From 7742fc7e319521054012f5f39de849648a71190a Mon Sep 17 00:00:00 2001
From: Matt Shaver <60105315+matthewshaver@users.noreply.github.com>
Date: Mon, 30 Sep 2024 13:23:06 -0400
Subject: [PATCH] Editorial fixes
---
.../cloud/manage-access/external-oauth.md | 138 ++++++++++--------
1 file changed, 74 insertions(+), 64 deletions(-)
diff --git a/website/docs/docs/cloud/manage-access/external-oauth.md b/website/docs/docs/cloud/manage-access/external-oauth.md
index 1920eaddcbf..16534516f3f 100644
--- a/website/docs/docs/cloud/manage-access/external-oauth.md
+++ b/website/docs/docs/cloud/manage-access/external-oauth.md
@@ -60,35 +60,35 @@ Select a supported identity provider (IdP) for instructions on configuring exter
### 1. Initialize the dbt Cloud settings
-1. In your dbt Cloud account, navigate to **Account settings** —> **Integrations**.
+1. In your dbt Cloud account, navigate to **Account settings** —> **Integrations**.
2. Scroll down to **Custom integrations** and click **Add integrations**
-3. Leave this window open. You can set the **Integration type** to Okta and make a note of the **Redirect URI** at the bottom of the page. Copy this to your clipboard for use in the next steps.
+3. Leave this window open. You can set the **Integration type** to Okta and note the **Redirect URI** at the bottom of the page. Copy this to your clipboard for use in the next steps.
### 2. Create the Okta app
-1. From the Okta dashboard, expand the **Applications** section and click **Applications.** Click the **Create app integration** button.
+1. Expand the **Applications** section from the Okta dashboard and click **Applications.** Click the **Create app integration** button.
2. Select **OIDC** as the sign-in method and **Web applications** as the application type. Click **Next**.
-3. Give the application an appropriate name, something like “External Oauth app for dbt Cloud” that will make it easily identifiable.
+3. Give the application an appropriate name, something like “External Oauth app for dbt Cloud,” that will make it easily identifiable.
4. In the **Grant type** section, enable the **Refresh token** option.
-5. Scroll down to the **Sign-in redirect URIs** option. Here, you’ll need to paste the redirect URI you gathered from dbt Cloud in step 1.3.
+5. Scroll down to the **Sign-in redirect URIs** option. You’ll need to paste the redirect URI you gathered from dbt Cloud in step 1.3.
-
+
-6. Save the app configuration. You’ll come back to it, but for now move on to the next steps.
+6. Save the app configuration. You’ll come back to it, but move on to the next steps for now.
### 3. Create the Okta API
-1. From the Okta sidebar menu, expand the **Security** section and clicl **API**.
-2. On the API screen, click **Add authorization server**. Give the authorizations server a name (a nickname for your Snowflake account would be appropriate). For the **Audience** field, copy and paste your Snowflake login URL (for example, https://abdc-ef1234.snowflakecomputing.com). Give the server an appropriate description and click **Save**.
+1. Expand the **Security** section and click **API** from the Okta sidebar menu.
+2. On the API screen, click **Add authorization server**. Give the authorization server a name (a nickname for your Snowflake account would be appropriate). For the **Audience** field, copy and paste your Snowflake login URL (for example, https://abdc-ef1234.snowflakecomputing.com). Give the server an appropriate description and click **Save**.
-3. On the authorization server config screen, open the **Metadata URI** in a new tab. You’ll need information from this screen in later steps.
+3. On the authorization server config screen, open the **Metadata URI** in a new tab. You’ll need information from this screen in later steps.
@@ -98,7 +98,7 @@ Select a supported identity provider (IdP) for instructions on configuring exter
-5. Open the **Access policies** tab and click **Add policy**. Give the policy a **Name** and **Description** and set **Assign to** as **The following clients**. Start typing the name of the app you created in step 2.3 and you’ll see it autofill. Select the app and click **Create Policy**.
+5. Open the **Access policies** tab and click **Add policy**. Give the policy a **Name** and **Description** and set **Assign to** as **The following clients**. Start typing the name of the app you created in step 2.3, and you’ll see it autofill. Select the app and click **Create Policy**.
