This page provides a guide to Establishing a Connection to Snowflake in CData Cloud, as well as information on the available resources, and a reference to the available connection properties.

Connecting to Snowflake

Establishing a Connection shows how to authenticate to Snowflake and configure any necessary connection properties to create a database in CData Cloud

Accessing Data from CData Cloud Services

Accessing data from Snowflake through the available standard services and CData Cloud administration is documented in further details in the CData Cloud Documentation.

Connect to Snowflake by selecting the corresponding icon in the Database tab. Required properties are listed under Settings. The Advanced tab lists connection properties that are not typically required.

Connecting to Snowflake

In addition to providing authentication, set the following properties to connect to a Snowflake database:

• Url: Your Snowflake URL, such as https://orgname-myaccount.snowflakecomputing.com.
  • If using a Legacy URL: https://myaccount.region.snowflakecomputing.com
  • To find your URL:
    1. Click on your name in the lower left-hand corner of your Snowflake UI.
    2. Hover over your Account ID.
    3. Click the Copy Account URL icon to copy your account URL.
• Database (optional): Restrict the tables and views exposed by the Cloud to those from a specific Snowflake database.
• Schema (optional): Restrict the tables and views exposed by the Cloud to those from a specific Snowflake database schema.

Authenticating to Snowflake

The Cloud supports Snowflake user authentication, federated authentication, and SSL client authentication. To authenticate, set User and Password, and select the authentication method in the AuthScheme property.

Passwords

Set User and Password to a Snowflake user and set AuthScheme to PASSWORD.

Note: Starting with accounts created using Snowflake’s bundle 2024_08 (October 2024), password-based authentication is no longer supported due to security concerns. Instead, use alternative authentication methods such as OAuth or Private Key authentication.

Key Pairs

The Cloud allows you to authenticate using key pair authentication by creating a secure token with the private key defined for your user account. To connect with this method, set AuthScheme to PRIVATEKEY and set the following values:

• User: The user account to authenticate as.
• PrivateKey: The private key used for the user such as the path to the .pem file containing the private key.
• PrivateKeyType: The type of key store containing the private key such as PEMKEY_FILE, PFXFILE, etc.
• PrivateKeyPassword: The password for the specified private key.

Okta

Set the AuthScheme to OKTA. The following connection properties are used to connect to Okta:

• User: Set this to the Okta user.
• Password: Set this to Okta password for the user.
• MFAPasscode (optional): Set this to the OTP code that was sent to your device. This property should be used only when the MFA is required for OKTA sign on.

The following SSOProperties are needed to authenticate to Okta:

• Domain: Set this to the OKTA org domain name.
• MFAType (optional): Set this to the multi-factor type. This property should be used only when the MFA is required for OKTA sign on. This property accepts one of the following values:
  • OKTAVerify
  • Email
  • SMS
• APIToken (optional): Set this to the API Token that the customer created from the Okta organization. You should specify this when authenticating a user via a trusted application or proxy that overrides OKTA client request context. In most contexts, it is not needed.

The following is an example connection string:

AuthScheme=OKTA;User=username;Password=password;Url='https://myaccount.region.snowflakecomputing.com';Warehouse=My_warehouse;SSO Properties='Domain=https://cdata-okta.okta.com';

The following is an example connection string for OKTA MFA:

AuthScheme=OKTA;User=username;Password=password;MFAPasscode=8111461;Url='https://myaccount.region.snowflakecomputing.com';Warehouse=My_warehouse;SSO Properties='Domain=https://cdata-okta.okta.com;MFAType=OktaVerify;';

AzureAD

Set the AuthScheme to AzureAD and set User to your AD user. When connecting, your browser opens, allowing you to login to Azure AD to complete the authentication. The following is an example connection string for AzureAD:

AuthScheme=AzureAD;Url=https://myaccount.region.snowflakecomputing.com;[email protected];

PingFederate

Set the AuthScheme to PingFederate. Set the following connection properties to connect to PingFederate:

• User: Set this to your PingFederate user. You must also add the user to PingFederate Data Stores. When connecting, your browser opens allowing you to login to PingFederate to complete the authentication.
• Password: Set this to the user password.
• ProofKey (optional): You must specify this if you want to connect without using a browser. In a browser setting, this value is autogenerated.
• ExternalToken (optional): Required if you want to connect without a browser. In a browser setting, this value is autogenerated.

The following is an example connection string for PingFederate(Assuming that Active Directory is used as a Data Store):

AuthScheme=PingFederate;Url=https://myaccount.region.snowflakecomputing.com;User=myuser@mydomain;Account=myaccount;Warehouse=mywarehouse;

Using a Proof Key and External Token

Setting the AuthScheme to AzureAD or PingFederate involves the use of a Proof Key and an External Token. If you choose to complete authentication via an internet browser, these values are autogenerated and automatically included in the connection string that you use during the Snowflake log in process.

If you choose to connect by means other than via a browser, you must specify values for ProofKey and ExternalToken. In this case, follow the steps below to authenticate:

1. Create a local web server with a specified port, such as 8080.
2. Call the GetSSOAuthorizationURL stored procedure using your specified port. This procedure returns a login SSO URL.
3. Copy and paste the returned URL into a browser.
4. In the page that opens, enter your username and password.
5. After you log in, a callback URL is generated and sent to your local web server instance. This callback URL is in a specialized format. You need to write your own code to extract the External Token from the callback URL.

OAuth

To authenticate with OAuth, set the AuthScheme to OAuth. You can authenticate by Creating a Custom OAuth App to obtain the OAuthClientId, OAuthClientSecret, and CallbackURL connection properties.

NOTE: There is an additional connection property called OAuthAuthenticator. Its default value is Azure, but it can be set to None or OKTA. This property determines which authenticator that the OAuth application requests from Snowflake.

There is a distinction between setting the AuthScheme to AzureAD and setting the AuthScheme to OAuth and OAuthAuthenticator to Azure:

• AuthScheme=AzureAD: is a form SSO authentication which requires a browser, and from Snowflake's side, the security integration type is SAML2.
• AuthScheme=OAuth with OAuthAuthenticator=Azure: is a form of OAuth that does not require a browser. From Snowflake's side, the security integration type is "external_oauth".

