Merge pull request #215966 from jess-hu-340/1026-update-OAuth-Basic

prmerger-automator[bot] · web-flow · commit f9bc3ff843f3 · 2022-11-15T07:11:56.000Z
[New feature] Add OAuth2 authentication to Snowflake
diff --git a/articles/data-factory/connector-snowflake.md b/articles/data-factory/connector-snowflake.md
@@ -8,7 +8,7 @@ ms.service: data-factory
 ms.subservice: data-movement
 ms.topic: conceptual
 ms.custom: synapse
-ms.date: 08/24/2022
+ms.date: 10/26/2022
 ---
 
 # Copy and transform data in Snowflake using Azure Data Factory or Azure Synapse Analytics
@@ -85,12 +85,22 @@ The following sections provide details about properties that define entities spe
 
 ## Linked service properties
 
-The following properties are supported for a Snowflake-linked service.
+This Snowflake connector supports the following authentication types. See the corresponding sections for details. 
+
+ 
+
+- [Basic authentication](#basic-authentication)
+- [OAuth authentication](#oauth-authentication) 
+
+### Basic authentication 
+
+The following properties are supported for a Snowflake linked service when using **Basic** authentication. 
 
 | Property         | Description                                                  | Required |
 | :--------------- | :----------------------------------------------------------- | :------- |
 | type             | The type property must be set to **Snowflake**.              | Yes      |
-| connectionString | Specifies the information needed to connect to the Snowflake instance. You can choose to put password or entire connection string in Azure Key Vault. Refer to the examples below the table, as well as the [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md) article, for more details.<br><br>Some typical settings:<br>- **Account name:** The  [full account name](https://docs.snowflake.net/manuals/user-guide/connecting.html#your-snowflake-account-name) of your Snowflake account (including additional segments that identify the region and cloud platform), e.g. xy12345.east-us-2.azure.<br/>- **User name:** The login name of the user for the connection.<br>- **Password:** The password for the user.<br>- **Database:** The default database to use once connected. It should be an existing database for which the specified role has privileges.<br>- **Warehouse:** The virtual warehouse to use once connected. It should be an existing warehouse for which the specified role has privileges.<br>- **Role:** The default access control role to use in the Snowflake session. The specified role should be an existing role that has already been assigned to the specified user. The default role is PUBLIC. | Yes      |
+| connectionString | Specifies the information needed to connect to the Snowflake instance. You can choose to put password or entire connection string in Azure Key Vault. Refer to the examples below the table, and the [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md) article, for more details.<br><br>Some typical settings:<br>- **Account name:** The  [full account name](https://docs.snowflake.net/manuals/user-guide/connecting.html#your-snowflake-account-name) of your Snowflake account (including additional segments that identify the region and cloud platform), e.g. xy12345.east-us-2.azure.<br/>- **User name:** The login name of the user for the connection.<br>- **Password:** The password for the user.<br>- **Database:** The default database to use once connected. It should be an existing database for which the specified role has privileges.<br>- **Warehouse:** The virtual warehouse to use once connected. It should be an existing warehouse for which the specified role has privileges.<br>- **Role:** The default access control role to use in the Snowflake session. The specified role should be an existing role that has already been assigned to the specified user. The default role is PUBLIC. | Yes      |
+| authenticationType  | Set this property to **Basic**. | Yes    | 
 | connectVia       | The [integration runtime](concepts-integration-runtime.md) that is used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime (if your data store is located in a private network). If not specified, it uses the default Azure integration runtime. | No       |
 
