the following credentials:

* OAuth 2.0 Authorization code ([Snowflake OAuth authorization flow](https://docs.snowflake.com/en/user-guide/oauth-snowflake-overview#snowflake-oauth-authorization-flow)):
  + Client ID
  + Client secret
  + Database host
  + Warehouse
  + Database schema name
  + Database name
  + Role
* Custom authentication (deprecated JDBC authentication):
   + Database host
   + Username
   + Password
   + Warehouse
   + Database schema name
   + Database name
* RSA ([Key Pair Authentication & Key Pair Rotation](https://docs.snowflake.com/en/user-guide/key-pair-auth)):
  + Database host
  + Username
  + RSA private key
  + Warehouse
  + Database schema name
  + Database name
* Personal Access Token ([Using programmatic access tokens for authentication](https://docs.snowflake.com/user-guide/programmatic-access-tokens)):
   + Username
   + Personal Access Token
   + Warehouse
   + Database schema name
   + Database name
   + Role

   :::note
   Please review how administrators can configure policies to define the maximum lifetime for programmatic access tokens in Snowflake. See [Using programmatic access tokens for authentication](https://docs.snowflake.com/en/user-guide/programmatic-access-tokens#setting-the-maximum-expiration-time) for more details.
   :::

### Known limitations

* To authenticate using RSA, you must use an unencrypted RSA private key.
* Connections via AWS PrivateLink are not supported.
* Irrespective of the selected authentication method, if your Snowflake instance restricts access by IP, you must configure
an allow list for the IPs used by Integration Service. For details, refer to [Configuring the firewall](https://docs.uipath.com/automation-cloud/automation-cloud/latest/admin-guide/configuring-firewall#integration-service) in the Automation Cloud Admin guide.

## Retrieving your credentials from Snowflake

To retrieve the credentials from Snowflake, take the following steps:

1. The database host is available in the URL used to connect to your Snowflake app:
   Note: The **Database host** format may differ depending on your account identifier type. To learn more, refer to the section on Database Host available
   on this page, as well as the official [Snowflake documentation](https://docs.snowflake.com/en/user-guide/admin-account-identifier.html).

   ![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/integration-service-docs-image-48971-a8a7cc91.webp)

   For example, for the following URL `https://app.snowflake.com/east-us-2.azure/za96341/dashboards`, the `accountID` is `za96341` and the `region` is `east-us-2.azure`.

   To construct a Database host you must use the format `accountID.region.snowflakecomputing.com`. So, for the previous URL, the constructed Database host would be `za96341.east-us-2.azure.snowflakecomputing.com`.
2. Once you are logged in, on the left-side menu, select **Data**, then **Databases**.
   * **Database name**: A list of databases is displayed:

     ![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/integration-service-docs-image-49027-5420a380.webp)
   * **Database schema name** - Select a database to view the list of database schema names:

     ![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/integration-service-docs-image-48883-c76cd003.webp)
3. To retrieve the **Warehouse**, on the left-side menu, go to **Admin \> Warehouses**:

   ![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/integration-service-docs-image-48923-432f5d3f.webp)

## Using the OAuth 2.0 Authorization code authentication method

:::note
Only users with an ACCOUNTADMIN role can create OAuth2 credentials. By default, users with ACCOUNTADMIN, ORGADMIN, and SECURITYADMIN
roles are blocked from using OAuth 2.0 authentication to create a connection. For details, refer to [Snowflake OAuth authorization flow](https://docs.snowflake.com/en/user-guide/oauth-snowflake-overview#snowflake-oauth-authorization-flow).
:::

To create an OAuth 2.0 client for Snowflake, take the following steps:

1. Run the following query to create the OAuth integration.

   This query does not show the Client ID. You must run a second query to view the client details. Make sure to include the correct
   redirect URL in the query: `https://{baseURL}/provisioning_/callback` (for example, for Automation Cloud `https://cloud.uipath.com/provisioning_/callback`).

   ```
   -- Creates the OAuth client that Integration Service uses to connect.
   CREATE SECURITY INTEGRATION my_oauth_integration_uipath
      TYPE = OAUTH
      OAUTH_CLIENT = CUSTOM
      -- Must match the callback URL of your UiPath environment exactly.
      OAUTH_REDIRECT_URI = 'https://cloud.uipath.com/provisioning_/callback'
      OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
      OAUTH_ISSUE_REFRESH_TOKENS = true
      -- Refresh token lifetime in seconds (86400 = 24 hours).
      OAUTH_REFRESH_TOKEN_VALIDITY = 86400
      ENABLED = true;
   ```
2. Run the following query to view the client details. Copy the `OAUTH_CLIENT_ID`.

   ```
   DESCRIBE SECURITY INTEGRATION my_oauth_integration_uipath;
   ```
3. Run the following query to view the client secret. Copy the `OAUTH_CLIENT_SECRET`.

   This query outputs two items: `OAUTH_CLIENT_SECRET` and `OAUTH_CLIENT_SECRET_2`. You must use `OAUTH_CLIENT_SECRET`.

   ```
   select system$show_oauth_client_secrets('MY_OAUTH_INTEGRATION_UIPATH');
   ```

For details, refer to [Configure Snowflake OAuth for custom clients](https://docs.snowflake.com/en/user-guide/oauth-custom).

## Adding the Snowflake connection

1. Select Orchestrator from the product launcher.
2. Select a folder, and then navigate to the **Connections** tab.
3. Select **Add connection**.
4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
5. Enter your required Snowflake credentials and select **Connect**.

   For any secret-type field, you can select the menu next to the field and choose **Use credential asset** to reference an Orchestrator credential asset linked to an external vault instead of entering the value directly. For more information, see [Use credential assets for connections](credential-store-connections.md).

## Permissions

Connecting allows UiPath to read, write, modify, and delete Snowflake data on your behalf.

## Required roles for connecting to Snowflake

While creating a connection for Snowflake from Integration Service, the connector always selects the default role of the user,
as shown in the following image.  
![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/integration-service-docs-image-290548-ec20d9e4.webp)

For security reasons, not every user is granted an administrator role, so Snowflake administrators can set up custom roles for users.

The following example shows exactly what is needed in Snowflake for the Integration Service connection process to work smoothly.
In this example, you create a connection using the DEAL\_AMOUNT database schema and JULY\_DEMO database.

![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/integration-service-docs-image-290555-75bfca44.webp)

The first step is to make sure that the default role, in this case **SAMRAT**, has **USAGE** privilege on both the Database (**JULY\_DEMO**) and Database schema (**DEAL\_AMOUNT**) in Snowflake.  
![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/integration-service-docs-image-290559-96da7614.webp)  
  
![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/integration-service-docs-image-290563-d8725559.webp)

A successful authentication to Snowflake is dependent on these settings. A role can always have additional privileges assigned
to it by an Administrator.

For details, refer to [Access control privileges](https://docs.snowflake.com/en/user-guide/security-access-control-privileges) in the Snowflake documentation.
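
The role setup described in this section, written as Snowflake SQL. This is an added example, not part of the original page: `JULY_DEMO`, `DEAL_AMOUNT`, and `SAMRAT` come from the example above, while `EXAMPLE_USER`, `EXAMPLE_WH`, and the read-only table grant are assumed placeholders.

```sql
-- Run as a role that is allowed to manage grants (for example SECURITYADMIN).
-- EXAMPLE_USER and EXAMPLE_WH are placeholders (assumptions), not values from this page.

-- 1. USAGE on the database and on the schema: the two privileges this section
--    requires on the user's default role.
GRANT USAGE ON DATABASE JULY_DEMO TO ROLE SAMRAT;
GRANT USAGE ON SCHEMA JULY_DEMO.DEAL_AMOUNT TO ROLE SAMRAT;

-- 2. Assumption: the role also uses the warehouse entered in the connection.
--    In Snowflake, a role needs USAGE on a warehouse to run queries on it.
GRANT USAGE ON WAREHOUSE EXAMPLE_WH TO ROLE SAMRAT;

-- 3. The connector always selects the user's default role, so grant the role
--    to the connecting user and make it the default.
GRANT ROLE SAMRAT TO USER EXAMPLE_USER;
ALTER USER EXAMPLE_USER SET DEFAULT_ROLE = SAMRAT;

-- 4. Optional and assumed: USAGE alone gives no access to table data.
--    Additional privileges are granted explicitly, so the role can be limited
--    to what the automation needs (read-only in this illustration).
GRANT SELECT ON ALL TABLES IN SCHEMA JULY_DEMO.DEAL_AMOUNT TO ROLE SAMRAT;

-- 5. Check: list the USAGE grants held by the role.
SHOW GRANTS TO ROLE SAMRAT;
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" = 'USAGE'
  AND "granted_on" IN ('DATABASE', 'SCHEMA', 'WAREHOUSE');

-- 6. Check: confirm the DEFAULT_ROLE property of the connecting user.
DESCRIBE USER EXAMPLE_USER;
```

Because the connection acts with whatever the default role holds, keeping that role limited to these grants bounds what the connection can read or change.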
