Unknown's avatar Pete 3:43 am on April 24, 2025  

Rotating Client Secrets

Rotating Snowflake OAuth Client Secrets: Why and How

If you’re using OAuth to connect applications to Snowflake, you’re likely storing a client ID and secret in your app or a secure store. But here’s the kicker—OAuth secrets aren’t forever. Whether it’s a security best practice or a compliance mandate, rotating these secrets regularly is essential.

In this post, I’ll walk you through why rotating Snowflake OAuth client secrets matters and how to do it without causing downtime or breaking your integration.

Why Rotate OAuth Secrets?

OAuth secrets are like passwords for applications. If compromised, attackers can impersonate your app. Common reasons to rotate:

  • Secrets are long-lived and may have leaked.
  • You’re transferring ownership of the app.
  • Compliance requires periodic rotation (ISO 27001, SOC2, etc.).
  • You want to tighten the blast radius of any potential breach.

Where OAuth Secrets Live in Snowflake

When you register an OAuth integration in Snowflake, you use a SQL command like:

CREATE SECURITY INTEGRATION my_oauth_integration
  TYPE=OAUTH
  ENABLED=TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE='CONFIDENTIAL'
  OAUTH_CLIENT_SECRET='your-secret-here'
  ...

That OAUTH_CLIENT_SECRET is stored inside Snowflake and used during token validation. You can update it anytime using ALTER SECURITY INTEGRATION.

Rotation Strategy: Dual Phase

Here’s a safe process to rotate the OAuth secret without downtime:

Step 1: Generate a New Secret

Use your IdP (e.g., Okta, Azure AD, Ping) or OAuth provider to generate a new client secret. Make sure the new one doesn’t override the old one just yet—many providers support multiple active secrets.

Step 2: Update the Snowflake Integration

Run:

ALTER SECURITY INTEGRATION my_oauth_integration
  SET OAUTH_CLIENT_SECRET = 'new-secret';

Tip: Do this before expiring the old secret at your IdP.

Step 3: Update Client Applications

Update your apps or middleware to use the new client secret. This may involve:

  • Updating secrets in a vault (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
  • Redeploying apps that store secrets in environment variables

Step 4: Remove the Old Secret from the IdP

Once everything is working and tokens are being issued with the new secret, revoke the old secret from your OAuth provider.

Automate It

If you’re using infrastructure-as-code or secret rotation tools, consider automating the process:

  • Use a CI/CD pipeline with secure variables
  • Trigger secret regeneration from your IdP API
  • Use Vault’s dynamic secrets or Secrets Manager rotation logic
StepAction
1Generate new client secret
2Update Snowflake integration
3Update applications to use new secret
4Revoke the old secret from your IdP

.