Access Snowflake data using OAuth-based authentication in Amazon SageMaker Data Wrangler
AWS Machine Learning Blog
In this post, we show how to configure a new OAuth-based authentication feature for using Snowflake in Amazon SageMaker Data Wrangler. Snowflake is a cloud data platform that provides data solutions for data warehousing to data science. Snowflake is an AWS Partner with multiple AWS accreditations, including AWS competencies in machine learning (ML), retail, and data and analytics.
Data Wrangler simplifies the data preparation and feature engineering process, reducing the time it takes from weeks to minutes by providing a single visual interface for data scientists to select and clean data, create features, and automate data preparation in ML workflows without writing any code. You can import data from multiple data sources, such as Amazon Simple Storage Service (Amazon S3), Amazon Athena, Amazon Redshift, Amazon EMR, and Snowflake. With this new feature, you can use your own identity provider (IdP) such as Okta, Azure AD, or Ping Federate to connect to Snowflake via Data Wrangler.
Solution overview
In the following sections, we provide steps for an administrator to set up the IdP, Snowflake, and Studio. We also detail the steps that data scientists can take to configure the data flow, analyze the data quality, and add data transformations. Finally, we show how to export the data flow and train a model using SageMaker Autopilot.
Prerequisites
For this walkthrough, you should have the following prerequisites:
For admin:
A Snowflake user with permissions to create storage integrations, and security integrations in Snowflake.
An AWS account with permissions to create AWS Identity and Access Management (IAM) policies and roles.
Access and permissions to configure IDP to register Data Wrangler application and set up the authorization server or API.
For data scientist:
An S3 bucket that Data Wrangler can use to output transformed data.
Access to Amazon SageMaker, an instance of Amazon SageMaker Studio, and a user for Studio. For more information about prerequisites, see Get Started with Data Wrangler.
An IAM role used for Studio with permissions to create and update secrets in AWS Secrets Manager.
Administrator setup
Instead of having your users directly enter their Snowflake credentials into Data Wrangler, you can have them use an IdP to access Snowflake.
The following steps are involved to enable Data Wrangler OAuth access to Snowflake:
Configure the IdP.
Configure Snowflake.
Configure SageMaker Studio.
Configure the IdP
To set up your IdP, you must register the Data Wrangler application and set up your authorization server or API.
Register the Data Wrangler application within the IdP
Refer to the following documentation for the IdPs that Data Wrangler supports:
Azure AD
Okta
Ping Federate
Use the documentation provided by your IdP to register your Data Wrangler application. The information and procedures in this section help you understand how to properly use the documentation provided by your IdP.
Specific customizations in addition to the steps in the respective guides are called out in the subsections.
Select the configuration that starts the process of registering Data Wrangler as an application.
Provide the users within the IdP access to Data Wrangler.
Enable OAuth client authentication by storing the client credentials as a Secrets Manager secret.
Specify a redirect URL using the following format: https://domain-ID.studio.AWS Region.sagemaker.aws/jupyter/default/lab.
You’re specifying the SageMaker domain ID and AWS Region that you’re using to run Data Wrangler. You must register a URL for each domain and Region where you’re running Data Wrangler. Users from a domain and Region that don’t have redirect URLs set up for them won’t be able to authenticate with the IdP to access the Snowflake connection.
Make sure the authorization code and refresh token grant types are allowed for your Data Wrangler application.
Set up the authorization server or API within the IdP
Within your IdP, you must set up an authorization server or an application programming interface (API). For each user, the authorization server or the API sends tokens to Data Wrangler with Snowflake as the audience.
Snowflake uses the concept of roles that are distinct from IAM roles used in AWS. You must configure the IdP to use ANY Role to use the default role associated with the Snowflake account. For example, if a user has systems administrator as the default role in their Snowflake profile, the connection from Data Wrangler to Snowflake uses systems administrator as the role.
Use the following procedure to set up the authorization server or API within your IdP:
From your IdP, begin the process of setting up the server or API.
