
Set up external OAuth (Enterprise)

Note: This feature is currently only available for the Okta and Entra ID identity providers and Snowflake connections.

dbt Cloud Enterprise supports external OAuth authentication with external providers. When External OAuth is enabled, users can authorize their Development credentials using single sign-on (SSO) via the identity provider (IdP). This grants users authorization to access multiple applications, including dbt Cloud, without their credentials being shared with the service. Not only does this make the process of authenticating for development environments easier on the user, it provides an additional layer of security to your dbt Cloud account.

Getting started

The process of setting up external OAuth will require a little bit of back-and-forth between your dbt Cloud, IdP, and Snowflake accounts, and having them open in multiple browser tabs will help speed up the configuration process:

  • dbt Cloud: You’ll primarily be working in the Account Settings —> Integrations page. You will need proper permission to set up the integration and create the connections.
  • Snowflake: Open a worksheet in an account that has permissions to create a security integration.
  • Okta: You’ll be working in multiple areas of the Okta account, but you can start in the Applications section. You will need permissions to create an application and an authorization server.
  • Entra ID: An admin who can create Entra ID apps and who is also a user in Snowflake is required.

If the admins that handle these products are all different people, it’s better to have them coordinating simultaneously to reduce friction.

Snowflake commands

The following is a template for creating the OAuth configurations in the Snowflake environment:

create security integration your_integration_name
  type = external_oauth
  enabled = true
  external_oauth_type = okta                       -- use azure for Entra ID
  external_oauth_issuer = ''                       -- issuer URL of the IdP authorization server
  external_oauth_jws_keys_url = ''                 -- JWKS endpoint Snowflake uses to verify token signatures
  external_oauth_audience_list = ('')              -- audience value(s) the IdP places in the token
  external_oauth_token_user_mapping_claim = 'sub'  -- token claim that identifies the user
  external_oauth_snowflake_user_mapping_attribute = 'email_address'  -- Snowflake user attribute it is matched against
  external_oauth_any_role_mode = 'ENABLE';

The external_oauth_token_user_mapping_claim and external_oauth_snowflake_user_mapping_attribute values can be modified to suit your organization's needs. The first names the claim in the user's access token; the second names the Snowflake user attribute that claim is matched against. In the example, Snowflake looks up the Snowflake user whose email address matches the value of the sub claim.

Note: The Snowflake default roles ACCOUNTADMIN, ORGADMIN and SECURITYADMIN are blocked from external OAuth by default, so connections that request them will likely fail to authenticate. See the Snowflake documentation for more information.

Identity provider configuration

Select a supported identity provider (IdP) for instructions on configuring external OAuth in their environment and completing the integration in dbt Cloud.

  • Okta
  • Entra ID

Troubleshooting

Errors when connecting to Snowflake via external OAuth:

Failed to connect to DB: xxxxxxx.snowflakecomputing.com:443. The role requested in the connection or the default role if none was requested in the connection ('xxxxx') is not listed in the Access Token or was filtered. Please specify another role, or contact your OAuth Authorization server administrator.

Snowflake has some guidance on this error here: https://community.snowflake.com/s/article/external-custom-oauth-error-the-role-requested-in-the-connection-is-not-listed-in-the-access-token

To resolve this issue, you should alter your OAuth Security Integration and explicitly specify the Scope mapping attribute:

ALTER INTEGRATION <my_int_name> SET EXTERNAL_OAUTH_SCOPE_MAPPING_ATTRIBUTE = 'scp';
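To see why Snowflake accepts or rejects a token under the integration settings above, the following added script (not part of the dbt Cloud docs or any dbt or Snowflake tooling) inspects an access token's claims against the template's issuer, audience, user-mapping claim and scope attribute, and flags the role problem described in the troubleshooting section. The issuer and audience URLs and the sample token are constructed placeholders; the session:role:<ROLE> and session:role-any scope formats are what Snowflake's external OAuth documentation expects.

```python
import base64
import json

# Mirrors the CREATE SECURITY INTEGRATION template on this page; issuer and
# audience are constructed placeholders, not real endpoints.
INTEGRATION = {
    "external_oauth_issuer": "https://example.okta.com/oauth2/default",
    "external_oauth_audience_list": ["https://example.snowflakecomputing.com"],
    "external_oauth_token_user_mapping_claim": "sub",
    "external_oauth_scope_mapping_attribute": "scp",
    "external_oauth_any_role_mode": "ENABLE",
}
BLOCKED_ROLES = {"ACCOUNTADMIN", "ORGADMIN", "SECURITYADMIN"}  # blocked by default

def _b64url_encode(d: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()

def _b64url_decode(s: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

def token_claims(jwt: str) -> dict:
    """Payload claims only; signature checking is Snowflake's job against
    external_oauth_jws_keys_url. This is a claim-shape diagnostic."""
    _header, payload, _signature = jwt.split(".")
    return _b64url_decode(payload)

def make_sample_token(claims: dict) -> str:
    """Constructed, unverifiable token for exercising check_token locally."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig-placeholder"

def check_token(claims: dict, requested_role: str, integ: dict = INTEGRATION) -> list:
    """Reasons Snowflake would reject this token for requested_role; [] means OK."""
    problems = []
    if claims.get("iss") != integ["external_oauth_issuer"]:
        problems.append("iss does not match external_oauth_issuer")
    aud = claims.get("aud", [])
    if not set([aud] if isinstance(aud, str) else aud) & set(integ["external_oauth_audience_list"]):
        problems.append("aud not in external_oauth_audience_list")
    if not claims.get(integ["external_oauth_token_user_mapping_claim"]):
        problems.append("user mapping claim missing")
    scopes = claims.get(integ["external_oauth_scope_mapping_attribute"], [])
    scopes = scopes.split() if isinstance(scopes, str) else scopes
    role = requested_role.upper()
    if role in BLOCKED_ROLES:
        problems.append(f"{role} is blocked from external OAuth")
    # Snowflake wants a session:role:<ROLE> scope (or session:role-any when any_role_mode
    # is ENABLE); otherwise the "not listed in the Access Token" error above results.
    any_role = integ["external_oauth_any_role_mode"] == "ENABLE" and "session:role-any" in scopes
    if not any_role and f"session:role:{role}" not in scopes:
        problems.append("requested role is not listed in the access token")
    return problems
```

If the only problem reported is the missing role scope while the IdP does issue it under a different claim name, that is the case the ALTER INTEGRATION statement above addresses.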