In this article we will explore setting up Tableau to Snowflake OAuth, when to user it, and how to embed your OAuth credentials. Connecting Tableau to Snowflake historically was achieved with end user passwords or system users where credentials could be embedded.
In 2025 you will be required to use a federated login via Okta, Key Pairs, or OAuth. In this article we will explore the Snowflake OAuth process.
When should you use Snowflake OAuth in Tableau?
While Snowlake OAuth works well for interactive logins, it’s not ideal for embedded credentials because:
User-Specific Tokens: If an OAuth token is revoked or changed, every connection that used that OAuth identity needs updating.
Token Expiration: OAuth tokens expire and need periodic re-authentication.
Setup Tableau Desktop and Server Snowflake OAuth Connectivity
Tableau is a partner app for Snowflake, so there are standard commands to allow Tableau desktop, server, and cloud to connect.
Within Snowflake you will need AccountAdmin or SecurityAdmin permissions to add and execute the following SECURITY INTEGRATION code.
Tableau Desktop
CREATE SECURITY INTEGRATION td_oauth_int1
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = TABLEAU_DESKTOP;Tableau Cloud / Server
CREATE SECURITY INTEGRATION ts_oauth_int1
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = TABLEAU_SERVER;Create and Login a Snowflake Connection in Tableau
Add a new Snowflake connection or edit the authentication for an existing connection
Login with your Snowflake credentials
Upon successful login and and confirmation with multi-factor authentication you will see a confirmation screen to confirm and then if successful you will see the following screen:
If you see an error, please make sure to login and not let too much time pass before taking each step as the process will time out.
Publishing Workbook with Single User Oauth- Impersonation Mapping
First, we don’t recommend taking this approach for production or scaling beyond a few users in the system. For production, embedded credentials for enterprise-managed Tableau implementations, we recommend using Snowflake key pairs which is now supported for Tableau.
There are many small and medium enterprises where analytics data is made available and access control is implemented within the BI platform. Impersonation mapping (embedding credentials in workbooks) is something that has happened for a long time and will be completely shut off by Snowflake (maybe how you discovered this article).
In those scenarios where you want to implement a Snowflake user to take on the role of a service account without actually being a Snowflake Service account, you can do the following:
Important note: If you have elevated permissions in Snowflake with read, write and access and access to PII that is not masked (Snowflake masking policy), never use your elevated or admin credentials for impersonation mapping. Instead, create a person service account. If you don’t have a read-only reporting role, we recommend creating one and use principle of least privilege to grant this role to the data assets needed for reporting.
CREATE OR REPLACE USER REPORTING_SVC_USER
DEFAULT_ROLE = REPORTING
DEFAULT_WAREHOUSE = REPORTINGIf you attempt to set “embedded password” for OAuth connected Tableau report, you need to set your token on Tableau server. You will see something like this:
Setup Snowflake OAuth Credentials on Tableau Cloud for
Setting up your Snowflake credentials on Tableau cloud simplifies your login process and eliminates keeping track of basic connection strings when you are already authenticated to Tableau server.
Open Tableau server or Tableau cloud
Click “My Account Settings”
Authenticate and grant access for Tableau to connect to Snowflake.
Your Snowflake instance is now enabled for you to author and embed credentials
Now, when you return to Tableau desktop, if you go to enable embedded credentials it will embed as your user.
Changing a Connection with Snowflake OAuth User to Existing Connection
If you have previously published a data source to Tableau cloud that was set as user/pw you can not modify it to OAuth. Instead you need to download the connection, adjust it and re-publish
If you open an existing data source you can adjust and add-new connections. This is quite helpful for scenarios where employees are no longer working for your organization. This does create a lot of risk and work, which is why we recommend key pair authentication for embedded credentials.
