--- title: Snowflake connector description: The Snowflake connector allows you to manage users, grant and revoke roles and database roles, and synchronize data between IDM or Advanced Identity Cloud and Snowflake. component: openicf page_id: openicf:connector-reference:snowflake canonical_url: https://docs.pingidentity.com/openicf/connector-reference/snowflake.html section_ids: snowflake-reqs: Snowflake requirements install_the_snowflake_connector: Install the Snowflake connector configure-snowflake-connector: Configure the Snowflake connector connection_details: Connection Details example_snowflake_configuration: Example Snowflake configuration Snowflake-UserMapping: Mapping test_the_snowflake_connector: Test the Snowflake connector snowflake_remote_connector: Snowflake remote connector config-connection-pooling-snowflake: Configure connection pooling use_the_snowflake_connector: Use the Snowflake connector snowflake-users: Users snowflake-roles: Roles snowflake-database-roles: Database Roles snowflake-search-filters: Supported search filters implemented-interfaces-org-forgerock-openicf-connectors-snowflake-SnowflakeConnector-1.5.20.34: OpenICF Interfaces Implemented by the Snowflake Connector config-properties-org-forgerock-openicf-connectors-snowflake-SnowflakeConnector-1.5.20.34: Snowflake Connector Configuration configuration-properties-org-forgerock-openicf-connectors-snowflake-SnowflakeConnector-1.5.20.34: Configuration properties basic-configuration-properties-org-forgerock-openicf-connectors-snowflake-SnowflakeConnector-1.5.20.34: Basic Configuration Properties --- # Snowflake connector | | | | - | ------------------------------------------------------------ | | | This is a [SaaS common connector](preface.html#saas-common). | The Snowflake connector allows you to manage users, grant and revoke roles and database roles, and synchronize data between IDM or Advanced Identity Cloud and Snowflake. ## Snowflake requirements To configure the connector, you need a Snowflake account with the `SYSADMIN` role. Complete the following steps to gather the required values, then use them to [configure the connector](#configure-snowflake-connector). 1. Generate an unencrypted RSA key pair using OpenSSL: 1. Generate a private key: ```bash openssl genrsa -out rsa_key.pem 2048 ``` 2. Extract the public key: ```bash openssl rsa -in rsa_key.pem -pubout -out rsa_key.pub ``` 2. In your Snowflake platform: 1. Set `SYSADMIN` as default role: ```sql ALTER USER YOUR_USERNAME SET DEFAULT_ROLE = 'SYSADMIN'; ``` 2. Set the public key for the user: ```sql ALTER USER YOUR_USERNAME SET RSA_PUBLIC_KEY='-----BEGIN PUBLIC KEY-----YOUR_PUBLIC_KEY-----END PUBLIC_KEY----'; ``` 3. Save the snowflake context URL subdomain: 1. Go to Nav > Session details. 2. In the Session Details modal, save the subdomain value of the Snowflake Context field. > **Collapse: Show Me** > > ![Show session details](_images/snowflake-get-details.png) 4. Define the claims: 1. Query and save the account locator: ```sql SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME(); ``` 2. Query and save the `RSA_PUBLIC_KEY_FP`: ```sql DESCRIBE USER YOUR_USERNAME; ``` 3. Construct the claims using the account locator and `RSA_PUBLIC_KEY_FP`: * Issuer: `account_locator.username.RSA_PUBLIC_KEY_FP` * Subject: `account_locator.username` ## Install the Snowflake connector | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To check for an Advanced Identity Cloud application for this connector, refer to:- [Application management](https://docs.pingidentity.com/pingoneaic/latest/app-management/applications.html) - [App catalog](https://docs.pingidentity.com/pingoneaic/latest/app-management/app-catalog.html) | You can download any connector from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors), but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration. **Connector included in default deployment** | Connector | IDM | RCS | | --------------------------- | ----------------------- | ----------------------- | | [Snowflake](snowflake.html) | [icon: times, set=fa]No | [icon: times, set=fa]No | Download the connector .jar file from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors). * If you're running the connector locally, place it in the `/path/to/openidm/connectors` directory, for example: ``` mv ~/Downloads/snowflake-connector-1.5.20.34.jar /path/to/openidm/connectors/ ``` * If you're using a remote connector server (RCS), place it in the `/path/to/openicf/connectors` directory on the RCS. ## Configure the Snowflake connector Create a connector configuration using the IDM admin UI: 1. From the navigation bar, click Configure > Connectors. 2. On the Connectors page, click New Connector. 3. On the New Connector page, type a Connector Name. 4. From the Connector Type list, select Snowflake Connector - 1.5.20.34. 5. Complete the Base Connector Details and any applicable Additional Options. | | | | - | ------------------------------------------------------------------------------------------------------------------------ | | | For a list of all configuration properties, refer to [Snowflake Connector Configuration](#snowflake-config-prop-ezLink). | 6. Click Save. When your connector is configured correctly, the connector displays as Active in the admin UI. Refer to [this procedure](configure-connector.html#connector-wiz-REST) to create a connector configuration over REST. ### Connection Details | Property | Description | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `serviceUri` | The service endpoint URI. | | `role` | The role for performing queries. | | `authenticationMethod` | The authentication method. Must be `JWT_TOKEN`. | | `jwtPem` | The private key generated during the [Snowflake requirements](#snowflake-reqs). | | `jwtExpiration` | The access token expiration time in seconds. | | `jwtAlgorithm` | The algorithm type. Must be `RS256`. | | `keyAlgorithm` | The key type. Must be `RSA`. | | `jwtClaims` | The claims to include in the payload to sign and get the access token. This object must contain the following keys:- `iss`: The issuer of the JWT, constructed from the account locator, username, and `RSA_PUBLIC_KEY_FP`. - `sub`: The subject of the JWT, constructed from the account locator and username.Example `jwtClaims````json "jwtClaims": { "iss": "acmecorp-prod_data_01.SVC_PING_PROVISIONING.SHA256:abc123def456ghi789jkl012mno345pqr815stu901v", "sub": "acmecorp-prod_data_01.SVC_PING_PROVISIONING" } ```Learn more about obtaining these values in [Snowflake requirements](#snowflake-reqs). | | `excludeDatabases` | A list of databases to exclude from operations. | | `warehouse` | The warehouse name that provides computing resources. | | `connectionTimeout` | The timeout for the underlying HTTPS connection in seconds. Defaults to `30`. | ### Example Snowflake configuration This excerpt shows a sample Snowflake connector configuration: ```json { "configurationProperties" : { "tokenExpiration" : null, "accessToken" : null, "serviceUri" : "https://your.tenant.snowflakecomputing.com/api/v2", "login" : null, "password" : null, "authenticationMethod" : "JWT_TOKEN", "tokenEndpoint" : null, "clientId" : null, "clientSecret" : null, "refreshToken" : null, "authToken" : null, "acceptSelfSignedCertificates" : false, "disableHostNameVerifier" : false, "disableHttpCompression" : false, "clientCertAlias" : null, "clientCertPassword" : null, "httpProxyHost" : null, "httpProxyPort" : null, "httpProxyUsername" : null, "httpProxyPassword" : null, "connectionTimeout" : "30", "grantType" : null, "scope" : null, "authorizationTokenPrefix" : "Bearer", "useBasicAuthForOauthTokenNeg" : true, "jwtKey" : null, "customGrantType" : null, "defaultHeader" : null, "keyAlgorithm" : "RSA", "jwtPem" : "MIIEvAIBADANB...", "jwtExpiration": 60, "jwtAlgorithm": "RS256", "jwtClaims": { "iss": "XXXXX-XXXXX.USERNAME.SHA256:RSA_PUBLIC_KEY_FP", "sub": "XXXXX-XXXXX.USERNAME" }, "excludeDatabases": [ "DATABASE NAME TO EXCLUDE" ], "role": "USERADMIN", "warehouse": null } } ``` ## Mapping > **Collapse: From Snowflake users to IDM or Advanced Identity Cloud users** > > Attributes Grid: Where the columns represent the attribute name mapped from source to target and the necessary data transformation to synchronize successfully. > > | SOURCE | TARGET | TRANSFORMATION SCRIPT | > | ------------------------- | ------------------------- | --------------------- | > | `id` | `_id` | N/A | > | `__NAME__` | `__NAME__` | N/A | > | `email` | `email` | N/A | > | `last_name` | `sn` | N/A | > | `first_name` | `givenName` | N/A | > | `display_name` | `displayName` | N/A | > | `login_name` | `loginName` | N/A | > | `must_change_password` | `must_change_password` | N/A | > | `disabled` | `disabled` | N/A | > | `mins_to_unlock` | `mins_to_unlock` | N/A | > | `days_to_expiry` | `days_to_expiry` | N/A | > | `default_warehouse` | `default_warehouse` | N/A | > | `default_namespace` | `default_namespace` | N/A | > | `default_role` | `default_role` | N/A | > | `default_secondary_roles` | `default_secondary_roles` | N/A | > | `comment` | `comment` | N/A | > | `created_on` | `created_on` | N/A | > | `locked_until_time` | `locked_until_time` | N/A | > | `owner` | `owner` | N/A | > | `snowflake_lock` | `snowflake_lock` | N/A | > | `last_success_login` | `last_success_login` | N/A | > | `expires_at_time` | `expires_at_time` | N/A | > | `roles` | `roles` | N/A | > | `database_roles` | `database_roles` | N/A | > **Collapse: From IDM or Advanced Identity Cloud users to Snowflake users** > > Attributes Grid: Where the columns represent the attribute name mapped from source to target and the necessary data transformation to synchronize successfully. > > | SOURCE | TARGET | TRANSFORMATION SCRIPT | > | ------------------------- | ------------------------- | --------------------- | > | `__NAME__` | `__NAME__` | N/A | > | `email` | `email` | N/A | > | `sn` | `last_name` | N/A | > | `givenName` | `first_name` | N/A | > | `displayName` | `display_name` | N/A | > | `loginName` | `login_name` | N/A | > | `must_change_password` | `must_change_password` | N/A | > | `disabled` | `disabled` | N/A | > | `mins_to_unlock` | `mins_to_unlock` | N/A | > | `days_to_expiry` | `days_to_expiry` | N/A | > | `default_warehouse` | `default_warehouse` | N/A | > | `default_namespace` | `default_namespace` | N/A | > | `default_role` | `default_role` | N/A | > | `default_secondary_roles` | `default_secondary_roles` | N/A | > | `comment` | `comment` | N/A | > | `roles` | `roles` | N/A | > | `databases_roles` | `roles` | N/A | > **Collapse: From Snowflake roles to IDM or Advanced Identity Cloud roles** > > []()Attributes Grid: Where the columns represent the attribute name mapped from source to target and the necessary data transformation to synchronize successfully. > > | SOURCE | TARGET | TRANSFORMATION SCRIPT | > | ---------------- | ---------------- | --------------------- | > | `id` | `_id` | N/A | > | `__NAME__` | `__NAME__` | N/A | > | `comment` | `comment` | N/A | > | `owner` | `owner` | N/A | > | `created_on` | `created_on` | N/A | > | `is_default` | `is_default` | N/A | > | `is_current` | `is_current` | N/A | > | `is_inherited` | `is_inherited` | N/A | > | `roles` | `roles` | N/A | > | `database_roles` | `database_roles` | N/A | > | `privileges` | `privileges` | N/A | > **Collapse: From Snowflake database roles to IDM or Advanced Identity Cloud database roles** > > []()Attributes Grid: Where the columns represent the attribute name mapped from source to target and the necessary data transformation to synchronize successfully. > > | SOURCE | TARGET | TRANSFORMATION SCRIPT | > | ---------------- | ---------------- | --------------------- | > | `id` | `_id` | N/A | > | `__NAME__` | `__NAME__` | N/A | > | `owner` | `owner` | N/A | > | `created_on` | `created_on` | N/A | > | `comment` | `comment` | N/A | > | `is_inherited` | `is_inherited` | N/A | > | `is_current` | `is_current` | N/A | > | `is_default` | `is_default` | N/A | > | `database_roles` | `database_roles` | N/A | > | `privileges` | `privileges` | N/A | ### Test the Snowflake connector Test that the configuration is correct by running the following command: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/system/snowflake?