Categories:

User & Security DDL (Third-Party Service Integrations)

ALTER SECURITY INTEGRATION

Modifies the properties for an existing security integration.

See also:

CREATE SECURITY INTEGRATION , DROP INTEGRATION , SHOW INTEGRATIONS

In this Topic:

Syntax

OAuth for partner applications

ALTER [ SECURITY ] INTEGRATION [ IF EXISTS ] <name> SET
  [ ENABLED = { TRUE | FALSE } ]
  [ OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
  [ BLOCKED_ROLES_LIST = ( '<role_name>' [ , '<role_name>' , ... ] ) ]
  [ COMMENT = '<string_literal>' ]

OAuth for custom clients

ALTER [ SECURITY ] INTEGRATION [ IF EXISTS ] <name> SET
  [ ENABLED = { TRUE | FALSE } ]
  [ OAUTH_REDIRECT_URI = '<uri>' ]
  [ OAUTH_ALLOW_NON_TLS_REDIRECT_URI = TRUE | FALSE ]
  [ OAUTH_ENFORCE_PKCE = TRUE | FALSE ]
  [ PRE_AUTHORIZED_ROLES_LIST = ( '<role_name>' [ , '<role_name>' , ... ] ) ]
  [ BLOCKED_ROLES_LIST = ( '<role_name>' [ , '<role_name>' , ... ] ) ]
  [ OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
  [ NETWORK_POLICY = '<network_policy>' ]
  [ OAUTH_CLIENT_RSA_PUBLIC_KEY = <public_key1> ]
  [ OAUTH_CLIENT_RSA_PUBLIC_KEY_2 = <public_key2> ]
  [ COMMENT = '<string_literal>' ]

Parameters

name

Identifier for the integration to alter. If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.

OAuth Partner Application Parameters

Valid when OAUTH_CLIENT = <partner_application> (i.e. when creating an integration for a partner application)

SET ...

Specifies one (or more) properties/parameters to set for the integration (separated by blank spaces, commas, or new lines):

ENABLED = TRUE | FALSE Specifies whether to initiate operation of the integration or suspend it.

  • TRUE allows the integration to run based on the parameters specified in the pipe definition.

  • FALSE suspends the integration for maintenance. Any integration between Snowflake and a third-party service fails to work.

OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE

Boolean that specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. If set to FALSE, a refresh token is not issued. User consent is revoked, and the user must confirm authorization again.

Default: TRUE

OAUTH_REFRESH_TOKEN_VALIDITY = integer

Integer that specifies how long refresh tokens should be valid (in seconds). This can be used to expire the refresh token periodically.

Note that if your organization would like the minimum or maximum values lowered or raised, respectively, ask your account administrator to send a request to Snowflake Support.

Values

86400 (1 day) to 7776000 (90 days)

Default

7776000

BLOCKED_ROLES_LIST = '( role_name' [ , 'role_name' , ... ] )

Comma-separated list of Snowflake roles that a user cannot explicitly consent to using after authenticating, e.g. 'custom_role1', 'custom_role2'. Note that the ACCOUNTADMIN and SECURITYADMIN roles are included in this list by default; however, if these roles should be removed for your account, ask your account administrator to send a request to Snowflake Support.

COMMENT = 'string_literal'

String (literal) that specifies a comment for the integration.

OAuth Custom Client Parameters

Valid when OAUTH_CLIENT = CUSTOM (i.e. when creating an integration for a custom client)

SET ...

Specifies one (or more) properties/parameters to set for the integration (separated by blank spaces, commas, or new lines):

ENABLED = TRUE | FALSE Specifies whether to initiate operation of the integration or suspend it.

  • TRUE allows the integration to run based on the parameters specified in the pipe definition.

  • FALSE suspends the integration for maintenance. Any integration between Snowflake and a third-party service fails to work.

OAUTH_REDIRECT_URI = 'uri'

Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI. The URI must be protected by TLS (Transport Layer Security) unless the optional OAUTH_ALLOW_NON_TLS_REDIRECT_URI parameter is set to TRUE.

OAUTH_ALLOW_NON_TLS_REDIRECT_URI = TRUE | FALSE

If TRUE, allows setting OAUTH_REDIRECT_URI to a URI not protected by TLS. We highly recommend use of TLS to prevent man-in-the-middle OAuth redirects for use in phishing attacks.

Default: FALSE

OAUTH_ENFORCE_PKCE = TRUE | FALSE

Boolean that specifies whether Proof Key for Code Exchange (PKCE) should be required for the integration.

Default: FALSE

PRE_AUTHORIZED_ROLES_LIST = '( role_name' [ , 'role_name , ... ] ')

Comma-separated list of Snowflake roles that a user does not need to explicitly consent to using after authenticating, e.g. 'custom_role1', 'custom_role2'. Note that the ACCOUNTADMIN and SECURITYADMIN roles cannot be included in this list.

Note

This parameter is supported for confidential clients only.

BLOCKED_ROLES_LIST = '(role_name', 'role_name')

Comma-separated list of Snowflake roles that a user cannot explicitly consent to using after authenticating, e.g. 'custom_role1', 'custom_role2'. Note that the ACCOUNTADMIN and SECURITYADMIN roles are included in this list by default; however, if these roles should be removed for your account, ask your account administrator to send a request to Snowflake Support.

OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE

Boolean that specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. If set to FALSE, a refresh token is not issued. User consent is revoked, and the user must confirm authorization again.

Default: TRUE

OAUTH_REFRESH_TOKEN_VALIDITY = integer

Integer that specifies how long refresh tokens should be valid (in seconds). This can be used to expire the refresh token periodically.

When a refresh token expires, the application will need to direct the user through the authorization flow again to obtain a new refresh token.

The supported minimum, maximum, and default values are as follows:

Application

Minimum

Maximum

Default

Tableau Desktop

60 (1 minute)

36000 (10 hours)

36000 (10 hours)

Tableau Server or Tableau Online

60 (1 minute)

7776000 (90 days)

7776000 (90 days)

Custom client

86400 (1 day)

7776000 (90 days)

7776000 (90 days)

If you have a business need to lower the minimum value or raise the maximum value, ask your account administrator to send a request to Snowflake Support.

NETWORK_POLICY = 'network_policy'

Specifies an existing network policy active for your account. The network policy restricts the list of user IP addresses when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token. If this parameter is not set, the network policy for the account (if any) is used instead.

OAUTH_CLIENT_RSA_PUBLIC_KEY = public_key1

Specifies an RSA public key. For more information, see OAuth.

OAUTH_CLIENT_RSA_PUBLIC_KEY_2 = public_key2

Specifies a second RSA public key. Used for key rotation.

COMMENT = 'string_literal'

String (literal) that specifies a comment for the integration.

Examples

The following example initiates operation of a suspended integration:

ALTER SECURITY INTEGRATION myint SET ENABLED = TRUE;