Desktop Apps

This section describes desktop authentication using the credentials for your custom OAuth app. See Creating a Custom OAuth App for more information.

Get an OAuth Access Token

After setting the following, you are ready to connect:

• OAuthClientId: Set to the Client ID in your OAuth Integration settings.
• OAuthClientSecret: Set to the Client Secret in OAuth your Integration settings.
• CallbackURL: Set to the Redirect URL in your OAuth Integration settings.

When you connect, the Cloud opens the OAuth endpoint in your default browser. Log in and grant permissions to the application.

Manually Get an OAuth Access Token

Set the following connection properties to obtain the OAuthAccessToken:

• InitiateOAuth: Set to OFF.
• OAuthClientId: Set to the Client ID in your OAuth Integration settings.
• OAuthClientSecret: Set to the Client Secret in your OAuth Integration settings.

You can then call stored procedures to complete the OAuth exchange:

1. Call the GetOAuthAuthorizationUrl stored procedure. Set the CallbackURL input to the Redirect URI you specified in your app settings. The stored procedure returns the URL to the OAuth endpoint and the PKCEVerifier.
2. Open the URL, log in, and authorize the application. You are redirected back to the callback URL.
3. Call the GetOAuthAccessToken stored procedure. Set the CallbackURL input to the Redirect URI you specified in your app settings. Set the PKCEVerifier input to the value of the PKCEVerifier retrieved form the first step.

Headless Machines

To configure the driver to use OAuth with a user account on a headless machine, you need to authenticate on another device that has an internet browser.

1. Choose one of these two options:
   • Option 1: Obtain the OAuthVerifier value as described in "Obtain and Exchange a Verifier Code" below.
   • Option 2: Install the Cloud on another machine and transfer the OAuth authentication values after you authenticate through the usual browser-based flow, as described in "Transfer OAuth Settings" below.

2. Then configure the Cloud to automatically refresh the access token from the headless machine.

Option 1: Obtain and Exchange a Verifier Code

To obtain a verifier code, you must authenticate at the OAuth authorization URL.

See Creating a Custom OAuth App for a procedure. This section describes the procedure to authenticate and connect to data.

To obtain the verifier code, set the following properties on the headless machine:

• InitiateOAuth: Set to OFF.
• OAuthClientId: Set to the Client ID in your OAuth Integration settings.
• OAuthClientSecret: Set to the Client Secret in your OAuth Integration settings.

Next, authenticate from another machine and obtain the OAuthVerifier connection property:

1. Call the GetOAuthAuthorizationUrl stored procedure. Set the CallbackURL input to the Redirect URI you specified in your app settings. The stored procedure returns the URL to the OAuth endpoint and the PKCEVerifier.
2. Open the returned URL in a browser. Log in and grant permissions to the Cloud. You are then redirected to the callback URL, which contains the verifier code.
3. Save the value of the Verifier and the value of the PKCEVerifier. You need to set the value of the Verifier in the OAuthVerifier connection property and set the value of the PKCEVerifier in the PKCEVerifier connection property.

Finally, on the headless machine, set the following connection properties to obtain the OAuth authentication values:

• OAuthClientId: Set to the Client ID in your OAuth Integration settings.
• OAuthClientSecret: Set to the Client Secret in your OAuth Integration settings.
• OAuthVerifier: Set to the verifier code.
• PKCEVerifier: Set to the PKCE verifier code.
• OAuthSettingsLocation: Set to persist the encrypted OAuth authentication values to the specified location.
• InitiateOAuth: Set to REFRESH.

Connect to Data

After the OAuth settings file is generated, set the following properties to connect to data:

• OAuthSettingsLocation: Set to the location containing the encrypted OAuth authentication values. Make sure this location gives read and write permissions to the provider to enable the automatic refreshing of the access token.
• InitiateOAuth: Set to REFRESH.

Option 2: Transfer OAuth Settings

To install the Cloud on another machine, authenticate, and then transfer the resulting OAuth values:

1. On a second machine, install the Cloud and connect with the following properties set:
   • OAuthSettingsLocation: Set to a writable location.
   • OAuthClientId: Set to the Client ID in your app settings.
   • OAuthClientSecret: Set to the Client Secret in your app settings.
   • CallbackURL: Set to the Callback URL in your app settings.
2. Test the connection to authenticate. The resulting authentication values are written, encrypted, to the location specified by OAuthSettingsLocation. Once you have successfully tested the connection, copy the OAuth settings file to your headless machine. On the headless machine, set the following connection properties to connect to data:
   • InitiateOAuth: Set to REFRESH.
   • OAuthSettingsLocation: Set to the location of your OAuth settings file. Make sure this location gives read and write permissions to the Cloud to enable the automatic refreshing of the access token.

SAML Providers

The Cloud has generic support for SAML-based identity providers, such as OneLogin.

Set the AuthScheme to ExternalBrowser.

OneLogin

Set User to the Snowflake user you want to authenticate.

When you attempt a connection, the SAML provider will launch a login prompt in your default web browser.

Provide the credentials associated with your SAML provider to authenticate to Snowflake.

Configuring Access Control

If the authenticating user maps to a system-defined role, specify it in the RoleName property.

Customizing the SSL Configuration

By default, the Cloud attempts to negotiate TLS with the server. The server certificate is validated against the default system trusted certificate store. You can override how the certificate gets validated using the SSLServerCert connection property.

To specify another certificate, see the SSLServerCert connection property.

Connecting Through a Firewall or Proxy

HTTP Proxies

To authenticate to an HTTP proxy, set the following:

• ProxyServer: the hostname or IP address of the proxy server that you want to route HTTP traffic through.
• ProxyPort: the TCP port that the proxy server is running on.
• ProxyAuthScheme: the authentication method the Cloud uses when authenticating to the proxy server.
• ProxyUser: the username of a user account registered with the proxy server.
• ProxyPassword: the password associated with the ProxyUser.

