Okta Snowflake Role creation
I am new to this Okta Snowflake integration. I am using SCIM. After integration, I am trying to create the role in Okta, or at least assign the role to the user from Okta to Snowflake. In the documentation, it is mentioned via push groups. Not sure how to create a role in Okta. When I am assigning users in Okta it is taking the default role PUBLIC in Snowflake. I created a manual role in Snowflake with the okta provisioner as owner. When I assign a user with that custom role in Okta it is taking the PUBLIC role by default again. Is there anything I am missing regarding the role here? Thanks.

Leede answered 30/9, 2021 at 10:49 Comment(0)

We advise that within Snowflake you have Access Roles and, external to Snowflake (like using Okta and SCIM), that you define Groups and these become Functional Roles in Snowflake --- don't worry about the prefix I used; a custom role is a custom role, the prefix (Access / Functional) is just a logical grouping of roles.

Once defined in Okta and pushed to Snowflake these Groups should appear as Custom Roles in Snowflake, but they will not have access to anything. Within Snowflake you will have to grant them to Access Roles.

Access Roles within Snowflake (again, it is just a custom role) are the roles that contain the privileges to Snowflake objects; within Snowflake you have to link the Functional role to Access Roles. Once you've done that, all new Users assigned the same Group (Functional Role) will need no further management in the Snowflake platform.

You can create users and assign them a default role too, this is highlighted in the doc: https://docs.snowflake.com/en/user-guide/scim-intro.html#custom-attributes

Stoke answered 1/10, 2021 at 0:47 Comment(1)
Thank you. This really helped. And also, is there a way we can use Terraform for the Okta Snowflake SSO integration, and also Terraform for the SCIM part like assigning users and groups? – Leede

You want to create the role/group from Okta so that Okta can manage it. Don't create the role manually in Snowflake. Even if you change the owner to okta_provisioner, it will likely still have problems since the updates are one-way from Okta to Snowflake.

So here are some general steps you can test:

  1. Create a brand new group in Okta that doesn't exist in Snowflake
  2. Create a brand new user in Okta that doesn't exist in Snowflake
  3. Add that user to the group
  4. In SCIM application for Snowflake, go to the Assignments tab > click Assign button > Assign to Groups
  5. Assign your group to the application, optionally give it a default role/warehouse, and confirm it shows up in the list
  6. Under the Push Groups tab, push your group to Snowflake. You only need to do this once as it's the initial group creation. Pushing it out again to Snowflake will cause it to error since it already exists.

At this point, Okta will send the request to create the user(s) in that group and additionally create the role on the Snowflake side. All your users who are in the group are granted that role which you can see in the UI or with a command like "show grants to user user_name;". And your user should also have whatever default role/warehouse you gave to the group.

Then you can add users to the group later as desired and Okta will automatically create those users similarly on the Snowflake side under the role.

I recommend creating groups and users from Okta always when testing. Again, the requests are one-way from Okta to Snowflake. Ideally, you are using Okta SCIM in the first place to do most of the user/role management, so it makes sense.

Haymow answered 30/9, 2021 at 23:4 Comment(2)
Thank you. This really helped. And also, is there a way we can use Terraform for the Okta Snowflake SSO integration, and also Terraform for the SCIM part like assigning users and groups? – Leede
Can't say I have ever tried it and it wouldn't be supported by Snowflake since it's a 3rd party, but you are welcome to give it a try. In theory, it should work for some of these pieces. – Haymow
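The functional-role / access-role split described in both answers above (the Okta-pushed group becomes a privilege-less custom role; privileges live on a Snowflake-managed access role that is granted to it), as an added Snowflake SQL example that is not from either answer. It assumes Okta has already pushed a group named OKTA_ANALYSTS via SCIM, and the database, warehouse and user names are placeholders.

```sql
-- Added example, not code from the answers above. Assumptions:
--   * Okta has already pushed the group OKTA_ANALYSTS through SCIM, so a role
--     of that name exists in Snowflake, owned by the SCIM provisioner role.
--   * Database REPORTING (schema PUBLIC) and warehouse REPORTING_WH exist.
--   * "alice@example.com" is a user Okta provisioned into that group.
-- All object names are placeholders chosen for this example.

USE ROLE SECURITYADMIN;

-- 1. Confirm the functional role arrived from Okta and carries no privileges.
SHOW ROLES LIKE 'OKTA_ANALYSTS';
SHOW GRANTS TO ROLE OKTA_ANALYSTS;          -- expected: no object privileges yet

-- 2. Create an access role inside Snowflake that holds the actual privileges.
--    This role is never pushed from Okta; it is managed only in Snowflake.
CREATE ROLE IF NOT EXISTS REPORTING_READ
  COMMENT = 'Access role: read-only on REPORTING (managed in Snowflake, not Okta)';

GRANT USAGE  ON WAREHOUSE REPORTING_WH                    TO ROLE REPORTING_READ;
GRANT USAGE  ON DATABASE  REPORTING                       TO ROLE REPORTING_READ;
GRANT USAGE  ON SCHEMA    REPORTING.PUBLIC                TO ROLE REPORTING_READ;
GRANT SELECT ON ALL    TABLES IN SCHEMA REPORTING.PUBLIC  TO ROLE REPORTING_READ;
GRANT SELECT ON FUTURE TABLES IN SCHEMA REPORTING.PUBLIC  TO ROLE REPORTING_READ;

-- 3. Link the Okta-managed functional role to the access role. This is the
--    only grant that touches the Okta role and is done once; membership of
--    OKTA_ANALYSTS keeps flowing one-way from Okta, with no per-user work here.
GRANT ROLE REPORTING_READ TO ROLE OKTA_ANALYSTS;

-- 4. Keep the hierarchy visible to Snowflake administrators.
GRANT ROLE OKTA_ANALYSTS TO ROLE SYSADMIN;

-- 5. Verify for a user Okta placed in the group (the check from the answer
--    above). The default role should be set on the Okta side (group assignment
--    or the SCIM custom attribute), not with ALTER USER, since Okta owns the user.
SHOW GRANTS TO USER "alice@example.com";    -- expect OKTA_ANALYSTS in the list
SHOW GRANTS TO ROLE OKTA_ANALYSTS;          -- expect REPORTING_READ granted
DESCRIBE USER "alice@example.com";          -- DEFAULT_ROLE reflects what Okta sent
```

Adding a user to the Okta group later grants them OKTA_ANALYSTS automatically, and through it REPORTING_READ, without any further GRANT statements in Snowflake.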