_action=test" { "name": "snowflake", "enabled": true, "config": "config/provisioner.openicf/snowflake", "connectorRef": { "bundleVersion": "1.5.20.34", "bundleName": "org.forgerock.openicf.connectors.snowflake-connector", "connectorName": "org.forgerock.openicf.connectors.snowflake.SnowflakeConnector" }, "displayName": "org.forgerock.openicf.connectors.snowflake.SnowflakeConnector", "objectTypes": [ "__DATABASE_ROLE__", "__ACCOUNT__", "__ALL__", "__ROLES__" ], "ok": true } ``` ### Snowflake remote connector If you want to run this connector outside of PingOne Advanced Identity Cloud or IDM, you can configure the Snowflake connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within PingOne Advanced Identity Cloud or installed locally on IDM. You can download the Snowflake connector [from here](https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors). Refer to [Remote connectors](remote-connector.html) for configuring the Snowflake remote connector. ### Configure connection pooling The Snowflake connector supports [HTTP pooling](pooling.html#http-pooling), which can substantially improve the performance of the connector. Learn more about the basic connection pooling configuration and different pooling mechanisms described in [Connection pooling configuration](pooling.html). If the command returns `"ok": true`, your connector is configured correctly and can authenticate to the Snowflake environment. ## Use the Snowflake connector You can use the Snowflake connector to perform various actions on the following Snowflake resources: | Connector resource | Snowflake resource type | | ------------------- | ------------------------------------------- | | `__ACCOUNT__` | [Users](#snowflake-users) | | `__ROLES__` | [Roles](#snowflake-roles) | | `__DATABASE_ROLE__` | [Database Roles](#snowflake-database-roles) | ### Users > **Collapse: Create a Snowflake user** > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request POST \ > --data '{ > "__NAME__": "JOHNDOE", > "display_name": "john doe", > "first_name": "john", > "last_name": "doe", > "login_name": "john.doe", > "email": "john.doe@example.com", > "disabled" : true, > "mins_to_unlock" : 60, > "days_to_expiry": 99, > "default_warehouse" : "COMPUTE_WH", > "default_namespace" : "TEST", > "default_role" : "USERADMIN", > "comment": "This is a new user", > "roles" : [ > "ACCOUNTADMIN" > ], > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER" > ], > "default_secondary_roles": [ > "ALL" > ] > }'\ > 'http://localhost:8080/openidm/system/snowflake/__ACCOUNT__?_action=create' > { > "_id": "JOHNDOE", > "__NAME__": "JOHNDOE", > "owner": "USERADMIN", > "last_name": "doe", > "first_name": "john", > "email": "john.doe@example.com", > "default_warehouse": "COMPUTE_WH", > "default_namespace": "TEST", > "default_role": "USERADMIN", > "default_secondary_roles": [ > "ALL" > ], > "roles": [ > "ACCOUNTADMIN" > ], > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER" > ], > "snowflake_lock": false, > "last_success_login": null, > "must_change_password": false, > "disabled": true, > "display_name": "", > "mins_to_unlock": 60, > "days_to_expiry": 99, > "locked_until_time": "2026-01-20 14:22:10.196 UTC", > "created_on": "2026-01-20 14:17:10.184 UTC", > "expires_at_time": "2026-01-30 14:17:10.196 UTC", > "comment": "This is a new user" > } > ``` > > | | | > | - | --------------------------------------------------------------------------------- | > | | When you create a new user, you must specify *at least* the `__NAME__` attribute. | > **Collapse: Update a Snowflake user** > > The `PUT` operation replaces the entire user object. The request body must contain