Other Proxies

Set the following properties:

• To use a proxy-based firewall, set FirewallType, FirewallServer, and FirewallPort.
• To tunnel the connection, set FirewallType to TUNNEL.
• To authenticate, specify FirewallUser and FirewallPassword.
• To authenticate to a SOCKS proxy, additionally set FirewallType to SOCKS5.

The Cloud leverages the Snowflake API to enable bidirectional SQL access.

Discovering Schemas

The CData Cloud dynamically obtains the metadata as defined in Snowflake for the Warehouse, Database, and Schema specified. Database and Schema are both optional and restrict the tables and views to only the values you specify in each property.

Stored Procedures

Stored Procedures are functions for OAuth Authentication.

Stored procedures are function-like interfaces that extend the functionality of the Cloud beyond simple SELECT/INSERT/UPDATE/DELETE operations with Snowflake.

Stored procedures accept a list of parameters, perform their intended function, and then return any relevant response data from Snowflake, along with an indication of whether the procedure succeeded or failed.

CData Cloud - Snowflake Stored Procedures

Name	Description
GetSSOAuthorizationURL	Gets Browser-based SSO authorization URL. You can access the URL returned in the output in a Web browser. This requests the access token that is used as part of the connection string to Snowflake.

Gets Browser-based SSO authorization URL. You can access the URL returned in the output in a Web browser. This requests the access token that is used as part of the connection string to Snowflake.

Input

Name	Type	Required	Description
Port	String	False	The listening port of the callback url. The default value is 80.

Result Set Columns

Name	Type	Description
ProofKey	String
SSOURL	String
TokenURL	String

The connection string properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure in the connection string for this provider. Click the links for further details.

For more information on establishing a connection, see Establishing a Connection.

Authentication

---

Property	Description
AuthScheme	The authentication scheme used. Accepted entries are Password, OKTA, PrivateKey, AzureAD, AzureMSI, OAuth, PingFederate, or ExternalBrowser.
Account	The Account provided for authentication with Snowflake database. This is usually derived from the URL automatically.
Warehouse	The name of the Snowflake warehouse.
User	The username provided for authentication with the Snowflake database.
Password	The user's password.
URL	The URL of Snowflake database.
MFAPasscode	Specifies the passcode to use for multi-factor authentication.
RoleName	The role of the Snowflake user: PUBLIC, SYSADMIN, or ACCOUNTADMIN.

Connection

---

Property	Description
UseVirtualHosting	If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.

Azure Authentication

---

Property	Description
AzureTenant	Identifies the Snowflake tenant being used to access data, either by name (for example, contoso.omnicrosoft.com) or ID. (Conditional).

SSO

---

Property	Description
ProofKey	The ProofKey for authentication with Snowflake database. This is usually derived from GetSSOAuthorizationURL call.
ExternalToken	The External Token for authentication with the Snowflake database. This is usually derived from the external handler. For example, handle the callback URL from procedure GetSSOAuthorizationURL will get this token.
SSOProperties	Additional properties required to connect to the identity provider in a semicolon-separated list.

KeyPairAuth

---

Property	Description
PrivateKey	The private key provided for key pair authentication with Snowflake.
PrivateKeyPassword	The password for the private key specified in the PrivateKey property, if required.
PrivateKeyType	The type of key store containing the private key to use with key pair authentication.
PrivateKeySubject	The subject of the certificate containing the private key to use with key pair authentication.

OAuth

---

Property	Description
OAuthClientId	Specifies the client Id that was assigned the custom OAuth application was created. (Also known as the consumer key.) This ID registers the custom application with the OAuth authorization server.
OAuthClientSecret	Specifies the client secret that was assigned when the custom OAuth application was created. (Also known as the consumer secret ). This secret registers the custom application with the OAuth authorization server.
State	An optional value that has meaning for your OAuth App.
OAuthAuthenticator	This determines the authenticator that the OAuth application requests from Snowflake.
Scope	This determines the scopes that the OAuth application requests from Snowflake.
OAuthAuthorizationURL	The authorization URL for the OAuth service.
OAuthAccessTokenURL	The URL to retrieve the OAuth access token from.
PKCEVerifier	A random value used as input for calling GetOAuthAccessToken in the PKCE flow.

SSL

---

Property	Description
SSLServerCert	Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

Logging

---

Property	Description
Verbosity	Specifies the verbosity level of the log file, which controls the amount of detail logged. Supported values range from 1 to 5.

Schema

---

Property	Description
BrowsableSchemas	Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC .
Database	The name of the Snowflake database.
Schema	The schema of the Snowflake database.

Miscellaneous

---

Property	Description
AllowPreparedStatement	Prepare a query statement before its execution.
AllowUserVariables	When set to True, user variables (prefixed by an $) can be used in SQL queries.
ApplicationName	The application name connection string property expresses the HTTP User-Agent.
AsyncQueryTimeout	The timeout for asynchronous requests issued by the provider to download large result sets.
BatchMode	Allow specifying the batch mode. Default: Auto.
BindingType	Allow specifying the binding type for the Date, Time and Timestamp_* type.
CustomStage	The name of a custom stage to use during bulk write operations.
ExternalStageAWSAccessKey	Your AWS account access key. Only used when defining a CustomStage for bulk write operations.
ExternalStageAWSSecretKey	Your AWS account secret key. Only used when defining a CustomStage for bulk write operations.
ExternalStageAzureSASToken	The string value of the Azure Blob shared access signature.
IgnoreCase	Whether to ignore case in identifiers. Default: false.
MaxRows	Specifies the maximum rows returned for queries without aggregation or GROUP BY.
MaxThreads	Specifies the number of concurrent requests.
MergeDelete	A boolean indicating whether batch DELETE statements should be converted to MERGE statements automatically. Only used when the DELETE statement's where clause contains a table's primary key field only and they are combined with AND logical operator.
MergeInsert	A boolean indicating whether INSERT statements should be converted to MERGE statements automatically. Only used when the INSERT contains a table's primary key field.
MergeUpdate	A boolean indicating whether batch UPDATE statements should be converted to MERGE statements automatically. Only used when the UPDATE statement's where clause contains a table's primary key field only and they are combined with AND logical operator.
Pagesize	Specifies the maximum number of results to return from Snowflake, per page. This setting overrides the default page size set by the datasource, which is optimized for most use cases.
ReplaceInvalidUTF8Chars	Specifies whether to repalce invalid UTF8 characters with a '?'.
RetryOnS3Timeout	Whether or not to retry when network issues occur at during chunk downloading.
S3Domain	The URI of the S3 bucket you are using as your Snowflake S3 stage.
SessionIdleTimeout	The timeout minutes for Session, the values comes from Snowflake's session policy, which indicate the session policy parameter SESSION_IDLE_TIMEOUT_MINS. The default value is 240 minutes.
SessionParameters	The session parameters for Snowflake. For example: SessionParameters='QUERY_TAG=MyTag;QUOTED_IDENTIFIERS_IGNORE_CASE=True;';.
Timeout	Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout.