@@ -106,13 +106,13 @@ Select a supported identity provider (IdP) for instructions on configuring exter
-7. Give the rule a descriptive name and scroll down to **token lifetimes**. Configure the **Access token lifetime is**, **Refresh token lifetime is**, and **but will expire if not used every** settings according to your organizational policies. We recommend the defaults of 1 hour and 90 days. Stricter rules increases the odds of your users having to re-authenticate.
+7. Give the rule a descriptive name and scroll down to **token lifetimes**. Configure the **Access token lifetime is**, **Refresh token lifetime is**, and **but will expire if not used every** settings according to your organizational policies. We recommend the defaults of 1 hour and 90 days. Stricter rules increase the odds of your users having to re-authenticate.
8. Navigate back to the **Settings** tab and leave it open in your browser. You’ll need some of the information in later steps.
-### 4. Create the Oauth settings in Snowflake
+### 4. Create the OAuth settings in Snowflake
1. Open up a Snowflake worksheet and copy/paste the following:
@@ -131,9 +131,9 @@ external_oauth_any_role_mode = 'ENABLE'
```
-2. Change `your_integration_name` to something appropriately descriptive. For example, `dev_OktaAccountNumber_okta`. Copy the `external_oauth_issuer` and `external_oauth_jws_keys_url` from the metadate URI in step 3.3. Use the same Snowflake URL that you entered in step 3.2 as the `external_oauth_audience_list`.
+2. Change `your_integration_name` to something appropriately descriptive. For example, `dev_OktaAccountNumber_okta`. Copy the `external_oauth_issuer` and `external_oauth_jws_keys_url` from the metadata URI in step 3.3. Use the same Snowflake URL you entered in step 3.2 as the `external_oauth_audience_list`.
-Adjust the other settings as needed to meet your organizations configurations in Okta and Snowflake.
+Adjust the other settings as needed to meet your organization's configurations in Okta and Snowflake.
@@ -141,27 +141,33 @@ Adjust the other settings as needed to meet your organizations configurations in
### 5. Configuring the integration in dbt Cloud
-1. Navigate back to the dbt Cloud **Account settings** —> **Integrations** page you were on at the beginning. It’s time to start filling out all of the fields.
- 1. `Integration name`: Give the integration a descriptive name that includes identifying information about the Okta environment so future users won’t have to guess where it belongs.
- 2. `Client ID` and `Client secrets`: Retrieve these from the Okta application page.
-
- 3. Authorize URL and Token URL: Found in the metadata URI.
-
+1. Navigate back to the dbt Cloud **Account settings** —> **Integrations** page you were on at the beginning. It’s time to start filling out all of the fields.
+ 1. `Integration name`: Give the integration a descriptive name that includes identifying information about the Okta environment so future users won’t have to guess where it belongs.
+ 2. `Client ID` and `Client secrets`: Retrieve these from the Okta application page.
+
+ 3. Authorize URL and Token URL: Found in the metadata URI.
+
2. **Save** the configuration
+
### 6. Create a new connection in dbt Cloud
-1. Navigate the **Account settings** and click **Connections** from the menu. Click **Add connection**.
-2. Configure the `Account`, `Database`, and `Warehouse` as you normally would and for the `Oauth method` select the external Oauth you just created.
+
+1. Navigate the **Account settings** and click **Connections** from the menu. Click **Add connection**.
+2. Configure the `Account`, `Database`, and `Warehouse` as you normally would, and for the `Oauth method`, select the external OAuth you just created.
+
+
3. Scroll down to the **External Oauth** configurations box and select the config from the list.
+
-4. **Save** the connection and you have now configured External Oauth with Okta and Snowflake!
+
+4. **Save** the connection, and you have now configured External Oauth with Okta and Snowflake!
@@ -169,13 +175,13 @@ Adjust the other settings as needed to meet your organizations configurations in
### 1. Initialize the dbt Cloud settings
-1. In your dbt Cloud account, navigate to **Account settings** —> **Integrations**.
+1. In your dbt Cloud account, navigate to **Account settings** —> **Integrations**.
2. Scroll down to **Custom integrations** and click **Add integrations**.
-3. Leave this window open. You can set the **Integration type** to Entra ID and make a note of the **Redirect URI** at the bottom of the page. Copy this to your clipboard for use in the next steps.
