How to authorize Toucan Toco for Snowflake

As the first user of Toucan Toco Instant Data Stories from Snowflake in your organization, you need to configure secure authentication. This takes only a few minutes:

  1. Create a dedicated role
  2. Create a dedicated security integration
  3. Retrieve secrets
  4. Authenticate in Toucan Toco

Instructions to create your Toucan app’s integration to Snowflake

To perform the tasks below, you must be logged in as a sysadmin.

From Snowflake’s UI, open a new worksheet.

Creation of a dedicated Role & User

To enhance security and limit the scope of accessible data, we recommend creating a dedicated role such as “TOUCANTOCO_IDS” as well as a dedicated user such as “TOUCANTOCO” with the queries listed below:

Snowflake role

To allow access to the full list of warehouses & databases, run the following query for every warehouse:

GRANT MONITOR on WAREHOUSE <WAREHOUSE_NAME> to role toucan_ids;

Similarly, run the following query, which gives access to the monitoring database:

GRANT imported privileges on database snowflake to role toucan_ids;

Creation of a dedicated security integration

As described in Snowflake’s documentation: https://docs.snowflake.com/en/user-guide/oauth-custom.html, you will have to create a custom OAuth integration.

The picture below lists the query to run:

Snowflake integration

We made it easy for you by automatically generating the redirect_uri based on the name of the smallapp created for you. You can either retrieve the redirect_uri from the commands shown in your app, in the instructions for going to real data, or replace snowflake-for-warehouse-monitoring-IDXXX with the name of the app created for you after signup. The app name can be retrieved from the URL, as in the example below:

https://snowflake.toucantoco.com/snowflake-for-warehouse-monitoring-IDXXX?view=story1

The app ID is snowflake-for-warehouse-monitoring-IDXXX.

Secrets retrieval

Once the security integration is created, run the query below:

Snowflake integration

The results will show a document with OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET and OAUTH_CLIENT_SECRET_2. Save them. In the next step, you can use either OAUTH_CLIENT_SECRET or OAUTH_CLIENT_SECRET_2.
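The three steps above written out as one Snowflake worksheet, as an added example that is not Toucan Toco's own script. The integration name TOUCANTOCO_OAUTH, the refresh-token lifetime, the blocked-roles list and every <...> placeholder are assumptions; the role name follows the GRANT statements above.

```sql
-- Added example, not Toucan Toco's own script.
-- Assumptions: integration name TOUCANTOCO_OAUTH, the <...> placeholders,
-- the refresh-token lifetime and the blocked-roles list.
-- The executing role needs the CREATE ROLE and CREATE USER privileges for
-- step 1 and the CREATE INTEGRATION privilege for step 2 (in a default
-- account the latter is held by ACCOUNTADMIN only).

-- 1. Dedicated role and user, limited to monitoring data
CREATE ROLE IF NOT EXISTS toucan_ids;
CREATE USER IF NOT EXISTS TOUCANTOCO
  PASSWORD = '<strong_password>'      -- placeholder, set your own
  DEFAULT_ROLE = toucan_ids;
GRANT ROLE toucan_ids TO USER TOUCANTOCO;

-- Repeat for every warehouse that should be visible in the app
GRANT MONITOR ON WAREHOUSE <WAREHOUSE_NAME> TO ROLE toucan_ids;
-- Read access to the shared SNOWFLAKE (monitoring) database
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE toucan_ids;

-- 2. Custom OAuth security integration
CREATE SECURITY INTEGRATION TOUCANTOCO_OAUTH
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = '<redirect_uri>'   -- value from the app instructions
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400    -- seconds (1 day)
  -- Roles that may never be used in a session opened through this client
  BLOCKED_ROLES_LIST = ('SYSADMIN');

-- 3. Secrets retrieval: returns OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET and
--    OAUTH_CLIENT_SECRET_2; treat the whole result as a credential
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('TOUCANTOCO_OAUTH');

-- Checks: the role should hold only the grants above, and the integration
-- should show the expected redirect URI and blocked roles
SHOW GRANTS TO ROLE toucan_ids;
DESCRIBE SECURITY INTEGRATION TOUCANTOCO_OAUTH;
```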

Authentication in Toucan Toco