This section provides a complete list of the Authentication properties you can configure in the connection string for this provider.

---

Property	Description
AuthScheme	The authentication scheme used. Accepted entries are Password, OKTA, PrivateKey, AzureAD, AzureMSI, OAuth, PingFederate, or ExternalBrowser.
Account	The Account provided for authentication with Snowflake database. This is usually derived from the URL automatically.
Warehouse	The name of the Snowflake warehouse.
User	The username provided for authentication with the Snowflake database.
Password	The user's password.
URL	The URL of Snowflake database.
MFAPasscode	Specifies the passcode to use for multi-factor authentication.
RoleName	The role of the Snowflake user: PUBLIC, SYSADMIN, or ACCOUNTADMIN.

The authentication scheme used. Accepted entries are Password, OKTA, PrivateKey, AzureAD, AzureMSI, OAuth, PingFederate, or ExternalBrowser.

Possible Values

Password, OKTA, PrivateKey, OAuth, OAuthClient, PingFederate

Data Type

string

Default Value

"OAuth"

Remarks

The Cloud supports the following authentication mechanisms. See the Getting Started chapter for authentication guides.

• Password: Set this to authenticate with a Snowflake user.
• OKTA: Set this to use the OKTA SSO identity provider. Set SSOProperties in addition to the User and Password you use to authenticate to OKTA.
• AzureAD: Set this along with User to use the Azure Active Directory identity provider. When connecting, your browser will open allowing you to login to Azure AD to complete the authentication.
• AzureMSI: Set this along with AzureResource to use the Azure Managed Service Identity when running on an Azure VM.
• PingFederate: Set this along with User to use the PingFederate SSO identity provider. When connecting, your browser will open allowing you to login to PingFederate to complete the authentication.
• PrivateKey: Set this to use key pair authentication. Set PrivateKey, PrivateKeyPassword and PrivateKeyType in addition to authenticate with key pair authentication.
• OAuth: Set this to use oauth authentication. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH. Note that the CData driver always uses PKCE with OAuth for extra security.
• OAuthClient: Set this to use oauth authentication with the client grant type. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH.
• ExternalBrowser: Set this along with User to use the OneLogin SSO identity provider. When connecting, your browser will open and authentication will be completed automatically.

The Account provided for authentication with Snowflake database. This is usually derived from the URL automatically.

Data Type

string

Default Value

""

Remarks

The Account provided for authentication with the Snowflake database. Set this if your Snowflake database URL doesn't include the account name.

The name of the Snowflake warehouse.

Data Type

string

Default Value

""

Remarks

The name of the Snowflake warehouse.

The username provided for authentication with the Snowflake database.

Data Type

string

Default Value

""

Remarks

The username provided for authentication with the Snowflake database.

The user's password.

Data Type

string

Default Value

""

Remarks

The password provided for authentication with Snowflake.

The URL of Snowflake database.

Data Type

string

Default Value

""

Remarks

Set this property to the URL of the Snowflake database instance.

For example:

  https://orgname-myaccount.snowflakecomputing.com

To find your URL:

1. Click on your name in the lower left-hand corner of your Snowflake UI.
2. Hover over your Account ID.
3. Click the Copy Account URL icon to copy your account URL.

Specifies the passcode to use for multi-factor authentication.

Data Type

string

Default Value

""

Remarks

Specifies the passcode to use for multi-factor authentication.

The role of the Snowflake user: PUBLIC, SYSADMIN, or ACCOUNTADMIN.

Data Type

string

Default Value

""

Remarks

The role of the Snowflake user using the specified database. The defaults in Snowflake are: PUBLIC, SYSADMIN, or ACCOUNTADMIN. A custom role may also be specified.

This section provides a complete list of the Connection properties you can configure in the connection string for this provider.

---

Property	Description
UseVirtualHosting	If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.

If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.

Data Type

bool

Default Value

true

Remarks

If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.

This section provides a complete list of the Azure Authentication properties you can configure in the connection string for this provider.

---

Property	Description
AzureTenant	Identifies the Snowflake tenant being used to access data, either by name (for example, contoso.omnicrosoft.com) or ID. (Conditional).

Identifies the Snowflake tenant being used to access data, either by name (for example, contoso.omnicrosoft.com) or ID. (Conditional).

Data Type

string

Default Value

""

Remarks

A tenant is a digital representation of your organization, primarily associated with a domain (for example, microsoft.com). The tenant is managed through a Tenant ID (also known as the directory ID), which is specified whenever you assign users permissions to access or manage Azure resources.

To locate the directory ID in the Azure Portal, navigate to Azure Active Directory > Properties.

Specifying AzureTenant is required when AuthScheme = either AzureServicePrincipal or AzureServicePrincipalCert, or if AuthScheme = AzureAD and the user belongs to more than one tenant.

This section provides a complete list of the SSO properties you can configure in the connection string for this provider.

---

Property	Description
ProofKey	The ProofKey for authentication with Snowflake database. This is usually derived from GetSSOAuthorizationURL call.
ExternalToken	The External Token for authentication with the Snowflake database. This is usually derived from the external handler. For example, handle the callback URL from procedure GetSSOAuthorizationURL will get this token.
SSOProperties	Additional properties required to connect to the identity provider in a semicolon-separated list.