+3. Leave this window open. You can set the **Integration type** to Entra ID and note the **Redirect URI** at the bottom of the page. Copy this to your clipboard for use in the next steps.
### Entra ID
-You’ll create two different `apps` in the Azure portal — A resource server and a client app.
+You’ll create two apps in the Azure portal: A resource server and a client app.
:::important
@@ -190,70 +196,74 @@ In your Azure portal, open the **Entra ID** and click **App registrations** from
### 1. Create a resource server
1. From the app registrations screen, click **New registration**.
- 1. Give the app a name.
- 2. Ensure **Supported account types** are set to “Accounts in this organizational directory only (`Org name` - Single Tenant).”
- 3. Click **Register** and you will be taken to the apps overview.
+ 1. Give the app a name.
+ 2. Ensure **Supported account types** are set to “Accounts in this organizational directory only (`Org name` - Single Tenant).”
+ 3. Click **Register**to see the application’s overview.
2. From the app overview page, click **Expose an API** from the left menu.
-3. Click **Add** next to **Application ID URI**. The field will automatically populate. Click **Save**.
-4. Record the `value` field as it will be used in a future step. *This is only displayed once. Be sure to record it immediately. It will be hidden when you leave the page and come back.*
+3. Click **Add** next to **Application ID URI**. The field will automatically populate. Click **Save**.
+4. Record the `value` field for use in a future step. _This is only displayed once. Be sure to record it immediately. Microsoft hides the field when you leave the page and come back._
5. From the same screen, click **Add scope**.
- 1. Give the scope a name.
- 2. Set “Who can consent?” to **Admins and users**.
- 3. Set **Admin consent display name** session:role-any and give it a description.
- 4. Ensure **State** is set to **Enabled**.
- 5. Click **Add scope**.
+ 1. Give the scope a name.
+ 2. Set “Who can consent?” to **Admins and users**.
+ 3. Set **Admin consent display name** session:role-any and give it a description.
+ 4. Ensure **State** is set to **Enabled**.
+ 5. Click **Add scope**.
### 2. Create a client app
1. From the **App registration page**, click **New registration**.
- 1. Give the app a name that uniquely identifies it as the client app.
- 2. Ensure **Supported account types** are set to “Accounts in this organizational directory only (`Org name` - Single Tenant).”
- 3. Set the **Redirect URI** to **Web** and copy/paste the **Redirect URI** from dbt Cloud into the field.
- 4. Click **Register**.
+ 1. Give the app a name that uniquely identifies it as the client app.
+ 2. Ensure **Supported account types** are set to “Accounts in this organizational directory only (`Org name` - Single Tenant).”
+ 3. Set the **Redirect URI** to **Web** and copy/paste the **Redirect URI** from dbt Cloud into the field.
+ 4. Click **Register**.
2. From the app overview page, click **API permissions** from the left menu, and click **Add permission**.
3. From the pop-out screen, click **APIs my organization uses**, search for the resource server name from the previous steps, and click it.
4. Ensure the box for the **Permissions** `session:role-any` is enabled and click **Add permissions**.
5. Click **Grant admin consent** and from the popup modal click **Yes**.
-6. From the left menu, click **Certificates and secrets** and cllick **New client secret**. Name the secret, set an expiration, and click **Add**.
-**Note**: Microsoft does not allow “forever” as an expiration. The maximum time is two years. It’s essential to document the expiration date so that the secret can be refreshed before the expiration or user authorization will fail.
-7. Record the `value` for use in a future step and record it immediately.
-**Note**: This value will not be displayed again once you navigate away from this screen.
+6. From the left menu, click **Certificates and secrets** and click **New client secret**. Name the secret, set an expiration, and click **Add**.
+**Note**: Microsoft does not allow “forever” as an expiration date. The maximum time is two years. Documenting the expiration date so you can refresh the secret before the expiration or user authorization fails is essential.
+7. Record the `value` for use in a future step and record it immediately.
+**Note**: Entra ID will not display this value again once you navigate away from this screen.
### 3. Snowflake configuration
-You'll be switching between the Entra ID site and Snowflake. Keep your Entra ID account open for this process.
+You'll be switching between the Entra ID site and Snowflake. Keep your Entra ID account open for this process.
