
Tableau to Snowflake OAuth Security Setup

In this article we will explore setting up Tableau to Snowflake OAuth, when to use it, and how to embed your OAuth credentials. Historically, connecting Tableau to Snowflake was achieved with end-user passwords or with system users whose credentials could be embedded.

In 2025 you will be required to use a federated login via Okta, Key Pairs, or OAuth. In this article we will explore the Snowflake OAuth process.

When should you use Snowflake OAuth in Tableau?

While Snowflake OAuth works well for interactive logins, it’s not ideal for embedded credentials because:

User-Specific Tokens: If an OAuth token is revoked or changed, every connection that used that OAuth identity needs updating.

Token Expiration: OAuth tokens expire and need periodic re-authentication.

Setup Tableau Desktop and Server Snowflake OAuth Connectivity

Tableau is a partner app for Snowflake, so there are standard commands to allow Tableau Desktop, Server, and Cloud to connect.

Within Snowflake you will need AccountAdmin or SecurityAdmin permissions to add and execute the following SECURITY INTEGRATION code.

Tableau Desktop

CREATE SECURITY INTEGRATION td_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP;

Tableau Cloud / Server

CREATE SECURITY INTEGRATION ts_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER;

Create and Login a Snowflake Connection in Tableau

Add a new Snowflake connection or edit the authentication for an existing connection


Log in with your Snowflake credentials


Upon successful login and confirmation with multi-factor authentication, you will see a confirmation screen to confirm, and then, if successful, you will see the following screen:

If you see an error, please make sure to log in and not let too much time pass before taking each step, as the process will time out.

Publishing Workbook with Single User OAuth - Impersonation Mapping

First, we don’t recommend taking this approach for production or scaling it beyond a few users in the system. For production embedded credentials in enterprise-managed Tableau implementations, we recommend using Snowflake key pairs, which are now supported for Tableau.

There are many small and medium enterprises where analytics data is made available and access control is implemented within the BI platform. Impersonation mapping (embedding credentials in workbooks) is something that has happened for a long time and will be completely shut off by Snowflake (which may be how you discovered this article).

In those scenarios where you want to implement a Snowflake user to take on the role of a service account without actually being a Snowflake Service account, you can do the following:

Important note: If you have elevated permissions in Snowflake with read and write access and access to PII that is not masked (Snowflake masking policy), never use your elevated or admin credentials for impersonation mapping. Instead, create a person service account. If you don’t have a read-only reporting role, we recommend creating one and using the principle of least privilege to grant this role to the data assets needed for reporting.

CREATE OR REPLACE USER REPORTING_SVC_USER
  DEFAULT_ROLE = REPORTING
  DEFAULT_WAREHOUSE = REPORTING;
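
An added example (not from the original article) of the least-privilege setup the note above describes, applied to the REPORTING_SVC_USER created here. ANALYTICS_DB and its MARTS schema are assumed placeholder names for your reporting data; REPORTING, REPORTING_SVC_USER and ts_oauth_int1 are the names used in this article.

```sql
-- Assumption: ANALYTICS_DB.MARTS is a placeholder for the schema Tableau reads from.
USE ROLE SECURITYADMIN;

-- Read-only role used for embedded credentials.
CREATE ROLE IF NOT EXISTS REPORTING
  COMMENT = 'Read-only role for Tableau reporting';

-- Compute: USAGE lets the role run queries, but not resize or modify the warehouse.
GRANT USAGE ON WAREHOUSE REPORTING TO ROLE REPORTING;

-- Data: USAGE to reach the objects, SELECT only on the objects themselves.
GRANT USAGE ON DATABASE ANALYTICS_DB TO ROLE REPORTING;
GRANT USAGE ON SCHEMA ANALYTICS_DB.MARTS TO ROLE REPORTING;
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS_DB.MARTS TO ROLE REPORTING;
GRANT SELECT ON ALL VIEWS  IN SCHEMA ANALYTICS_DB.MARTS TO ROLE REPORTING;

-- Future grants keep new reporting objects readable without widening the role.
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS_DB.MARTS TO ROLE REPORTING;
GRANT SELECT ON FUTURE VIEWS  IN SCHEMA ANALYTICS_DB.MARTS TO ROLE REPORTING;

-- DEFAULT_ROLE on the user does not grant the role; this statement does.
GRANT ROLE REPORTING TO USER REPORTING_SVC_USER;

-- Optional hardening, run as the role that owns the integration:
-- stop anyone consenting to SYSADMIN through the Tableau Server integration.
ALTER SECURITY INTEGRATION ts_oauth_int1
  SET BLOCKED_ROLES_LIST = ('SYSADMIN');

-- Verify: the role should show only USAGE and SELECT privileges,
-- and the user should hold REPORTING and no elevated roles.
SHOW GRANTS TO ROLE REPORTING;
SHOW GRANTS TO USER REPORTING_SVC_USER;
DESCRIBE SECURITY INTEGRATION ts_oauth_int1;
```

Masking policies on PII columns still apply to this role, so review them separately if any masked columns live in the granted schema.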

If you attempt to set “embedded password” for an OAuth-connected Tableau report, you need to set your token on Tableau Server. You will see something like this:

Setup Snowflake OAuth Credentials on Tableau Cloud for

Setting up your Snowflake credentials on Tableau Cloud simplifies your login process and eliminates keeping track of basic connection strings when you are already authenticated to Tableau Server.

Open Tableau Server or Tableau Cloud

Click “My Account Settings”


Authenticate and grant access for Tableau to connect to Snowflake.


Your Snowflake instance is now enabled for you to author and embed credentials


Now, when you return to Tableau Desktop and enable embedded credentials, they will be embedded as your user.


Changing a Connection with Snowflake OAuth User to Existing Connection

If you have previously published a data source to Tableau Cloud that was set as user/pw, you cannot modify it to OAuth. Instead, you need to download the connection, adjust it, and re-publish.

If you open an existing data source, you can adjust it and add new connections. This is quite helpful for scenarios where employees are no longer working for your organization. This does create a lot of risk and work, which is why we recommend key pair authentication for embedded credentials.