The ProofKey for authentication with Snowflake database. This is usually derived from GetSSOAuthorizationURL call.

Data Type

string

Default Value

""

Remarks

The External Token for authentication with the Snowflake database. This is usually derived from the external handler. For example, handle the callback URL from procedure GetSSOAuthorizationURL will get this token.

Data Type

string

Default Value

""

Remarks

Additional properties required to connect to the identity provider in a semicolon-separated list.

Data Type

string

Default Value

""

Remarks

Additional properties required to connect to the identity provider in a semicolon-separated list. The following sections provide examples using the Okta provider.

OKTA

• Domain is the Okta domain you are signing in with, for example: myorg.okta.com.
• APIToken is your Okta API token. In most cases it is unnecessary but can be provided if needed.

This section provides a complete list of the KeyPairAuth properties you can configure in the connection string for this provider.

---

Property	Description
PrivateKey	The private key provided for key pair authentication with Snowflake.
PrivateKeyPassword	The password for the private key specified in the PrivateKey property, if required.
PrivateKeyType	The type of key store containing the private key to use with key pair authentication.
PrivateKeySubject	The subject of the certificate containing the private key to use with key pair authentication.

The private key provided for key pair authentication with Snowflake.

Data Type

string

Default Value

""

Remarks

The path to the file containing the private key or the name of the certificate store for the client certificate. The PrivateKeyType field specifies the type of the certificate store specified by PrivateKey. If the store is password protected, specify the password in PrivateKeyPassword.

When the certificate store type is PEMKEY_FILE, PFXFILE, etc., this property must be set to the path to the file. When the type is PEMKEY_BLOB, PFXBLOB, etc., the property must be set to the binary contents of the file.

Designations of certificate stores are platform-dependent.

The following are designations of the most common User and Machine certificate stores in Windows:

MY	A certificate store holding personal certificates with their associated private keys.
CA	Certifying authority certificates.
ROOT	Root certificates.
SPC	Software publisher certificates.

In Java, the certificate store normally is a file containing certificates and optional private keys.

The password for the private key specified in the PrivateKey property, if required.

Data Type

string

Default Value

""

Remarks

The password for the private key specified in the PrivateKey property, if required.

The type of key store containing the private key to use with key pair authentication.

Possible Values

PFXBLOB, JKSBLOB, PEMKEY_BLOB, PUBLIC_KEY_BLOB, SSHPUBLIC_KEY_BLOB, XMLBLOB

Data Type

string

Default Value

"PEMKEY_BLOB"

Remarks

This property can take one of the following values:

USER - default	For Windows, this specifies that the certificate store is a certificate store owned by the current user. Note that this store type is not available in Java.
MACHINE	For Windows, this specifies that the certificate store is a machine store. Note that this store type is not available in Java.
PFXFILE	The certificate store is the name of a PFX (PKCS12) file containing certificates.
PFXBLOB	The certificate store is a string (base-64-encoded) representing a certificate store in PFX (PKCS12) format.
JKSFILE	The certificate store is the name of a Java key store (JKS) file containing certificates. Note that this store type is only available in Java.
JKSBLOB	The certificate store is a string (base-64-encoded) representing a certificate store in JKS format. Note that this store type is only available in Java.
PEMKEY_FILE	The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate.
PEMKEY_BLOB	The certificate store is a string (base64-encoded) that contains a private key and an optional certificate.
PUBLIC_KEY_FILE	The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate.
PUBLIC_KEY_BLOB	The certificate store is a string (base-64-encoded) that contains a PEM- or DER-encoded public key certificate.
SSHPUBLIC_KEY_FILE	The certificate store is the name of a file that contains an SSH-style public key.
SSHPUBLIC_KEY_BLOB	The certificate store is a string (base-64-encoded) that contains an SSH-style public key.
P7BFILE	The certificate store is the name of a PKCS7 file containing certificates.
PPKFILE	The certificate store is the name of a file that contains a PuTTY Private Key (PPK).
XMLFILE	The certificate store is the name of a file that contains a certificate in XML format.
XMLBLOB	The certificate store is a string that contains a certificate in XML format.

The subject of the certificate containing the private key to use with key pair authentication.

Data Type

string

Default Value

"*"

Remarks

When PrivateKeyType is set to "User" or "Machine", the subject of the certificate is necessary to retrieve the specified certificate.

This section provides a complete list of the OAuth properties you can configure in the connection string for this provider.

---

Property	Description
OAuthClientId	Specifies the client Id that was assigned the custom OAuth application was created. (Also known as the consumer key.) This ID registers the custom application with the OAuth authorization server.
OAuthClientSecret	Specifies the client secret that was assigned when the custom OAuth application was created. (Also known as the consumer secret ). This secret registers the custom application with the OAuth authorization server.
State	An optional value that has meaning for your OAuth App.
OAuthAuthenticator	This determines the authenticator that the OAuth application requests from Snowflake.
Scope	This determines the scopes that the OAuth application requests from Snowflake.
OAuthAuthorizationURL	The authorization URL for the OAuth service.
OAuthAccessTokenURL	The URL to retrieve the OAuth access token from.
PKCEVerifier	A random value used as input for calling GetOAuthAccessToken in the PKCE flow.

Specifies the client Id that was assigned the custom OAuth application was created. (Also known as the consumer key.) This ID registers the custom application with the OAuth authorization server.

Data Type

string

Default Value

""

Remarks

OAuthClientId is one of a handful of connection parameters that need to be set before users can authenticate via OAuth. For details, see Establishing a Connection.

Specifies the client secret that was assigned when the custom OAuth application was created. (Also known as the consumer secret ). This secret registers the custom application with the OAuth authorization server.

Data Type

string

Default Value

""

Remarks

OAuthClientSecret is one of a handful of connection parameters that need to be set before users can authenticate via OAuth. For details, see Establishing a Connection.

An optional value that has meaning for your OAuth App.

