CREATE SECURITY INTEGRATION(外部 API 身份验证)

为账户中的外部 API 身份验证创建新的安全集成或替换现有集成。

For information about creating other types of security integrations (e.g. External OAuth), see CREATE SECURITY INTEGRATION.

See also:

ALTER SECURITY INTEGRATION (External API Authentication) , DESCRIBE INTEGRATION , DROP INTEGRATION , SHOW INTEGRATIONS

语法

OAuth:客户端凭据

CREATE SECURITY INTEGRATION <name>
  TYPE = API_AUTHENTICATION
  AUTH_TYPE = OAUTH2
  ENABLED = { TRUE | FALSE }
  [ OAUTH_TOKEN_ENDPOINT = '<string_literal>' ]
  [ OAUTH_CLIENT_AUTH_METHOD = { CLIENT_SECRET_BASIC | CLIENT_SECRET_POST } ]
  [ OAUTH_CLIENT_ID = '<string_literal>' ]
  [ OAUTH_CLIENT_SECRET = '<string_literal>' ]
  [ OAUTH_GRANT = 'CLIENT_CREDENTIALS']
  [ OAUTH_ACCESS_TOKEN_VALIDITY = <integer> ]
  [ OAUTH_ALLOWED_SCOPES = ( '<scope_1>' [ , '<scope_2>' ... ] ) ]
  [ COMMENT = '<string_literal>' ]

OAuth:授权代码授予流程

CREATE SECURITY INTEGRATION <name>
  TYPE = API_AUTHENTICATION
  AUTH_TYPE = OAUTH2
  ENABLED = { TRUE | FALSE }
  [ OAUTH_AUTHORIZATION_ENDPOINT = '<string_literal>' ]
  [ OAUTH_TOKEN_ENDPOINT = '<string_literal>' ]
  [ OAUTH_CLIENT_AUTH_METHOD = { CLIENT_SECRET_BASIC | CLIENT_SECRET_POST } ]
  [ OAUTH_CLIENT_ID = '<string_literal>' ]
  [ OAUTH_CLIENT_SECRET = '<string_literal>' ]
  [ OAUTH_GRANT = 'AUTHORIZATION_CODE']
  [ OAUTH_ACCESS_TOKEN_VALIDITY = <integer> ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
  [ COMMENT = '<string_literal>' ]

OAuth:JWT Bearer Flow

CREATE SECURITY INTEGRATION <name>
  TYPE = API_AUTHENTICATION
  AUTH_TYPE = OAUTH2
  ENABLED = { TRUE | FALSE }
  [ OAUTH_AUTHORIZATION_ENDPOINT = '<string_literal>' ]
  [ OAUTH_TOKEN_ENDPOINT = '<string_literal>' ]
  [ OAUTH_CLIENT_AUTH_METHOD = { CLIENT_SECRET_BASIC | CLIENT_SECRET_POST } ]
  [ OAUTH_CLIENT_ID = '<string_literal>' ]
  [ OAUTH_CLIENT_SECRET = '<string_literal>' ]
  [ OAUTH_GRANT = 'JWT_BEARER']
  [ OAUTH_ACCESS_TOKEN_VALIDITY = <integer> ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
  [ COMMENT = '<string_literal>' ]

必填参数

name

指定集成的标识符(即名称)。此值在您的账户中必须唯一。

此外,标识符必须以字母字符开头,且不能包含空格或特殊字符,除非整个标识符字符串放在双引号内(例如,”My object”)。放在双引号内的标识符也区分大小写。

For more details, see Identifier requirements.

TYPE = API_AUTHENTICATION

指定您正在 Snowflake 和使用 OAuth 2.0 及外部 API 身份验证的外部服务之间创建安全接口。

AUTH_TYPE = OAUTH2

指定集成使用 OAuth 2.0 对外部服务进行身份验证。

ENABLED = { TRUE | FALSE }

指定是启用还是禁用此安全集成。

TRUE

允许集成基于集成定义中指定的参数运行。

FALSE

Suspends the integration for maintenance. Any integration between Snowflake and a third-party service fails to work.

The value is case-insensitive.

The default is TRUE.

可选参数

Note that this is an exhaustive list of parameters that you can configure. Configure the parameters in the integration to match the parameters that you configure when creating a secret based on the OAuth flow that you choose.

OAUTH_AUTHORIZATION_ENDPOINT = 'string_literal'

指定用于对外部服务进行身份验证的 URL。例如,要连接到 ServiceNow 实例,URL 应采用以下格式:

https://<instance_name>.service-now.com/oauth_token

Where instance_name is the name of your ServiceNow instance.

