Snowflake Setup

App to App API Access in the Same Snowflake Account

  • You need to create a Native App that has an SPCS service running inside it. This can be any long-running service or a Service Job in Snowflake.

  • This service can call all the embedded APIs as usual — for example, using the requests library in Python.

  • The base URL for the APIs will follow this format:

http://{madconnect_service_name}.{madconnect_service_dns}:{madconnect_port}
  • This base URL should be provided to the client app, along with the Client ID, Client Secret, and the Bearer Token (to be passed in the Authorization header).

  • To access the APIs, both the MadConnect App and the Client App should be installed in the same Snowflake account.

  • Once the client app is installed (let’s say its name is ClientApp), execute the following command:

USE ROLE ACCOUNTADMIN;
GRANT APPLICATION ROLE MADCONNECT.MADCONNECT_APP_SERVICE_ROLE TO APPLICATION ClientApp;
  • After executing the above command, the MadConnect APIs can be accessed seamlessly.

External Access of APIs

To access MadConnect APIs from outside Snowflake, you need two tokens: one for Snowflake authentication and another for the MadConnect Embedded API. Pass the Snowflake token in the Authorization header and the MadConnect bearer token in the es-auth header.

To generate the Snowflake token, follow the Snowflake documentation listed below:

  1. Tutorial 1 has a new (optional) Step 5 that provides step-by-step instructions to test programmatic access.

  2. Public endpoint access from outside Snowflake and authentication is updated with some conceptual information.

  3. The Token Exchange endpoint has also been added as another Authorization Endpoint. This is the endpoint where you send requests to exchange a JWT for an OAuth token.

  4. A Postman example is also provided.

As per the above Snowflake documentation, you need to create a service user and set it up with a public key; the corresponding private key should be used to generate the token.

Next, grant the MADCONNECT_APP_USER_ROLE to the service user. This role must be assigned to the user that will be used for authentication. For example, if the user for authentication is USER1, execute the following command to grant the MADCONNECT_APP_USER_ROLE to USER1:

GRANT ROLE MADCONNECT_APP_USER_ROLE TO USER USER1;

Once all the setup is completed as mentioned in the documentation and the steps above, you can generate the Snowflake token and use it in the Authorization header, and use the MadConnect token in the es-auth header, along with the MadConnect application URL as the host for the API calls.
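The two header layouts described above (app-to-app and external), as an added Python example that is not MadConnect's or Snowflake's own code. The function names are hypothetical, the `Snowflake Token="..."` scheme is the form shown in Snowflake's SPCS documentation, and the `Bearer` prefix and the raw es-auth value are assumptions to confirm against your deployment.

```python
import re

# Hypothetical helper names; header layout follows the page's description.
_BAD = re.compile(r"[\x00-\x20\x7f]")  # control characters and whitespace

def internal_base_url(service_name, service_dns, port):
    """App-to-app base URL in the page's format (same Snowflake account)."""
    return f"http://{service_name}.{service_dns}:{int(port)}"

def _clean(token, label):
    """Reject empty tokens and ones that could inject extra headers."""
    if not token or _BAD.search(token):
        raise ValueError(f"{label} is empty or contains whitespace/control characters")
    return token

def build_headers(url, madconnect_token, snowflake_token=None):
    """Return the auth headers for an app-to-app or an external call.

    snowflake_token=None -> app-to-app: MadConnect token in Authorization.
    otherwise            -> external: Snowflake token in Authorization,
                            MadConnect token in es-auth.
    """
    mc = _clean(madconnect_token, "MadConnect token")
    if snowflake_token is None:
        # Assumption: standard "Bearer <token>" scheme.
        return {"Authorization": f"Bearer {mc}"}
    if not url.lower().startswith("https://"):
        raise ValueError("external calls carry both tokens and must use https")
    sf = _clean(snowflake_token, "Snowflake token")
    return {
        # Scheme shown in Snowflake's SPCS public-endpoint documentation.
        "Authorization": f'Snowflake Token="{sf}"',
        # Assumption: sent as-is; the page does not say whether a prefix is needed.
        "es-auth": mc,
    }

def redact(headers):
    """Copy of the headers that is safe to log: every value is masked."""
    return {name: "<redacted>" for name in headers}

if __name__ == "__main__":
    # Constructed values; real tokens should come from a secret store or env.
    h = build_headers("https://example.invalid/api", "mc-token", "sf-token")
    print(redact(h))  # pass `h` itself as headers= to requests.get(...)
```

Log only the output of `redact`, never the header dictionary itself, since it holds both credentials.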