Data Type

string

Default Value

""

Remarks

Used in OAuth authentication: This is an optional value that has meaning for your OAuth App.

This determines the authenticator that the OAuth application requests from Snowflake.

Possible Values

None, Azure, OKTA, Other

Data Type

string

Default Value

"None"

Remarks

This determines the authenticator that the OAuth application requests from Snowflake.

This determines the scopes that the OAuth application requests from Snowflake.

Data Type

string

Default Value

""

Remarks

By default the Cloud will request that the user authorize all available scopes. If you want to override this, you can set this property to a space-separated list of OAuth scopes.

The authorization URL for the OAuth service.

Data Type

string

Default Value

""

Remarks

The authorization URL for the OAuth service. At this URL, the user logs into the server and grants permissions to the application. In OAuth 1.0, if permissions are granted, the request token is authorized.

The URL to retrieve the OAuth access token from.

Data Type

string

Default Value

""

Remarks

The URL to retrieve the OAuth access token from. In OAuth 1.0, the authorized request token is exchanged for the access token at this URL.

A random value used as input for calling GetOAuthAccessToken in the PKCE flow.

Data Type

string

Default Value

""

Remarks

This is usually derived from GetOAuthAuthorizationUrl call.

This section provides a complete list of the SSL properties you can configure in the connection string for this provider.

---

Property	Description
SSLServerCert	Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

Data Type

string

Default Value

""

Remarks

If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine is rejected.

This property can take the following forms:

Description	Example
A full PEM Certificate (example shortened for brevity)	-----BEGIN CERTIFICATE----- MIIChTCCAe4CAQAwDQYJKoZIhv......Qw== -----END CERTIFICATE-----
A path to a local file containing the certificate	C:\cert.cer
The public key (example shortened for brevity)	-----BEGIN RSA PUBLIC KEY----- MIGfMA0GCSq......AQAB -----END RSA PUBLIC KEY-----
The MD5 Thumbprint (hex values can also be either space or colon separated)	ecadbdda5a1529c58a1e9e09828d70e4
The SHA1 Thumbprint (hex values can also be either space or colon separated)	34a929226ae0819f2ec14b4a3d904f801cbb150d

If not specified, any certificate trusted by the machine is accepted.

Use '*' to signify to accept all certificates. Note that this is not recommended due to security concerns.

This section provides a complete list of the Logging properties you can configure in the connection string for this provider.

---

Property	Description
Verbosity	Specifies the verbosity level of the log file, which controls the amount of detail logged. Supported values range from 1 to 5.

Specifies the verbosity level of the log file, which controls the amount of detail logged. Supported values range from 1 to 5.

Data Type

string

Default Value

"1"

Remarks

This property defines the level of detail the Cloud includes in the log file. Higher verbosity levels increase the detail of the logged information, but may also result in larger log files and slower performance due to the additional data being captured.

The default verbosity level is 1, which is recommended for regular operation. Higher verbosity levels are primarily intended for debugging purposes. For more information on each level, refer to Logging.

When combined with the LogModules property, Verbosity can refine logging to specific categories of information.

This section provides a complete list of the Schema properties you can configure in the connection string for this provider.

---

Property	Description
BrowsableSchemas	Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC .
Database	The name of the Snowflake database.
Schema	The schema of the Snowflake database.

Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC .

Data Type

string

Default Value

""

Remarks

Listing all available database schemas can take extra time, thus degrading performance. Providing a list of schemas in the connection string saves time and improves performance.

The name of the Snowflake database.

Data Type

string

Default Value

""

Remarks

The name of the Snowflake database.

The schema of the Snowflake database.

Data Type

string

Default Value

""

Remarks

The schema of the Snowflake database.

This section provides a complete list of the Miscellaneous properties you can configure in the connection string for this provider.

---

Property	Description
AllowPreparedStatement	Prepare a query statement before its execution.
AllowUserVariables	When set to True, user variables (prefixed by an $) can be used in SQL queries.
ApplicationName	The application name connection string property expresses the HTTP User-Agent.
AsyncQueryTimeout	The timeout for asynchronous requests issued by the provider to download large result sets.
BatchMode	Allow specifying the batch mode. Default: Auto.
BindingType	Allow specifying the binding type for the Date, Time and Timestamp_* type.
CustomStage	The name of a custom stage to use during bulk write operations.
ExternalStageAWSAccessKey	Your AWS account access key. Only used when defining a CustomStage for bulk write operations.
ExternalStageAWSSecretKey	Your AWS account secret key. Only used when defining a CustomStage for bulk write operations.
ExternalStageAzureSASToken	The string value of the Azure Blob shared access signature.
IgnoreCase	Whether to ignore case in identifiers. Default: false.
MaxRows	Specifies the maximum rows returned for queries without aggregation or GROUP BY.
MaxThreads	Specifies the number of concurrent requests.
MergeDelete	A boolean indicating whether batch DELETE statements should be converted to MERGE statements automatically. Only used when the DELETE statement's where clause contains a table's primary key field only and they are combined with AND logical operator.
MergeInsert	A boolean indicating whether INSERT statements should be converted to MERGE statements automatically. Only used when the INSERT contains a table's primary key field.
MergeUpdate	A boolean indicating whether batch UPDATE statements should be converted to MERGE statements automatically. Only used when the UPDATE statement's where clause contains a table's primary key field only and they are combined with AND logical operator.
Pagesize	Specifies the maximum number of results to return from Snowflake, per page. This setting overrides the default page size set by the datasource, which is optimized for most use cases.
ReplaceInvalidUTF8Chars	Specifies whether to repalce invalid UTF8 characters with a '?'.
RetryOnS3Timeout	Whether or not to retry when network issues occur at during chunk downloading.
S3Domain	The URI of the S3 bucket you are using as your Snowflake S3 stage.
SessionIdleTimeout	The timeout minutes for Session, the values comes from Snowflake's session policy, which indicate the session policy parameter SESSION_IDLE_TIMEOUT_MINS. The default value is 240 minutes.
SessionParameters	The session parameters for Snowflake. For example: SessionParameters='QUERY_TAG=MyTag;QUOTED_IDENTIFIERS_IGNORE_CASE=True;';.
Timeout	Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout.