all modifiable attributes for the user. Any omitted attributes are removed or reset to their default values. > > The following user attributes can't be modified: > > * `created_on` > > * `__NAME__` > > * `snowflake_lock` > > * `owner` > > * `locked_until_time` > > * `last_success_login` > > * `expires_at_time` > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --header "If-Match:*" \ > --request PUT \ > --data '{ > "display_name": "john doe", > "first_name": "john", > "last_name": "doe", > "login_name": "john.doe", > "email": "john.doe@example.com", > "disabled" : true, > "mins_to_unlock" : 120, > "days_to_expiry": 99, > "default_warehouse" : "COMPUTE_WH", > "default_namespace" : "TEST", > "default_role" : "USERADMIN", > "comment": "User updated", > "roles" : [ > "ACCOUNTADMIN", > "SYSADMIN" > ], > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER" > ], > "default_secondary_roles": [ > "ALL" > ] > }' \ > "http://localhost:8080/openidm/system/snowflake/__ACCOUNT__/JOHNDOE" > { > "_id": "JOHNDOE", > "__NAME__": "JOHNDOE", > "owner": "USERADMIN", > "last_name": "doe", > "first_name": "john", > "email": "john.doe@example.com", > "default_warehouse": "COMPUTE_WH", > "default_namespace": "TEST", > "default_role": "USERADMIN", > "default_secondary_roles": [ > "ALL" > ], > "roles": [ > "ACCOUNTADMIN", > "SYSADMIN" > ], > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER" > ], > "snowflake_lock": false, > "last_success_login": null, > "must_change_password": false, > "disabled": true, > "display_name": "", > "mins_to_unlock": 120, > "days_to_expiry": 99, > "locked_until_time": "2026-01-20 14:22:10.196 UTC", > "created_on": "2026-01-20 14:17:10.184 UTC", > "expires_at_time": "2026-01-30 14:17:10.196 UTC", > "comment": "User updated" > } > ``` > **Collapse: Query all Snowflake user IDs** > > The following example queries all Snowflake users: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/snowflake/__ACCOUNT__?_queryId=query-all-ids" > { > "result": [ > { > "_id": "JOHNDOE" > }, > { > "_id": "JANEDOE" > }, > ... > ], > "resultCount": 999, > "pagedResultsCookie": "", > "totalPagedResultsPolicy": "NONE", > "totalPagedResults": -1, > "remainingPagedResults": -1 > } > ``` > **Collapse: Read Snowflake users** > > The following example reads all Snowflake users, by default 10.000: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/snowflake/__ACCOUNT__?_queryFilter=true" > { > "result": [ > { > "_id": "JOHNDOE", > "__NAME__": "JOHNDOE", > "owner": "USERADMIN", > "comment": "John Doe user", > "email": "john.doe@example.com", > "last_name": "DOE", > "first_name": "JOHN", > "login_name": "JOHNDOE", > "display_name": "JOHN DOE", > "must_change_password": false, > "snowflake_lock": false, > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER" > ], > "roles": [ > "ACCOUNTADMIN" > ], > "default_secondary_roles": [ > "ALL" > ], > "default_role": "USERADMIN", > "default_namespace": "default_namespace", > "default_warehouse": "COMPUTE_WH", > "mins_to_unlock": null, > "last_success_login": null, > "disabled": true, > "locked_until_time": "2026-01-20 14:22:10.196 UTC", > "created_on": "2026-01-20 14:17:10.184 UTC", > "expires_at_time": "2026-01-30 14:17:10.196 UTC", > "days_to_expiry": 99 > }, > ... > { > "_id": "JANEDOE", > "__NAME__": "JANEDOE", > "owner": "USERADMIN", > "comment": "Jane Doe user", > "email": "jane.doe@example.com", > "last_name": "DOE", > "first_name": "JANE", > "login_name": "JANEDOE", > "display_name": "JANE DOE", > "must_change_password": false, > "snowflake_lock": false, > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER" > ], > "roles": [ > "SYSADMIN" > ], > "default_secondary_roles": [ > "ALL" > ], > "default_role": "SYSADMIN", > "default_namespace": "default_namespace", > "default_warehouse": "COMPUTE_WH", > "mins_to_unlock": null, > "last_success_login": null, > "disabled": true, > "locked_until_time": "2026-01-20 14:22:10.196 UTC", > "created_on": "2026-01-20 14:17:10.184 