Copy and paste the following as a template in a Snowflake worksheet:
```sql
+
create or replace security integration
- type = external_oauth
- enabled = true
- external_oauth_type = azure
- external_oauth_issuer = ''
- external_oauth_jws_keys_url = ''
- external_oauth_audience_list = ('')
- external_oauth_token_user_mapping_claim = 'upn'
- external_oauth_any_role_mode = 'ENABLE'
- external_oauth_snowflake_user_mapping_attribute = 'login_name';
+ type = external_oauth
+ enabled = true
+ external_oauth_type = azure
+ external_oauth_issuer = ''
+ external_oauth_jws_keys_url = ''
+ external_oauth_audience_list = ('')
+ external_oauth_token_user_mapping_claim = 'upn'
+ external_oauth_any_role_mode = 'ENABLE'
+ external_oauth_snowflake_user_mapping_attribute = 'login_name';
+
```
+
On the Entra ID site:
-1. From the Client ID app in Entra ID, click **Endpoints** and open the **Federation metadata document** in a new tab.
- - The **entity ID** on this page maps to the `external_oauth_issuer` field in the Snowflake config.
+1. From the Client ID
+app in Entra ID, click **Endpoints** and open the **Federation metadata document** in a new tab.
+ - The **entity ID** on this page maps to the `external_oauth_issuer` field in the Snowflake config.
2. Back on the list of endpoints, open the **OpenID Connect metadata document** in a new tab.
- - The **jwks_uri** field maps to the `external_oauth_jws_keys_url` field in Snowflake.
+ - The **jwks_uri** field maps to the `external_oauth_jws_keys_url` field in Snowflake.
3. Navigate to the resource server in previous steps.
- - The **Application ID URI** maps to teh `external_oauth_audience_list` field in Snowflake.
-4. Run the configurations. Be sure the admin who created the Microsoft apps is also a user in Snowflake, or the configuration will fail.
+ - The **Application ID URI** maps to teh `external_oauth_audience_list` field in Snowflake.
+4. Run the configurations. Be sure the admin who created the Microsoft apps is also a user in Snowflake, or the configuration will fail.
### 4. Configuring the integration in dbt Cloud
-1. Navigate back to the dbt Cloud **Account settings** —> **Integrations** page you were on at the beginning. It’s time to start filling out all of the fields. There will be some back-and-forth between the Entra ID account and dbt Cloud.
-2. `Integration name`: Give the integration a descriptive name that includes identifying information about the Entra ID environment so future users won’t have to guess where it belongs.
-3. `Client secrets`: These are found in the Client ID from the **Certificates and secrets** page. `Value` is the `Client secret` . Note that it only appears when created; if you return later, it will be hidden, and you must recreate the secret.
+1. Navigate back to the dbt Cloud **Account settings** —> **Integrations** page you were on at the beginning. It’s time to start filling out all of the fields. There will be some back-and-forth between the Entra ID account and dbt Cloud.
+2. `Integration name`: Give the integration a descriptive name that includes identifying information about the Entra ID environment so future users won’t have to guess where it belongs.
+3. `Client secrets`: Found in the Client ID from the **Certificates and secrets** page. `Value` is the `Client secret`. Note that it only appears when created; _Microsoft hides the secret if you return later, and you must recreate it._
4. `Client ID`: Copy the’ Application (client) ID’ on the overview page for the client ID app.
-5. `Authorization URL` and `Token URL`: From the client ID app, open the `Endpoints` tab. The `Oauth 2.0 authorization endpoint (v2)` and `Oauth 2.0 token endpoint (v2)` fields map to these. *You must use v2 of the `Oauth 2.0 authorization endpoint`. Do not use V1.* You can use either version of the `Oauth 2.0 token endpoint`.
+5. `Authorization URL` and `Token URL`: From the client ID app, open the `Endpoints` tab. These URLs map to the `Oauth 2.0 authorization endpoint (v2)` and `Oauth 2.0 token endpoint (v2)` fields. *You must use v2 of the `Oauth 2.0 authorization endpoint`. Do not use V1.* You can use either version of the `Oauth 2.0 token endpoint`.
6. `Application ID URI`: Copy the `Application ID URI` field from the resource server’s Overview screen.
\ No newline at end of file