Prepare a query statement before its execution.

Data Type

bool

Default Value

false

Remarks

If the AllowPreparedStatement property is set to false, statements are parsed each time they are executed. Setting this property to false can be useful if you are executing many different queries only once.

If you are executing the same query repeatedly, you will generally see better performance by leaving this property at the default, true. Preparing the query avoids recompiling the same query over and over. However, prepared statements also require the Cloud to keep the connection active and open while the statement is prepared.

When set to True, user variables (prefixed by an $) can be used in SQL queries.

Data Type

bool

Default Value

false

Remarks

When set to True, user variables (prefixed by an $) can be used in SQL queries. The default behavior is to treat identifiers prefixed with $ as command parameters.

The application name connection string property expresses the HTTP User-Agent.

Data Type

string

Default Value

""

Remarks

The timeout for asynchronous requests issued by the provider to download large result sets.

Data Type

int

Default Value

300

Remarks

If the AsyncQueryTimeout property is set to 0, asynchronous operations will not time out; instead, they will run until they complete successfully or encounter an error condition. This property is distinct from Timeout which applies to individual HTTP operations while AsyncQueryTimeout applies to execution time of the operation as a whole.

If AsyncQueryTimeout expires and the asynchronous request has not finished being processed, the Cloud raises an error condition.

Allow specifying the batch mode. Default: Auto.

Possible Values

Auto, Binding, Upload

Data Type

string

Default Value

"Auto"

Remarks

There are two kinds of API for batch opearation: Binding API and Upload API.

• Auto: When the count of values is less than the session parameter "client_binding_threshold", using the Binding API. Or, using the Upload API.
• Binding: Using the Binding API.
• Upload: Using the Upload API.

Allow specifying the binding type for the Date, Time and Timestamp_* type.

Possible Values

DEFAULT, TEXT

Data Type

string

Default Value

"DEFAULT"

Remarks

There are two kinds of binding types: DEFAULT and TEXT.

• DEFAULT: Uses the binding type DATE for the Date type, TIME for the Time type, and TIMESTAMP_* for the Timestamp_* type. By default, the driver selects either the Binding API or Upload API based on the number of records, unless BatchMode is specified. The behavior for TIMESTAMP_* types is determined by the session parameter CLIENT_TIMESTAMP_TYPE_MAPPING. However, if the insert query is executed using the Upload API, this session parameter does not apply. As a result, timestamp values may vary when inserting different quantities of records.
• TEXT: Uses the binding type TEXT for Date, Time, and Timestamp_* types. This option ensures consistent timestamp values across both the Binding API and the Upload API, regardless of the number of inserted records.

The name of a custom stage to use during bulk write operations.

Data Type

string

Default Value

""

Remarks

The name of a custom stage to use during bulk write operations. This can be an internal or external stage. If the stage is external, the AWS or Azure credentials must be provided as well via the ExternalStageAWSAccessKey/ExternalStageAWSSecretKey or ExternalStageAzureAccessKey properties.

When the CustomStage property is left unspecified, the Cloud will generate a temporay stage automatically during the upload process and delete it after the upload is complete.

To avoid parsing errors with the generated CSV, you should include the FIELD_OPTIONALLY_ENCLOSED_BY parameter on the stage definition and set it to the double quote character. Otherwise, you may face parsing issues if you have string values that contain special characters in CSV (commas, double quotes, etc.). For example:

CREATE STAGE "TEST_STAGE_CDATA" FILE_FORMAT = ( FIELD_OPTIONALLY_ENCLOSED_BY='\"' )

Your AWS account access key. Only used when defining a CustomStage for bulk write operations.

Data Type

string

Default Value

""

Remarks

Your AWS account access key. This value is accessible from your AWS security credentials page:

1. Sign into the AWS Management console with the credentials for your root account.
2. Select your account name or number and select My Security Credentials in the menu that is displayed.
3. Click Continue to Security Credentials and expand the Access Keys section to manage or create root account access keys.

Your AWS account secret key. Only used when defining a CustomStage for bulk write operations.

Data Type

string

Default Value

""

Remarks

Your AWS account secret key. This value is accessible from your AWS security credentials page:

1. Sign into the AWS Management console with the credentials for your root account.
2. Select your account name or number and select My Security Credentials in the menu that is displayed.
3. Click Continue to Security Credentials and expand the Access Keys section to manage or create root account access keys.

The string value of the Azure Blob shared access signature.

Data Type

string

Default Value

""

Remarks

The string value of the Azure Blob shared access signature.

You can go to "Shared access signature" in "Settings" section for your Azure Blob container through Azure Portal, then click "Generate SAS token and URL" and copy the value from "Blob SAS token" textbox. Please be cautionus to select the proper permission (Create, Write, Delete) in "Permissions" dropdown list and validity of Start and Expiry time before you generate SAS token.

Whether to ignore case in identifiers. Default: false.

Data Type

bool

Default Value

false

Remarks

A session parameter that specifies whether Snowflake will treat identifiers as case sensitive. Default: false(case is sensitive).

Specifies the maximum rows returned for queries without aggregation or GROUP BY.

Data Type

int

Default Value

-1

Remarks

This property sets an upper limit on the number of rows the Cloud returns for queries that do not include aggregation or GROUP BY clauses. This limit ensures that queries do not return excessively large result sets by default.

When a query includes a LIMIT clause, the value specified in the query takes precedence over the MaxRows setting. If MaxRows is set to "-1", no row limit is enforced unless a LIMIT clause is explicitly included in the query.

This property is useful for optimizing performance and preventing excessive resource consumption when executing queries that could otherwise return very large datasets.

Specifies the number of concurrent requests.

Data Type

string

Default Value

"5"

Remarks

This property allows you to issue multiple requests simultaneously, thereby improving performance.

A boolean indicating whether batch DELETE statements should be converted to MERGE statements automatically. Only used when the DELETE statement's where clause contains a table's primary key field only and they are combined with AND logical operator.

Data Type

bool

Default Value

false

Remarks

A boolean indicating whether DELETE statements should be converted to MERGE statements automatically to allow for upsert functionality. This property is primarily intended for use with tools where you have no direct control over the queries being executed. Otherwise, as long as Query Passthrough is True, you could execute the MERGE command directly.

When this property is False, DELETE bulk statements won't executed against the server. When it is set to True and the DELETE query contains the primary key field, the Snowflake will send a MERGE query that will execute an DELETE if match is found in Snowflake. For example this query:

DELETE FROM "Table" WHERE "ID" = 1 AND "NAME" = 'Jerry'

Will be sent to Snowflake as the following MERGE request:

MERGE INTO "Table" AS "Target" USING "RTABLE1_TMP_20eca05b-c050-47dd-89bc-81c7f617f877" AS "Source" ON ("Target"."ID" = "Source"."ID" AND "Target"."NAME" = "Source"."NAME") 
WHEN MATCHED THEN DELETE

A boolean indicating whether INSERT statements should be converted to MERGE statements automatically. Only used when the INSERT contains a table's primary key field.

Data Type

bool

Default Value

false

Remarks

A boolean indicating whether INSERT statements should be converted to MERGE statements automatically to allow for upsert functionality. This property is primarily intended for use with tools where you have no direct control over the queries being executed. Otherwise, as long as Query Passthrough is True, you could execute the MERGE command directly.

When this property is False, INSERT statements are executed directly against the server. When it is set to True and the INSERT query contains the primary key field, the Snowflake will send a MERGE query that will execute an INSERT if no match is found in Snowflake or an UPDATE if it is. For example this query:

INSERT INTO "Table" ("ID", "NAME", "AGE") VALUES (1, 'NewName', 10)

Will be sent to Snowflake as the following MERGE request:

MERGE INTO "Table" AS "Target" USING (SELECT 1 AS "ID") AS [Source] ON ("Target"."ID" = "Source"."ID") 
WHEN NOT MATCHED THEN INSERT ("ID", "NAME", "AGE") VALUES (1, 'NewName', 10) 
WHEN MATCHED THEN UPDATE SET "NAME" = 'NewName', "AGE" = 10

A boolean indicating whether batch UPDATE statements should be converted to MERGE statements automatically. Only used when the UPDATE statement's where clause contains a table's primary key field only and they are combined with AND logical operator.

Data Type

bool

Default Value

false

Remarks

A boolean indicating whether UPDATE statements should be converted to MERGE statements automatically to allow for upsert functionality. This property is primarily intended for use with tools where you have no direct control over the queries being executed. Otherwise, as long as Query Passthrough is True, you could execute the MERGE command directly.

When this property is False, UPDATE statements are executed directly against the server. When it is set to True and the UPDATE query contains the primary key field, the Snowflake will send a MERGE query that will execute an INSERT if no match is found in Snowflake or an UPDATE if it is. For example this query:

UPDATE "Table" SET "NAME" = 'NewName', "AGE" = 10 WHERE "ID" = 1

Will be sent to Snowflake as the following MERGE request:

MERGE INTO "Table" AS "Target" USING "RTABLE1_TMP_20eca05b-c050-47dd-89bc-81c7f617f877" AS "Source" ON ("Target"."ID" = "Source"."ID") 
WHEN MATCHED THEN UPDATE SET "Target"."NAME" = "Source"."NAME", "Target"."AGE" = "Source"."AGE"

Specifies the maximum number of results to return from Snowflake, per page. This setting overrides the default page size set by the datasource, which is optimized for most use cases.

Data Type

int

Default Value

5000

Remarks

You may want to adjust the default pagesize to optimize results for a particular object or service endpoint you are querying. Be aware that increasing the page size may improve performance, but it could also result in higher memory consumption per page.

Specifies whether to repalce invalid UTF8 characters with a '?'.

Data Type

bool

Default Value

false

Remarks

Specifies whether to repalce invalid UTF8 characters with a '?'

Whether or not to retry when network issues occur at during chunk downloading.

Data Type

bool

Default Value

false

Remarks

Typically if a network issue such as a timeout occurs during chunk downloading of data, the CData Cloud will throw an exception. Set this property to true to cause the CData Cloud to attempt retrying the request before failing.

The URI of the S3 bucket you are using as your Snowflake S3 stage.

Data Type

string

Default Value

""

Remarks

Generally, the default domain is "s3.amazonaws.com". However, for Chinese S3 regions, the default domain is "s3.{region}.amazonaws.com.cn".

The timeout minutes for Session, the values comes from Snowflake's session policy, which indicate the session policy parameter SESSION_IDLE_TIMEOUT_MINS. The default value is 240 minutes.

Data Type

int

Default Value

240

Remarks

The timeout minutes for Session, the values comes from Snowflake's session policy, which indicate the session policy parameter SESSION_IDLE_TIMEOUT_MINS. The default value is 240 minutes.

The timeout minutes for Session, the values comes from Snowflake's session policy, which indicate the session policy parameter SESSION_IDLE_TIMEOUT_MINS. The default value is 240 minutes.

The session parameters for Snowflake. For example: SessionParameters='QUERY_TAG=MyTag;QUOTED_IDENTIFIERS_IGNORE_CASE=True;';.

Data Type

string

Default Value

""

Remarks

The session parameters for Snowflake. For example: SessionParameters='QUERY_TAG=MyTag;QUOTED_IDENTIFIERS_IGNORE_CASE=True;';

Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout.

Data Type

int

Default Value

120

Remarks

This property controls the maximum time, in seconds, that the Cloud waits for an operation to complete before canceling it. If the timeout period expires before the operation finishes, the Cloud cancels the operation and throws an exception.

The timeout applies to each individual communication with the server rather than the entire query or operation. For example, a query could continue running beyond 60 seconds if each paging call completes within the timeout limit.

Setting this property to 0 disables the timeout, allowing operations to run indefinitely until they succeed or fail due to other conditions such as server-side timeouts, network interruptions, or resource limits on the server. Use this property cautiously to avoid long-running operations that could degrade performance or result in unresponsive behavior.