Snowsight Cloud
Last modified on November 9, 2024
This guide explains how to connect Snowsight, Snowflake’s administrative user interface, as a cloud resource to StrongDM. Note that the configuration allows single sign-on (SSO).
Limitations
- For the configuration to work, you must be able to connect to your Snowflake interface via SnowSQL. An admin or web interface does not work.
- Due to the limitations of this resource type, StrongDM does not log user interactions after authentication occurs. StrongDM logs activities such as setup or modification of the resource within StrongDM, or authentication of a user to the resource, but StrongDM does not log the queries performed by the user on the resource itself. We recommend the use of the Snowsight Activity area for logging further interactions with the resource once a user is authenticated.
- Similarly, some organization-level behaviors are also different for this resource type:
- Inactivity timeouts are not enforced.
- Current connections to resources are not severed instantly when access is revoked.
- StrongDM must be the only identity provider (IdP) configured for authentication to this resource.
Prerequisites
- Before enabling this resource, ensure the Login Name for each Snowflake user (that is, not Username or Email) is set to match a StrongDM email. An email address serves as the ID StrongDM sends to Snowflake to log in a user. The following process disables identity provider (IdP) logins via any other method. Password logins still work.
- We recommend that you reach out to Snowflake support and request that users are not allowed to change their own passwords. Otherwise, once a user logs in to Snowflake via StrongDM, they may change their password and retain access to Snowflake even after their access is revoked in StrongDM.
Get StrongDM’s IdP Metadata
StrongDM’s IdP metadata is required for creating an integration account with Snowsight.
- Go to
app.strongdm.com/saml/idp_metadata
. This is a public URL that returns a XML blob. Within this output, note the value of the X509Certificate. The value is present twice. Both instances should have the same value. - Copy the certificate value. You will need it to create a StrongDM integration account.
Create a StrongDM Integration Account
This integration account sets StrongDM information, including the IdP certificate.
Note your Snowflake account identifier, which identifies your Snowflake account within your organization, Snowflake-supported cloud platforms, and cloud regions. The account identifier may consist of your Snowflake organization name and account name, in the format
<ORGANIZATION_NAME>-<ACCOUNT_NAME>
(for example,myorg-account123
). Alternatively, the account identifier may consist of your account locator, region ID, and cloud, and be in the format<ACCOUNT_LOCATOR>.<CLOUD_REGION_ID>.<CLOUD>
(for example,xy12345.us-east-2.aws
). The account identifier makes up part of your Snowflake base URL (for example,https://myorg-account123.snowflakecomputing.com
orhttps://xy12345.us-east-2.aws.snowflakecomputing.com
).In SnowSQL, execute the following command, being sure to replace the placeholders with your own values.
create security integration strongdm_idp type = saml2 enabled = true saml2_issuer = 'https://app.strongdm.com/saml/idp_metadata' saml2_sso_url = '<ANY_STRING_IN_URL_FORMAT>' saml2_provider = 'Custom' saml2_x509_cert='<STRONGDM_IDP_X509_CERTIFICATE>' saml2_sp_initiated_login_page_label = '<ANY_STRING>' saml2_enable_sp_initiated = true saml2_force_authn = false saml2_requested_nameid_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' saml2_snowflake_issuer_url = 'https://<ACCOUNT_IDENTIFIER>.snowflakecomputing.com' saml2_snowflake_acs_url = 'https://<ACCOUNT_IDENTIFIER>.snowflakecomputing.com/fed/login';
saml2_sso_url
and saml2_sp_initiated_login_page_label
can be any URL or string, respectively. Note that the URL entered for saml2_sso_url
becomes a hot link that users can click when accessing the resource. If clicked, the user is taken away from the resource they intend to access.https://<ACCOUNT_IDENTIFIER>.snowflakecomputing.com
). If you run into 403 errors when adding Snowsight as a cloud resource, it is likely because the wrong URLs were set. If the URLs are wrong, Snowflake could generate metadata with an incorrect URL.Get the Snowsight Metadata XML Blob
The Snowsight metadata XML blob allows connection to StrongDM.
- Run
desc security integration strongdm_idp;
in SnowSQL. - Copy the
SAML2_SNOWFLAKE_METADATA
value. You will need it to configure the Snowsight cloud resource.
Configure the Snowsight Cloud Resource
When you configure this cloud resource in the Admin UI, you use the Snowsight metadata XML blob to allow connection between Snowsight and StrongDM.
- Log into the Admin UI.
- Go to Resources > Clouds.
- Click the Add cloud button.
- For Cloud Type, select Snowsight (Snowflake Web Console) and set the other resource properties.
After configuration is complete, you can access a Snowsight resource using StrongDM. Note that when you do, you must use the Snowsight web interface, not the Snowflake classic web interface. You cannot switch to the Snowflake classic web interface.
Moreover, the first time that you access this resource, you may be presented with an option to use either Snowsight or the Snowflake classic web interface. You must choose Snowsight or else you won’t be able to switch to Snowsight later without admin help.
Resource properties
Configuration properties are visible when you add a cloud resource or when you click to view its settings. The following table describes the settings available for Snowsight (Snowflake Web Console).
Property | Requirement | Description |
---|---|---|
Display Name | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) |
Datasource Type | Required | Select Snowsight (Snowflake Web Console) |
Secret Store | Optional | Credential store location; defaults to Strong Vault; learn more about Secret Store options |
SAML Metadata | Required | Metadata XML blob from your Snowflake IdP integration |
Healthcheck Username | Required | In order for healthchecks to be successful, must be the email of a StrongDM user who has access to this resource, and must also match your Snowflake Login Name (that is, not Username or Email) |
Subdomain | Required | Value to use for your local DNS address (for example, app-prod1 turns into http://app-prod1.<ORGANIZATION_NAME>.sdm.network/ ; note that this subdomain should be unique and not used by any other resource) |
Resource Tags | Optional | Datasource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev ) |
Secret store options
By default, resource credentials are stored in the Strong Vault. However, these credentials also can be saved in a third-party secrets management tool.
Non-StrongDM options appear in the Secret Store dropdown if they are configured for your organization. For more details, see Configure Secret Store Integrations.