UTC", > "expires_at_time": "2026-01-30 14:17:10.196 UTC", > "days_to_expiry": 99 > } > ], > "resultCount": 999, > "pagedResultsCookie": "", > "totalPagedResultsPolicy": "NONE", > "totalPagedResults": -1, > "remainingPagedResults": -1 > } > ``` > **Collapse: Read a single Snowflake user** > > The following example reads Snowflake user `JOHNDOE`: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/snowflake/__ACCOUNT__/JOHNDOE" > { > "_id": "JOHNDOE", > "__NAME__": "JOHNDOE", > "owner": "USERADMIN", > "last_name": "doe", > "first_name": "john", > "email": "john.doe@example.com", > "default_warehouse": "COMPUTE_WH", > "default_namespace": "TEST", > "default_role": "USERADMIN", > "default_secondary_roles": [ > "ALL" > ], > "roles": [ > "ACCOUNTADMIN" > ], > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER" > ], > "snowflake_lock": false, > "last_success_login": null, > "must_change_password": false, > "disabled": true, > "display_name": "", > "mins_to_unlock": 60, > "days_to_expiry": 99, > "locked_until_time": "2026-01-20 14:22:10.196 UTC", > "created_on": "2026-01-20 14:17:10.184 UTC", > "expires_at_time": "2026-01-30 14:17:10.196 UTC", > "comment": "This is a new user" > } > ``` > **Collapse: Delete a Snowflake user** > > The following example delete a Snowflake user `JOHNDOE`: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --header "If-Match: *" \ > --request DELETE \ > "http://localhost:8080/openidm/system/snowflake/__ACCOUNT__/JOHNDOE" > { > "_id": "JOHNDOE", > "__NAME__": "JOHNDOE", > "owner": "USERADMIN", > "last_name": "doe", > "first_name": "john", > "email": "john.doe@example.com", > "default_warehouse": "COMPUTE_WH", > "default_namespace": "TEST", > "default_role": "USERADMIN", > "default_secondary_roles": [ > "ALL" > ], > "roles": [ > "ACCOUNTADMIN" > ], > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER" > ], > "snowflake_lock": false, > "last_success_login": null, > "must_change_password": false, > "disabled": true, > "display_name": "john doe", > "mins_to_unlock": 60, > "days_to_expiry": 99, > "locked_until_time": "2026-01-20 14:22:10.196 UTC", > "created_on": "2026-01-20 14:17:10.184 UTC", > "expires_at_time": "2026-01-30 14:17:10.196 UTC", > "comment": "This is a new user" > } > ``` ### Roles > **Collapse: Query all roles IDs** > > The following example queries all Snowflake roles IDs: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/snowflake/__ROLES__?_queryId=query-all-ids" > { > "result": [ > { > "_id": "ACCOUNTADMIN" > }, > ... > { > "_id": "USERADMIN" > } > ], > "resultCount": 7, > "pagedResultsCookie": null, > "totalPagedResultsPolicy": "NONE", > "totalPagedResults": -1, > "remainingPagedResults": -1 > } > ``` > **Collapse: Query a specific role** > > The following example reads Snowflake role `ACCOUNTADMIN`: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/snowflake/__ROLES__/ACCOUNTADMIN" > { > "_id": "ACCOUNTADMIN", > "owner": "", > "privileges": [ > { > "granted_on": "ACCOUNT", > "name": "AA92044", > "privilege": "APPLY AGGREGATION POLICY" > }, > { > "granted_on": "ACCOUNT", > "name": "AA92044", > "privilege": "APPLY BACKUP RETENTION LOCK" > } > ], > "is_inherited": "N", > "database_roles": [ > "SNOWFLAKE.ALERT_VIEWER", > "SNOWFLAKE.BUDGET_CREATOR" > ], > "created_on": "2026-01-16 12:53:41.879 UTC", > "roles": [ > "SECURITYADMIN", > "SNOWFLAKE_LEARNING_ROLE", > "SYSADMIN" > ], > "__NAME__": "ACCOUNTADMIN", > "comment": "Account administrator can manage all aspects of the account.", > "is_default": "N", > "is_current": "N" > } > ``` ### Database Roles > **Collapse: Read all Snowflake database roles Ids** > > The following example queries all Snowflake database roles IDs: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/snowflake/__DATABASE_ROLE__?