QuickSight Support for Snowflake Service User Type Authentication?

Hi,

How does QuickSight currently or when will QuickSight support Snowflake’s upcoming changes to how service users for tools like QuickSight authenticate with Snowflake?

Later this year Snowflake will require users of type "service" to use key/value authentication instead of the less secure username/password. This type of Snowflake user is allowed to authenticate with key/value and does not require MFA. Currently our QuickSight <> Snowflake data sources use the original username/password authentication, which will become problematic soon if we cannot switch our auth to a Snowflake user that is type=service.

Based on Snowflake’s reported timelines, November will be when Snowflake will require key/value auth for service users.

Does QuickSight currently support key/value auth for a Snowflake data source? If not, when will this be supported this year, prior to November?

Hi @bkasen,
Here's an article to explore for potential workarounds; let me know if this helps for your case or if you have any additional questions:

Hi @Brett
I have been able to create the Security Integration in our Snowflake account.
I am able to use the client_id and client_secret from this integration.
So, with this command SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('QUICKSIGHT_OAUTH') I am able to get the values of the following variables:

  1. OAUTH_CLIENT_ID -
  2. OAUTH_REDIRECT_URI - https://signin.aws.amazon.com/oauth
  3. OAUTH_AUTHORIZATION_ENDPOINT - https://account-name.snowflakecomputing.com/oauth/authorize
  4. OAUTH_TOKEN_ENDPOINT - https://account-name.snowflakecomputing.com/oauth/token-request

I URL encoded OAUTH_CLIENT_ID and OAUTH_REDIRECT_URI

prepared the Authorization URL -

https://account-name.snowflakecomputing.com/oauth/authorize?response_type=code&client_id=<url_encoded_OAUTH_CLIENT_ID>&redirect_uri=https%3A%2F%2Fsignin.aws.amazon.com%2Foauth

POST request to the above URL with the username and pwd of the Quicksight User created in Snowflake.

After successful authentication, the redirect_uri showed up with a code like this

used that code to generate an access token using

curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--user "<OAUTH_CLIENT_ID not encoded>:<OAUTH_CLIENT_SECRET>" \
--data-urlencode "grant_type=authorization_code" \
--data-urlencode "code=<code>" \
--data-urlencode "redirect_uri=<OAUTH_REDIRECT_URI not encoded>" \
<OAUTH_TOKEN_ENDPOINT>

I can confirm I am able to use the refresh token in the response to generate new access_tokens and use it in snowsql like -
snowsql -a <account-name> -u quicksightuser --rolename <role-name> --authenticator oauth --token "<access_token>"

I guess the next step is to be able to pass these values in the CreateDataSource API payload, right? The documentation I am following is this -

Here are my input parameters -

  1. DataSourceParameters -
{
  "SnowflakeParameters": {
    "Host": "accountname.snowflakecomputing.com",
    "Database": "db_name",
    "Warehouse": "wh_name",
    "AuthenticationType": "TOKEN",
    "OAuthParameters": {
      "TokenProviderUrl": "https://account-name.snowflakecomputing.com/oauth/token-request"
    }
  }
}
  2. Credentials - This is the secret ARN; the QuickSight service role has been granted access to read this Secret. (The Secret contains the username of the QuickSight user, client_id and client_secret, as advised here.)
{
  "SecretArn": "arn:aws:secretsmanager:region:account-id:secret:Snowflake-NonProd-C9sZBF"
}
  3. API call

aws quicksight create-data-source --aws-account-id account-id --data-source-id "snowflake-oauth" --name "Snowflake-Oauth-test" --type "SNOWFLAKE" --data-source-parameters file://data-source-parameters.json --credentials file://credentials.json

  4. I see this error when I try to describe the data-source
{
    "Status": 200,
    "DataSource": {
        "Arn": "arn:aws:quicksight:region:id:datasource/snowflake-oauth",
        "DataSourceId": "snowflake-oauth",
        "Name": "Snowflake-Oauth-test",
        "Type": "SNOWFLAKE",
        "Status": "CREATION_FAILED",
        "CreatedTime": "2025-04-04T16:15:00.258000+05:30",
        "LastUpdatedTime": "2025-04-04T16:15:01.767000+05:30",
        "DataSourceParameters": {
            "SnowflakeParameters": {
                "Host": "redacted",
                "Database": "redacted",
                "Warehouse": "redacted",
                "AuthenticationType": "TOKEN",
                "DatabaseAccessControlRole": "redacted",
                "OAuthParameters": {
                    "TokenProviderUrl": "https://accountname.snowflakecomputing.com/oauth/token"
                }
            }
        },
        "SslProperties": {
            "DisableSsl": false
        },
        "ErrorInfo": {
            "Type": "GENERIC_SQL_FAILURE",
            "Message": "A JSONObject text must begin with '{' at 1 [character 2 line 1]"
        },
        "SecretArn": "arn:aws:secretsmanager:region:id:secret:Snowflake-NonProd"
    },
    "RequestId": ""
}

I must be missing some values in the CreateDataSource API call, like the OAuthParameters etc.

Please advise!
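As an added example (not code from the post, QuickSight or Snowflake), a Python pre-flight check for the two inputs the post assembles: it rejects a Secrets Manager SecretString that is not a JSON object (the shape behind the "A JSONObject text must begin with '{'" error above) and builds the CreateDataSource body while refusing a TokenProviderUrl that disagrees with the OAUTH_TOKEN_ENDPOINT reported by SYSTEM$SHOW_OAUTH_CLIENT_SECRETS. The required key names (username, client_id, client_secret) are assumed from the post; confirm them against the QuickSight documentation.

```python
import json

# Keys the post says were stored in the secret (assumed; verify against the QuickSight docs).
REQUIRED_SECRET_KEYS = ("username", "client_id", "client_secret")


def check_secret_string(secret_string, required=REQUIRED_SECRET_KEYS):
    """Return the problems found in a SecretString; an empty list means the
    payload is a JSON object carrying every required, non-empty key."""
    problems = []
    stripped = secret_string.lstrip("\ufeff \t\r\n")
    # Plaintext secrets like "user:password" yield the post's "must begin with '{'" error.
    if not stripped.startswith("{"):
        return ["secret is not a JSON object (must begin with '{')"]
    try:
        data = json.loads(stripped)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc.msg}"]
    for key in required:
        if key not in data:
            problems.append(f"missing key: {key}")
        elif not isinstance(data[key], str) or not data[key].strip():
            problems.append(f"empty or non-string value for key: {key}")
    return problems


def build_create_data_source(account_id, data_source_id, name, host, database,
                             warehouse, token_provider_url, secret_arn,
                             snowflake_token_endpoint=None):
    """Assemble the CreateDataSource request body shown in the post. When the
    OAUTH_TOKEN_ENDPOINT reported by SYSTEM$SHOW_OAUTH_CLIENT_SECRETS is
    supplied, refuse to build a request whose TokenProviderUrl differs."""
    if snowflake_token_endpoint and token_provider_url != snowflake_token_endpoint:
        raise ValueError(f"TokenProviderUrl {token_provider_url!r} differs from "
                         f"Snowflake's OAUTH_TOKEN_ENDPOINT {snowflake_token_endpoint!r}")
    return {
        "AwsAccountId": account_id, "DataSourceId": data_source_id, "Name": name,
        "Type": "SNOWFLAKE",
        "DataSourceParameters": {"SnowflakeParameters": {
            "Host": host, "Database": database, "Warehouse": warehouse,
            "AuthenticationType": "TOKEN",
            "OAuthParameters": {"TokenProviderUrl": token_provider_url}}},
        "Credentials": {"SecretArn": secret_arn},
    }


if __name__ == "__main__":
    # Constructed sample: the kind of plaintext value that triggers the error.
    print(check_secret_string("quicksightuser:hunter2"))
```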

Hi @Abhra,
Apologies for missing your last response. I have seen a couple of similar community posts regarding Snowflake support and authentication; it seems to be a larger issue for many. I would suggest creating a support ticket so that you can get more direct, personalized assistance from the AWS team!

Hi @Abhra,
Following up here as it's been a while since we last heard from you; did you have any additional questions regarding your post?

If we do not hear back within the next 3 business days, I’ll close out this topic.

Thank you!

Hi @Abhra,
Since we have not heard back, I’ll go ahead and close out this topic. However, if you have any additional questions, feel free to create a new post in the community and link this discussion for relevant information if needed.

Thank you!