Configure the authorization server to use the authorization code and refresh token grant types.
Specify the lifetime of the access token.
Set the refresh token idle timeout.
The idle timeout is the time that the refresh token expires if it’s not used. If you’re scheduling jobs in Data Wrangler, we recommend making the idle timeout time greater than the frequency of the processing job. Otherwise, some processing jobs might fail because the refresh token expired before they could run. When the refresh token expires, the user must re-authenticate by accessing the connection that they’ve made to Snowflake through Data Wrangler.
Note that Data Wrangler doesn’t support rotating refresh tokens. Using rotating refresh tokens might result in access failures or users needing to log in frequently.
If the refresh token expires, your users must reauthenticate by accessing the connection that they’ve made to Snowflake through Data Wrangler.
Specify session:role-any as the new scope.
For Azure AD, you must also specify a unique identifier for the scope.
After you’ve set up the OAuth provider, you provide Data Wrangler with the information it needs to connect to the provider. You can use the documentation from your IdP to get values for the following fields:
Token URL – The URL of the token that the IdP sends to Data Wrangler
Authorization URL – The URL of the authorization server of the IdP
Client ID – The ID of the IdP
Client secret – The secret that only the authorization server or API recognizes
OAuth scope – This is for Azure AD only
Configure Snowflake
To configure Snowflake, complete the instructions in Import data from Snowflake.
Use the Snowflake documentation for your IdP to set up an external OAuth integration in Snowflake. See the previous section Register the Data Wrangler application within the IdP for more information on how to set up an external OAuth integration.
When you’re setting up the security integration in Snowflake, make sure you activate external_oauth_any_role_mode.
Configure SageMaker Studio
You store the fields and values in a Secrets Manager secret and add it to the Studio Lifecycle Configuration that you’re using for Data Wrangler. A Lifecycle Configuration is a shell script that automatically loads the credentials stored in the secret when the user logs into Studio. For information about creating secrets, see Move hardcoded secrets to AWS Secrets Manager. For information about using Lifecycle Configurations in Studio, see Use Lifecycle Configurations with Amazon SageMaker Studio.
Create a secret for Snowflake credentials
To create your secret for Snowflake credentials, complete the following steps:
On the Secrets Manager console, choose Store a new secret.
For Secret type, select Other type of secret.
Specify the details of your secret as key-value pairs.
Key names require lowercase letters due to case sensitivity. Data Wrangler gives a warning if you enter any of these incorrectly. Input the secret values as key-value pairs Key/value if you’d like, or use the Plaintext option.
The following is the format of the secret used for Okta. If you are using Azure AD, you need to add the datasource_oauth_scope field.
{
“token_url”:”https://identityprovider.com/oauth2/example-portion-of-URL-path/v2/token”,
“client_id”:”example-client-id”,
“client_secret”:”example-client-secretsovfDSUoOKAiLe4V6DiZrCLpW44x”,
“identity_provider”:”OKTA”|”AZURE_AD”|”PING_FEDERATE”,
“authorization_url”:”https://identityprovider.com/oauth2/example-portion-of-URL-path/v2/authorize”
}
Update the preceding values with your choice of IdP and information gathered after application registration.
Choose Next.
For Secret name, add the prefix AmazonSageMaker (for example, our secret is AmazonSageMaker-DataWranglerSnowflakeCreds).
In the Tags section, add a tag with the key SageMaker and value true.
Choose Next.
The rest of the fields are optional; choose Next until you have the option to choose Store to store the secret.
After you store the secret, you’re returned to the Secrets Manager console.
Choose the secret you just created, then retrieve the secret ARN.
Store this in your preferred text editor for use later when you create the Data Wrangler data source.
Create a Studio Lifecycle Configuration
To create a Lifecycle Configuration in Studio, complete the following steps:
On the SageMaker console, choose Lifecycle configurations in the navigation pane.
Choose Create configuration.
Choose Jupyter server app.
Create a new lifecycle configuration or append an existing one with the following content:
#!/bin/bash
set -eux
## Script Body
cat > ~/.snowflake_identity_provider_oauth_config
Go to Source
29/03/2023 – 10:42 /Ajjay Govindaram
Twitter: @hoffeldtcom
You May Also Like
Transform customer engagement with no-code LLM fine-tuning using Amazon SageMaker Canvas and SageMaker JumpStart
Unleashing the power of generative AI: Verisk’s journey to an Instant Insight Engine for enhanced customer support
How Dialog Axiata used Amazon SageMaker to scale ML models in production with AI Factory and reduced customer churn within 3 months
Boost employee productivity with automated meeting summaries using Amazon Transcribe, Amazon SageMaker, and LLMs from Hugging Face
How Veritone uses Amazon Bedrock, Amazon Rekognition, Amazon Transcribe, and information retrieval to update their video search pipeline
AWS Inferentia and AWS Trainium deliver lowest cost to deploy Llama 3 models in Amazon SageMaker JumpStart
Revolutionize Customer Satisfaction with tailored reward models for your business on Amazon SageMaker
Get started with Amazon Titan Text Embeddings V2: A new state-of-the-art embeddings model on Amazon Bedrock
Improving inclusion and accessibility through automated document translation with an open source app using Amazon Translate
Build private and secure enterprise generative AI apps with Amazon Q Business and AWS IAM Identity Center
Enhance customer service efficiency with AI-powered summarization using Amazon Transcribe Call Analytics
Accelerate software development and leverage your business data with generative AI assistance from Amazon Q
Amazon Q Business and Amazon Q in QuickSight empowers employees to be more data-driven and make better, faster decisions using company knowledge
Significant new capabilities make it easier to use Amazon Bedrock to build and scale generative AI applications – and achieve impressive results
Talk to your slide deck using multimodal foundation models hosted on Amazon Bedrock and Amazon SageMaker – Part 2
Use Kubernetes Operators for new inference capabilities in Amazon SageMaker that reduce LLM deployment costs by 50% on average
Live Meeting Assistant with Amazon Transcribe, Amazon Bedrock, and Knowledge Bases for Amazon Bedrock
Distributed training and efficient scaling with the Amazon SageMaker Model Parallel and Data Parallel Libraries
Knowledge Bases for Amazon Bedrock now supports custom prompts for the RetrieveAndGenerate API and configuration of the maximum number of retrieved results
Understanding and predicting urban heat islands at Gramener using Amazon SageMaker geospatial capabilities
Nielsen Sports sees 75% cost reduction in video analysis with Amazon SageMaker multi-model endpoints
Build a contextual text and image search engine for product recommendations using Amazon Bedrock and Amazon OpenSearch Serverless
Provide live agent assistance for your chatbot users with Amazon Lex and Talkdesk cloud contact center
Second round of seed grants awarded to MIT scholars studying the impact and applications of generative AI
Optimize price-performance of LLM inference on NVIDIA GPUs using the Amazon SageMaker integration with NVIDIA NIM Microservices
Set up cross-account Amazon S3 access for Amazon SageMaker notebooks in VPC-only mode using Amazon S3 Access Points
Build a robust text-to-SQL solution generating complex queries, self-correcting, and querying diverse data sources
Announcing support for Llama 2 and Mistral models and streaming responses in Amazon SageMaker Canvas
How HSR.health is limiting risks of disease spillover from animals to humans using Amazon SageMaker geospatial capabilities
Reduce inference time for BERT models using neural architecture search and SageMaker Automated Model Tuning
Build generative AI agents with Amazon Bedrock, Amazon DynamoDB, Amazon Kendra, Amazon Lex, and LangChain
Driving advanced analytics outcomes at scale using Amazon SageMaker powered PwC’s Machine Learning Ops Accelerator
Boost productivity on Amazon SageMaker Studio: Introducing JupyterLab Spaces and generative AI tools
Mitigate hallucinations through Retrieval Augmented Generation using Pinecone vector database & Llama-2 from Amazon SageMaker JumpStart
How Q4 Inc. used Amazon Bedrock, RAG, and SQLDatabaseChain to address numerical and structured dataset challenges building their Q&A chatbot
Package and deploy classical ML and LLMs easily with Amazon SageMaker, part 2: Interactive User Experiences in SageMaker Studio
How SnapLogic built a text-to-pipeline application with Amazon Bedrock to translate business intent into action
Amazon EC2 DL2q instance for cost-efficient, high-performance AI inference is now generally available
Build a contextual chatbot for financial services using Amazon SageMaker JumpStart, Llama 2 and Amazon OpenSearch Serverless with Vector Engine
Amazon Textract’s new Layout feature introduces efficiencies in general purpose and generative AI document processing tasks
Use Amazon SageMaker Studio to build a RAG question answering solution with Llama 2, LangChain, and Pinecone for fast experimentation
Retrieval-Augmented Generation with LangChain, Amazon SageMaker JumpStart, and MongoDB Atlas semantic search
Philips accelerates development of AI-enabled healthcare solutions with an MLOps platform built on Amazon SageMaker
Principal Financial Group uses AWS Post Call Analytics solution to extract omnichannel customer insights
Explore advanced techniques for hyperparameter optimization with Amazon SageMaker Automatic Model Tuning
Promote pipelines in a multi-environment setup using Amazon SageMaker Model Registry, HashiCorp Terraform, GitHub, and Jenkins CI/CD
Harnessing the power of enterprise data with generative AI: Insights from Amazon Kendra, LangChain, and large language models
How Reveal’s Logikcull used Amazon Comprehend to detect and redact PII from legal documents at scale
Schneider Electric leverages Retrieval Augmented LLMs on SageMaker to ensure real-time updates in their ERP systems
Empower your business users to extract insights from company documents using Amazon SageMaker Canvas Generative AI
T-Mobile US, Inc. uses artificial intelligence through Amazon Transcribe and Amazon Translate to deliver voicemail in the language of their customers’ choice
Announcing Rekogniton Custom Moderation: Enhance accuracy of pre-trained Rekognition moderation models with your data
Optimize pet profiles for Purina’s Petfinder application using Amazon Rekognition Custom Labels and AWS Step Functions
Use no-code machine learning to derive insights from product reviews using Amazon SageMaker Canvas sentiment analysis and text analysis models
Build a crop segmentation machine learning model with Planet data and Amazon SageMaker geospatial capabilities
Speed up your time series forecasting by up to 50 percent with Amazon SageMaker Canvas UI and AutoML APIs
Best practices and design patterns for building machine learning workflows with Amazon SageMaker Pipelines
Optimize deployment cost of Amazon SageMaker JumpStart foundation models with Amazon SageMaker asynchronous endpoints
MLOps for batch inference with model monitoring and retraining using Amazon SageMaker, HashiCorp Terraform, and GitLab CI/CD
Announcing the Preview of Amazon SageMaker Profiler: Track and visualize detailed hardware performance data for your model training workloads
How Thomson Reuters developed Open Arena, an enterprise-grade large language model playground, in under 6 weeks
How Amazon Shopping uses Amazon Rekognition Content Moderation to review harmful images in product reviews
Build production-ready generative AI applications for enterprise search using Haystack pipelines and Amazon SageMaker JumpStart with LLMs
Deploy thousands of model ensembles with Amazon SageMaker multi-model endpoints on GPU to minimize your hosting costs
Use the Amazon SageMaker and Salesforce Data Cloud integration to power your Salesforce apps with AI/ML
Accelerate business outcomes with 70% performance improvements to data processing, training, and inference with Amazon SageMaker Canvas
Build and train computer vision models to detect car positions in images using Amazon SageMaker and Amazon Rekognition
Automate caption creation and search for images at enterprise scale using generative AI and Amazon Kendra
Unlocking creativity: How generative AI and Amazon SageMaker help businesses produce ad creatives for marketing campaigns with AWS
AWS offers new artificial intelligence, machine learning, and generative AI guides to plan your AI strategy
Democratize computer vision defect detection for manufacturing quality using no-code machine learning with Amazon SageMaker Canvas
Capture public health insights more quickly with no-code machine learning using Amazon SageMaker Canvas
Accelerate time to business insights with the Amazon SageMaker Data Wrangler direct connection to Snowflake
Deploy a serverless ML inference endpoint of large language models using FastAPI, AWS Lambda, and AWS CDK
Exploring Generative AI in conversational experiences: An Introduction with Amazon Lex, Langchain, and SageMaker Jumpstart
Technology Innovation Institute trains the state-of-the-art Falcon LLM 40B foundation model on Amazon SageMaker
Amazon SageMaker Automatic Model Tuning now automatically chooses tuning configurations to improve usability and cost efficiency
Accelerate your learning towards AWS Certification exams with automated quiz generation using Amazon SageMaker foundations models
Analyze Amazon SageMaker spend and determine cost optimization opportunities based on usage, Part 5: Hosting
Create high-quality images with Stable Diffusion models and deploy them cost-efficiently with Amazon SageMaker
How OCX Cognition reduced ML model development time from weeks to days and model update time from days to real time using AWS Step Functions and Amazon SageMaker
Accelerate machine learning time to value with Amazon SageMaker JumpStart and PwC’s MLOps accelerator
Build a serverless meeting summarization backend with large language models on Amazon SageMaker JumpStart
Prepare training and validation dataset for facies classification using Snowflake integration and train using Amazon SageMaker Canvas
GPT-NeoXT-Chat-Base-20B foundation model for chatbot applications is now available on Amazon SageMaker
AI-powered code suggestions and security scans in Amazon SageMaker notebooks using Amazon CodeWhisperer and Amazon CodeGuru
Operationalize ML models built in Amazon SageMaker Canvas to production using the Amazon SageMaker Model Registry
Publish predictive dashboards in Amazon QuickSight using ML predictions from Amazon SageMaker Canvas
Schedule your notebooks from any JupyterLab environment using the Amazon SageMaker JupyterLab extension
Achieve high performance with lowest cost for generative AI inference using AWS Inferentia2 and AWS Trainium on Amazon SageMaker
Quickly build high-accuracy Generative AI applications on enterprise data using Amazon Kendra, LangChain, and large language models
Question answering using Retrieval Augmented Generation with foundation models in Amazon SageMaker JumpStart
Use streaming ingestion with Amazon SageMaker Feature Store and Amazon MSK to make ML-backed decisions in near-real time
Financial text generation using a domain-adapted fine-tuned large language model in Amazon SageMaker JumpStart
Generate actionable insights for predictive maintenance management with Amazon Monitron and Amazon Kinesis
Generate a counterfactual analysis of corn response to nitrogen with Amazon SageMaker JumpStart solutions
Reduce call hold time and improve customer experience with self-service virtual agents using Amazon Connect and Amazon Lex
Bundesliga Match Fact Keeper Efficiency: Comparing keepers’ performances objectively using machine learning on AWS
HAYAT HOLDING uses Amazon SageMaker to increase product quality and optimize manufacturing output, saving $300,000 annually
CMU Researchers Introduce Zeno: A Framework for Behavioral Evaluation of Machine Learning (ML) Models
How the UNDP Independent Evaluation Office is using AWS AI/ML services to enhance the use of evaluation to support progress toward the Sustainable Development Goals
Databricks Open-Sources Dolly: A ChatGPT like Generative AI Model that is Easier and Faster to Train
Can Artificial Intelligence Match Human Creativity? A New Study Compares The Generation Of Original Ideas Between Humans and Generative Artificial Intelligence Chatbots