 **Example:**
@@ -101,6 +111,7 @@ The following properties are supported for a Snowflake-linked service.
     "properties": {
         "type": "Snowflake",
         "typeProperties": {
+            "authenticationType": "Basic",
             "connectionString": "jdbc:snowflake://<accountname>.snowflakecomputing.com/?user=<username>&password=<password>&db=<database>&warehouse=<warehouse>&role=<myRole>"
         },
         "connectVia": {
@@ -119,6 +130,7 @@ The following properties are supported for a Snowflake-linked service.
     "properties": {
         "type": "Snowflake",
         "typeProperties": {
+            "authenticationType": "Basic",
             "connectionString": "jdbc:snowflake://<accountname>.snowflakecomputing.com/?user=<username>&db=<database>&warehouse=<warehouse>&role=<myRole>",
             "password": {
                 "type": "AzureKeyVaultSecret",
@@ -137,6 +149,68 @@ The following properties are supported for a Snowflake-linked service.
 }
 ```
 
+### OAuth authentication 
+
+The following properties are supported for a Snowflake linked service when using **OAuth** authenticaition. 
+
+| Property         | Description                                                  | Required | 
+| :--------------- | :----------------------------------------------------------- | :------- | 
+| type             | The type property must be set to **Snowflake**.              | Yes      | 
+| connectionString | Specifies the information needed to connect to the Snowflake instance. You can choose to put password or entire connection string in Azure Key Vault. Refer to the examples below the table, as well as the [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md) article, for more details.<br><br>Some typical settings:<br>- **Account name:** The  [full account name](https://docs.snowflake.net/manuals/user-guide/connecting.html#your-snowflake-account-name) of your Snowflake account (including additional segments that identify the region and cloud platform), e.g. xy12345.east-us-2.Azure.<br/>- **User name:** The login name of the user for the connection.<br>- **Database:** The default database to use once connected. It should be an existing database for which the specified role has privileges.<br>- **Warehouse:** The virtual warehouse to use once connected. It should be an existing warehouse for which the specified role has privileges.<br>- **Role:** The default access control role to use in the Snowflake session. The specified role should be an existing role that has already been assigned to the specified user. The default role is PUBLIC. | Yes      | 
+| authenticationType | Set this property to **Oauth**.<br>It supports External OAuth for Microsoft Azure AD. To learn more about this, see this [article](https://docs.snowflake.com/en/user-guide/oauth-ext-overview.html).| Yes      | 
+| oauthTokenEndpoint        | The Azure AD OAuth token endpoint. Sample: `https://login.microsoftonline.com/<tenant ID>/discovery/v2.0/keys`  | Yes       | 
+| clientId  | The application client ID supplied by Azure AD . | Yes      | 
+| clientSecret  | The client secret corresponds to the client ID.  | Yes      | 
+| oauthUserName  | The name of the Azure user.  | Yes      | 
+| oauthPassword   | The password for the Azure user. | Yes      | 
+| scope   | The OAuth scope. Sample: `api://<application (client) ID>/session:scope:MYROLE` | Yes      |
+| connectVia       | The [integration runtime](concepts-integration-runtime.md) that is used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime (if your data store is located in a private network). If not specified, it uses the default Azure integration runtime. | No       |
+
+**Example:** 
+
+```json 
+{ 
+    "name": "SnowflakeLinkedService", 
+    "type": "Microsoft.DataFactory/factories/linkedservices", 
+    "properties": { 
+        "annotations": [], 
+        "type": "Snowflake", 
+        "typeProperties": { 
+            "connectionString": "jdbc:snowflake://<accountname>.snowflakecomputing.com/?user=<username>&db=<database>&warehouse=<warehouse>&role=<myRole>", 
+            "authenticationType": "Oauth", 
+            "oauthTokenEndpoint": "https://login.microsoftonline.com/<tenant ID>/discovery/v2.0/keys", 
+            "clientId": "<client Id>", 
+            "clientSecret": { 
+                "type": "AzureKeyVaultSecret", 
+                "store": { 
+                    "referenceName": "<Azure Key Vault linked service name>", 
+                    "type": "LinkedServiceReference" 
+                }, 
+                "secretName": "<secret name>", 
+            }, 
+            "oauthUserName": "<user name>", 
+            "oauthPassword": { 
+                "type": "AzureKeyVaultSecret", 
+                "store": { 
+                    "referenceName": "<Azure Key Vault linked service name>", 
+                    "type": "LinkedServiceReference" 
+                }, 
+                "secretName": "<secret name>", 
+            }, 
+            "scope": "api://<application (client) ID>/session:scope:MYROLE", 
+        }, 
+        "connectVia": { 
+            "referenceName": "<name of Integration Runtime>", 
+            "type": "IntegrationRuntimeReference" 
+        } 
+    } 
+} 
+
+``` 
+
+>[!Note] 
+>Currently, the OAuth authentication is not supported in mapping data flow and script activity. 
+
 ## Dataset properties
 
 For a full list of sections and properties available for defining datasets, see the [Datasets](concepts-datasets-linked-services.md) article. 