OAUTH_TOKEN_ENDPOINT = 'string_literal'

指定客户端用于获取访问令牌的令牌端点,方法是提供其授权授予或刷新令牌。令牌端点用于每个授权授予,但隐式授权类型除外(因为访问令牌是直接颁发的)。

OAUTH_CLIENT_AUTH_METHOD = { CLIENT_SECRET_BASIC | CLIENT_SECRET_POST }

Controls how client credentials are sent to the external service.

CLIENT_SECRET_BASIC

Specifies that client credentials are sent using the HTTP Basic Authentication Scheme.

CLIENT_SECRET_POST

Specifies that client credentials are sent in the HTTP request body of a POST request.

Default: CLIENT_SECRET_BASIC

OAUTH_CLIENT_ID = 'string_literal'

指定外部服务中 OAuth 应用程序的客户端 ID。

OAUTH_CLIENT_SECRET = 'string_literal'

Specifies the client secret for the OAuth application in the external service.

OAUTH_GRANT = 'string_literal'

指定 OAuth 流的类型。以下其中一项:

  • 'CLIENT_CREDENTIALS' when the integration will use client credentials.
  • 'AUTHORIZATION_CODE' when the integration will use an authorization code.
  • 'JWT_BEARER' when the integration will use a JWT bearer token.
OAUTH_ACCESS_TOKEN_VALIDITY = integer

指定由 OAuth 服务器颁发的 OAuth 访问令牌的默认生命周期(以秒为单位)。

如果访问令牌生命周期未作为 OAuth 令牌响应的一部分返回,则使用此属性中设置的值。当两个值都可用时,两者中较小的值将用于刷新访问令牌。

OAUTH_REFRESH_TOKEN_VALIDITY = integer

指定用于确定从 OAuth 服务器获取的刷新令牌有效性的值。

OAUTH_ALLOWED_SCOPES = ( 'scope_1' [ , 'scope_2' ... ] )

指定以逗号分隔的范围列表,每个范围放在单引号内,在 OAuth 客户端凭证流期间由集成中具备 USAGE 的角色通过 OAuth 发出请求时使用。

This list must be a subset of the scopes defined in the OAUTH_ALLOWED_SCOPES property of the security integration. If the OAUTH_SCOPES property values are not specified, the secret inherits all of the scopes that are specified in the security integration.

For the ServiceNow connector, the only possible scope value is 'useraccount'.

Default: Empty list (i.e. []).

COMMENT = 'string_literal'

指定集成的注释。

默认:无值

访问控制要求

A role used to execute this operation must have the following privileges at a minimum:

权限对象备注
CREATE INTEGRATION账户Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.
CREATE SECURITY INTEGRATION账户授予创建 API_AUTHENTICATION 类型的外部安全集成的能力。此权限不授予创建其他类型的安全集成的能力。

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

使用说明

  • 关于元数据:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.

  • CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.

示例

Create a security integration named servicenow_oauth to connect Snowflake to the ServiceNow instance named myinstance using OAuth with the code grant flow:

CREATE SECURITY INTEGRATION servicenow_oauth
  TYPE = API_AUTHENTICATION
  AUTH_TYPE = OAUTH2
  OAUTH_CLIENT_AUTH_METHOD = CLIENT_SECRET_POST
  OAUTH_CLIENT_ID = 'sn-oauth-134o9erqfedlc'
  OAUTH_CLIENT_SECRET = 'eb9vaXsrcEvrFdfcvCaoijhilj4fc'
  OAUTH_TOKEN_ENDPOINT = 'https://myinstance.service-now.com/oauth_token.do'
  ENABLED = TRUE;

Create a security integration named sharepoint_security_integration to connect Snowflake to Microsoft Sharepoint using OAuth with client credentials:

CREATE SECURITY INTEGRATION sharepoint_security_integration
  TYPE = API_AUTHENTICATION
  AUTH_TYPE = OAUTH2
  OAUTH_CLIENT_AUTH_METHOD = CLIENT_SECRET_POST
  OAUTH_CLIENT_ID = 'YOUR_CLIENT_ID'
  OAUTH_CLIENT_SECRET = 'YOUR_CLIENT_SECRET'
  OAUTH_GRANT = 'CLIENT_CREDENTIALS'
  OAUTH_TOKEN_ENDPOINT = 'https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token'
  OAUTH_ALLOWED_SCOPES = ('https://graph.microsoft.com/.default')
  ENABLED = TRUE;