_queryId=query-all-ids" > { > "result": [ > { > "_id": "SNOWFLAKE.ALERT_VIEWER" > }, > ... > { > "_id": "SNOWFLAKE.CLASSIFICATION_ADMIN" > } > ], > "resultCount": 99, > "pagedResultsCookie": null, > "totalPagedResultsPolicy": "NONE", > "totalPagedResults": -1, > "remainingPagedResults": -1 > } > ``` > **Collapse: Read a single Snowflake database role** > > The following example reads Snowflake database role `SNOWFLAKE.ALERT_VIEWER`: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/snowflake/__DATABASE_ROLE__/ID" > { > "_id": "SNOWFLAKE.ALERT_VIEWER", > "owner": "", > "privileges": [ > { > "granted_on": "DATABASE", > "name": "SNOWFLAKE", > "privilege": "USAGE" > }, > ... > { > "granted_on": "FUNCTION", > "name": "SNOWFLAKE.ALERT.\"GET_CONDITION_QUERY_UUID():VARCHAR(16777216)\"", > "privilege": "USAGE" > } > ], > "is_inherited": "Y", > "created_on": "2023-04-10 21:28:01.698 UTC", > "__NAME__": "SNOWFLAKE.ALERT_VIEWER", > "comment": "", > "is_default": "N", > "is_current": "N" > } > ``` ## Supported search filters The Snowflake connector for users and roles via the \_\_NAME\_\_ field supports equals, contains, startswith, and endswith filters. ## OpenICF Interfaces Implemented by the Snowflake Connector The Snowflake Connector implements the following OpenICF interfaces. For additional details, see [ICF interfaces](interfaces.html): * Create Creates an object and its `uid`. * Delete Deletes an object, referenced by its `uid`. * Schema Describes the object types, operations, and options that the connector supports. * Script on Connector Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics: * The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access. * The script has access to a `connector` variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. * The script has access to any script arguments passed in by the application. * Search Searches the target resource for all objects that match the specified object class and filter. * Test Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid. This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out). You can invoke the test operation before a connector configuration has been validated. * Update Updates (modifies or replaces) objects on a target resource. []() ## Snowflake Connector Configuration The Snowflake Connector has the following configurable properties: ### Configuration properties | Property | Type | Default | Encrypted(1) | Required(2) | | ---------------------------- | -------- | ------- | ------------ | ------------------------ | | `tokenExpiration` | `Long` | `null` | | [icon: times, set=fas]No | | Description is not available | | | | | | `accessToken` | `String` | `null` | | [icon: times, set=fas]No | | Description is not available | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations. ### Basic Configuration Properties | Property | Type | Default | Encrypted(1) | Required(2) | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | -------- | ------------------------ | ------------------------- | | `excludeDatabases` | `String[]` | `null` | | [icon: times, set=fas]No | | Databases to exclude. | | | | | | `serviceUri` | `String` | `null` | | [icon: check, set=fas]Yes | | The service endpoint URI. | | | | | | `role` | `String` | `null` | | [icon: check, set=fas]Yes | | Specifies the security role that defines the access privileges and context for the request. | | | | | | `login` | `String` | `null` | | [icon: check, set=fas]Yes | | The service login name. | | | | | | `password` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | The service user password. | | | | | | `warehouse` | `String` | `null` | | [icon: check, set=fas]Yes | | Define the computer engine. | | | | | | `authenticationMethod` | `String` | `OAUTH` | | [icon: check, set=fas]Yes | | Defines which method is to be used to authenticate on the remote server. Options are `BASIC` (username/password), `OAUTH` (Client id/secret), `JWT_TOKEN` (jwt token), or `TOKEN` (static token). | | | | | | `tokenEndpoint` | `String` | `null` | | [icon: times, set=fas]No | | When using OAUTH as authentication method, this property defines the endpoint where a new access token should be queried for (). | | | | | | `clientId` | `String` | `null` | | [icon: check, set=fas]Yes | | The client identifier for OAuth2. | | | | | | `clientSecret` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | Secure client secret for OAuth2. | | | | | | `authToken` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | Static authentication token. | | | | | | `acceptSelfSignedCertificates` | `boolean` | `false` | | [icon: check, set=fas]Yes | | To be used for debug/test purposes. To be avoided in production. | | | | | | `disableHostNameVerifier` | `boolean` | `false` | | [icon: check, set=fas]Yes | | To be used for debug/test purposes. To be avoided in production. | | | | | | `disableHttpCompression` | `boolean` | `false` | | [icon: check, set=fas]Yes | | Set this property to `true` to disable content compression. | | | | | | `clientCertAlias` | `String` | `null` | | [icon: check, set=fas]Yes | | If TLS Mutual Auth is needed, set this to the certificate alias from the keystore. | | | | | | `clientCertPassword` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: check, set=fas]Yes | | If TLS Mutual Auth is needed and the client certificate (private key) password is different from the keystore password, set this to the client private key password. | | | | | | `maximumConnections` | `Integer` | `10` | | [icon: check, set=fas]Yes | | Defines the max size of the HTTP connection pool used. | | | | | | `httpProxyHost` | `String` | `null` | | [icon: check, set=fas]Yes | | Defines the Hostname if an HTTP proxy is used between the connector and the service. | | | | | | `httpProxyPort` | `Integer` | `null` | | [icon: check, set=fas]Yes | | Defines the Port if an HTTP proxy is used between the connector and the service. | | | | | | `httpProxyUsername` | `String` | `null` | | [icon: check, set=fas]Yes | | Defines Proxy Username if an HTTP proxy is used between the connector and the service. | | | | | | `httpProxyPassword` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: check, set=fas]Yes | | Defines Proxy Password if an HTTP proxy is used between the connector and the service. | | | | | | `connectionTimeout` | `int` | `30` | | [icon: times, set=fas]No | | Defines a timeout for the underlying HTTP connection in seconds. | | | | | | `refreshToken` | `GuardedString` | `null` | | [icon: times, set=fas]No | | Used by the refresh\_token grant type. | | | | | | `grantType` | `String` | `null` | | [icon: times, set=fas]No | | The OAuth2 grant type to use (`client_credentials`, `refresh_token`, or `jwt_bearer`). | | | | | | `scope` | `String` | `null` | | [icon: times, set=fas]No | | The OAuth2 scope to use. | | | | | | `authorizationTokenPrefix` | `String` | `Bearer` | | [icon: times, set=fas]No | | The prefix to be used in the Authorization HTTP header for Token authentication. | | | | | | `useBasicAuthForOauthTokenNeg` | `boolean` | `true` | | [icon: check, set=fas]Yes | | The Authentication method for refresh token (Basic Authentication or Sending the ClientId and Client Secret in the Header). | | | | | | `jwtKey` | `String` | `null` | | [icon: times, set=fas]No | | The JWT data structure that represents a cryptographic key. | | | | | | `jwtExpiration` | `Integer` | `null` | | [icon: times, set=fas]No | | Defines the JWT expiration time in seconds. | | | | | | `jwtAlgorithm` | `String` | `null` | | [icon: times, set=fas]No | | The Algorithm type to sign payload. | | | | | | `jwtClaims` | `Map` | `null` | | [icon: times, set=fas]No | | JWT Claims to be included in the payload | | | | | | `jwtPem` | `String` | `null` | | [icon: times, set=fas]No | | The contents of the private key of the PEM file | | | | | | `jwtCert` | `String` | `null` | | [icon: times, set=fas]No | | The contents of the certificate of the PEM file | | | | | | `keyAlgorithm` | `String` | `null` | | [icon: times, set=fas]No | | Indicates the type of key (such as RSA, DSA or EC) used to sign from the PEM. | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations.