Configuring OAuth authentication for Google Cloud Platform (GCP)¶
About customer-provided OAuth client authentication¶
An application that authenticates to Google using OAuth 2.0 must provide two objects in GCP:
OAuth consent screen that tells users who is requesting access to their data and what kind of data users are allowing your application to access.
OAuth Client ID used to authenticate an application to Google. It is necessary when you want to access resources owned by your end user.
You must provide your own OAuth consent screen and client ID to authenticate.
To provide the OAuth consent screen and OAuth client ID, you must first create a Google Cloud Platform (GCP) project. Refer to the GCP documentation for information on creating GCP projects.
If possible, create an OAuth consent screen in a GCP project that belongs to an organization. Ensure that the connector users are members of the same organization.
If your project does not belong to an organization, you must renew authentication every seven days.
Configuring the OAuth consent screen¶
To configure the OAuth Consent Screen, do the following:
To open the OAuth consent screen creator, select APIs & Services » OAuth consent screen in your GCP project.
Select the user type.
You can select the Internal user type only if the GCP project belongs to an organization and the connector users are members of the same organization.
The External user type causes the authentication to expire in seven days. If you choose this type, you need to renew authentication weekly.
Provide the following information:
App name: Snowflake Connector for Google Analytics Aggregate Data
User support email: your email address
Developer contact information: your email address
Select Save and continue.
Select Add or remove scopes » Manually add scopes. Copy the following address:
To add the scopes, paste address in a dialog and select Add to table.
For External user type:
Select Test users » Add users.
Enter the email addresses of users that are allowed to use the connector.
To finish configuration, select Save and continue » Back to dashboard.
Configuring the OAuth client ID¶
To configure the OAuth Client ID, do the following:
To open the OAuth consent screen creator, select APIs & Services » Credentials in your GCP project.
Select Create credentials » OAuth client ID.
In the Application type dropdown list, select Web application.
In the Name box, enter the following name: Snowflake Connector for Google Analytics Aggregate Data ID.
Select Authorized redirect URIs » Add URI.
Now you will need the redirect URL that is displayed in the user interface of the connector. Go to the Snowsight and start Snowflake Connector for Google Analytics Aggregate Data configuration wizard. Go to the third step of the connector configuration: Authenticate Google Cloud Platform. Copy the value from the Redirect URL section.
Go back to the GCP interface, and paste the value to the URI box.
Copy the Your Client ID and Your Client Secret values.
Paste the values into the corresponding boxes in the Snowflake Connector for Google Analytics Aggregate Data interface.
Select Sign in.
Preventing session expiration for OAuth consent screen¶
To prevent session expiration for OAuth Consent Screen, do the following:
In the Google Admin Console menu, select Security » Access and data control » Google Cloud session control.
In the Reauthentication policy section, select the Exempt Trusted apps checkbox.
In the Google Admin Console menu, select Security » API Controls » App Access Control.
In the Configured apps section, select Add app » OAuth App Name Or Client ID.
Copy the client ID created in Configuring the OAuth Client ID, and paste it into the box.
Select Snowflake Connector for Google Analytics Aggregate Data application name.
Select the created OAuth Client ID checkbox, and click Select.
In the Scope section, select All users.
In the Access to Google Data section, select Trusted.
On the Review screen, select Finish.