When creating Snowflake to Foundry connections, how can I use a previously existing service account without the need to create a new one with the login name “ri.magritte…source…”?
I wonder if I can have a single account integration with multiple roles in Snowflake that I could use for all Snowflake data ingestion.
Also, regarding the connection, it doesn’t specify in the steps, but should I execute “ALTER USER [IF EXISTS] [] ADD DELEGATED AUTHORIZATION OF ROLE <role_name> TO SECURITY INTEGRATION <integration_name>” to grant the security integration to the created user? If so, how can I still utilize the benefits of external_oauth_any_role_mode = 'ENABLE' when the user has access to specific databases across many different roles in Snowflake?
Unfortunately, this won’t be possible at the moment. Our security model heavily relies on ensuring that the request comes from the correct source, which is identified by “ri.magritte…source…”.
I don’t believe you need to alter any of the DELEGATED_AUTHORIZATION. Once you have created the security integration, it should automatically allow all roles granted to the user (with the “ri.magritte…source…” login name). You can further customize this through the EXTERNAL_OAUTH_ALLOWED_ROLES_LIST and EXTERNAL_OAUTH_BLOCKED_ROLES_LIST properties on the security integration if you would like. But since we will always assume the same user (“ri.magritte…source…”), this shouldn’t be necessary, and you should only have to scope down the user itself.
The external_oauth_any_role_mode is so that we can assume the role configured on the source itself, as seen below. If this role is configured, we will assume that role; otherwise, we assume the user’s default role.