How to authorize Toucan Toco for Snowflake¶
As the first user of Toucan Toco Instant Data Stories from Snowflake in your organization, you need to configure secure authentication, which takes only a few minutes:
- Create a dedicated role
- Create a dedicated security integration
- Retrieve secrets
- Authenticate in Toucan Toco
Instructions to create your Toucan app’s integration to Snowflake¶
To perform the tasks below you must be logged in with an administrator role. Note that creating a security integration requires the ACCOUNTADMIN role (or a role that holds the global CREATE INTEGRATION privilege), and the grant on the shared SNOWFLAKE database is normally also run as ACCOUNTADMIN.
From Snowflake’s UI, open a new worksheet.
Creation of a dedicated Role & User¶
To enhance security and limit the scope of accessible data, we recommend creating a dedicated role such as “TOUCANTOCO_IDS” and a dedicated user such as “TOUCANTOCO”, then granting that role only what Toucan Toco needs, using the queries listed below.
To let Toucan Toco see the full list of warehouses and databases, run the following query once for every warehouse it should be able to monitor (replace <WAREHOUSE_NAME>; the role name must match the role you created):
```sql
GRANT MONITOR ON WAREHOUSE <WAREHOUSE_NAME> TO ROLE TOUCANTOCO_IDS;
```
Similarly, grant the role access to the shared SNOWFLAKE database, which holds the account usage and monitoring views:
```sql
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE TOUCANTOCO_IDS;
```
MONITOR only allows the role to view warehouse activity; it does not let it run queries on, resize, or suspend the warehouse, which is the intended scope.
Creation of a dedicated security integration¶
As described in Snowflake’s documentation (https://docs.snowflake.com/en/user-guide/oauth-custom.html), you have to create a custom OAuth security integration.
The picture below lists the query to run:
We made it easy for you by automatically generating the redirect URI from the name of the small app created for you. You can either copy the redirect URI from the commands shown in your app, in the instructions for going to real data, or build it yourself by replacing snowflake-for-warehouse-monitoring-IDXXX with the name of the app created for you after signup. The app name can be read from the app’s URL, as in the example below:
https://snowflake.toucantoco.com/snowflake-for-warehouse-monitoring-IDXXX?view=story1
Here the app ID is snowflake-for-warehouse-monitoring-IDXXX.
The redirect URI stored in the security integration must match the one used by your app exactly (scheme, host and path); if it differs, Snowflake refuses the authorization request.
Secrets retrieval¶
Once the security integration is created, run the query below.
The result is a JSON document containing OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET and OAUTH_CLIENT_SECRET_2; save them somewhere safe, as you would any other credential. In the next step you can use either OAUTH_CLIENT_SECRET or OAUTH_CLIENT_SECRET_2: Snowflake issues two secrets so that one can be rotated while the other remains in use.
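The whole procedure above (dedicated role and user, grants, security integration, secret retrieval) as one worksheet, written as an added example based on Snowflake’s documented syntax rather than copied from Toucan Toco’s own instructions. The role, user and integration names (TOUCANTOCO_IDS, TOUCANTOCO, TOUCANTOCO_OAUTH), the warehouse name COMPUTE_WH and the placeholder redirect URI are assumptions; substitute your own values, and take the redirect URI from your Toucan app as described in the previous section.

```sql
-- Added example, not the page's own query. TOUCANTOCO_IDS, TOUCANTOCO,
-- TOUCANTOCO_OAUTH, COMPUTE_WH and the redirect URI placeholder are assumptions.
USE ROLE ACCOUNTADMIN;   -- needed for CREATE SECURITY INTEGRATION and the SNOWFLAKE db grant

-- 1. Dedicated role and user, so Toucan's access can be scoped and revoked on its own.
CREATE ROLE IF NOT EXISTS TOUCANTOCO_IDS;
CREATE USER IF NOT EXISTS TOUCANTOCO
  PASSWORD = '<set-a-strong-password>'
  DEFAULT_ROLE = TOUCANTOCO_IDS
  DEFAULT_WAREHOUSE = COMPUTE_WH;
GRANT ROLE TOUCANTOCO_IDS TO USER TOUCANTOCO;

-- 2. Read-only monitoring access. MONITOR lets the role see warehouse activity
--    without being able to run on, resize or suspend the warehouse; repeat the
--    first statement for every warehouse you want visible in Toucan.
GRANT MONITOR ON WAREHOUSE COMPUTE_WH TO ROLE TOUCANTOCO_IDS;
-- The role still needs one warehouse it may use to execute its own queries.
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE TOUCANTOCO_IDS;
-- Access to the shared SNOWFLAKE database (ACCOUNT_USAGE views) is granted via
-- IMPORTED PRIVILEGES, not via individual SELECT grants.
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE TOUCANTOCO_IDS;

-- 3. Custom OAuth integration. A CONFIDENTIAL client receives a client secret.
--    The redirect URI must match the one shown in your Toucan app character for
--    character, otherwise Snowflake rejects the authorization request.
--    ACCOUNTADMIN, ORGADMIN and SECURITYADMIN are blocked from OAuth sessions by
--    default; SYSADMIN is added here so a leaked token cannot escalate to it.
CREATE SECURITY INTEGRATION TOUCANTOCO_OAUTH
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = '<REDIRECT_URI shown in your Toucan app>'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  BLOCKED_ROLES_LIST = ('SYSADMIN');

-- 4. Check the integration, then read the client ID and the two client secrets.
--    The output is a JSON document with OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET and
--    OAUTH_CLIENT_SECRET_2; either secret works, and two exist to allow rotation.
DESCRIBE SECURITY INTEGRATION TOUCANTOCO_OAUTH;
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('TOUCANTOCO_OAUTH');
```

When you later rotate a secret, switch Toucan Toco to the other secret first, then regenerate the old one with ALTER SECURITY INTEGRATION ... so there is no window in which the app holds an invalid credential; the value returned by SYSTEM$SHOW_OAUTH_CLIENT_SECRETS should be treated like a password and never pasted into tickets or chat.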