
You are viewing documentation for Immuta version 2021.2.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Enable Dynamic Native Snowflake

Audience: System Administrators

Content Summary: This page details how to install the Native Dynamic Snowflake access pattern.

Enable Native Snowflake

Application Administrators have two options for installing the Native Dynamic Snowflake and Snowflake Workspace access patterns: automatic or manual setup.

Automatic Setup

  1. Click the App Settings icon in the left sidebar.
  2. Click Enable in the Native Snowflake SQL Integration section.


  3. Complete the Host, Port, and Default Warehouse fields.


  4. Opt to check the Enable Project Workspace box. This will allow for managed Write access within Snowflake.

  5. Select Automatic and enter your Username, Password, and Role.

    Immuta requires temporary, one-time use of credentials with specific permissions.

    When performing an automated installation, Immuta requires temporary, one-time use of credentials with the following permissions:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION
    • CREATE USER ON ACCOUNT WITH GRANT OPTION
    • MANAGE GRANTS ON ACCOUNT

    These permissions will be used to create and configure a new IMMUTA database within the specified Snowflake instance. The credentials are not stored or saved by Immuta, and Immuta doesn’t retain access to them after initial setup is complete.

    You can create a new account for Immuta to use that has these permissions, or you can grant temporary use of a pre-existing account. By default, the pre-existing account with appropriate permissions is ACCOUNTADMIN. If you create a new account, it can be deleted after initial setup is complete.

    Alternatively, you can create the IMMUTA database within the specified Snowflake instance manually using the Manual Setup option.

  6. Optionally, use the dropdown menu to select the Warehouses that will be available to project owners when creating native Snowflake workspaces. Select from a list of all the warehouses available to the privileged account entered above. Note that any warehouse accessible by the PUBLIC role does not need to be explicitly added.

  7. Click Test Snowflake Connection.

  8. Once the credentials are successfully tested, click Save.

Manual Setup

Best Practices: Account Creation

The account you create for Immuta should only be used for the native integration and should NOT be used as the credentials when creating data sources within Immuta. Doing so will cause issues.

Create a dedicated READ-ONLY account for creating and registering data sources within Immuta. This account should also not be the account used to configure the native integration.

The specified role needs to have the following privileges: CREATE DATABASE ON ACCOUNT WITH GRANT OPTION, CREATE ROLE ON ACCOUNT WITH GRANT OPTION, CREATE USER ON ACCOUNT WITH GRANT OPTION, and MANAGE GRANTS ON ACCOUNT.

  1. Click the App Settings icon in the left sidebar.
  2. Click Enable in the Native Snowflake SQL Integration section.
  3. Complete the Host, Port, and Default Warehouse fields.


  4. Download and run the bootstrap script linked in the Setup section.


  5. Select Manual and enter the Username and Password for the Immuta System Account Credentials.

  6. Optionally, use the dropdown menu to select the Warehouses that will be available to project owners when creating native Snowflake workspaces. Select from a list of all the warehouses available to the privileged account entered above. Note that any warehouse accessible by the PUBLIC role does not need to be explicitly added.
  7. Opt to Enable Project Workspace by checking the box. This will allow for managed Write access within Snowflake.
  8. Click Test Snowflake Connection.
  9. Once the credentials are successfully tested, click Save.

Once Snowflake has been enabled, all future Snowflake data sources will also be created natively within the immuta database of the linked Snowflake instance. In addition to creating views, Immuta will also periodically sync user metadata to a system table within the Snowflake instance.

Multiple Snowflake Instances

Immuta allows the user to connect multiple Snowflake instances in a single Immuta instance.

Automatic Setup

  1. Click the App Settings icon in the left sidebar.
  2. Click Add Connection in the Native Snowflake SQL Integration section.


  3. Complete the Host, Port, and Default Warehouse fields.


  4. Opt to check the Enable Project Workspace box. This will allow for managed Write access within Snowflake.

  5. Select Automatic and enter your Username, Password, and Role.

    Immuta requires temporary, one-time use of credentials with specific permissions.

    When performing an automated installation, Immuta requires temporary, one-time use of credentials with the following permissions:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION
    • CREATE USER ON ACCOUNT WITH GRANT OPTION
    • MANAGE GRANTS ON ACCOUNT

    These permissions will be used to create and configure a new IMMUTA database within the specified Snowflake instance. The credentials are not stored or saved by Immuta, and Immuta doesn’t retain access to them after initial setup is complete.

    You can create a new account for Immuta to use that has these permissions, or you can grant temporary use of a pre-existing account. By default, the pre-existing account with appropriate permissions is ACCOUNTADMIN. If you create a new account, it can be deleted after initial setup is complete.

    Alternatively, you can create the IMMUTA database within the specified Snowflake instance manually using the Manual Setup option.

  6. Optionally, use the dropdown menu to select the Warehouses that will be available to project owners when creating native Snowflake workspaces. Select from a list of all the warehouses available to the privileged account entered above. Note that any warehouse accessible by the PUBLIC role does not need to be explicitly added.

  7. Click Test Snowflake Connection.

  8. Once the credentials are successfully tested, click Save.

Manual Setup

Best Practices: Account Creation

The account you create for Immuta should only be used for the native integration and should NOT be used as the credentials when creating data sources within Immuta. Doing so will cause issues.

Create a dedicated READ-ONLY account for creating and registering data sources within Immuta. This account should also not be the account used to configure the native integration.

The specified role needs to have the following privileges: CREATE DATABASE ON ACCOUNT WITH GRANT OPTION, CREATE ROLE ON ACCOUNT WITH GRANT OPTION, CREATE USER ON ACCOUNT WITH GRANT OPTION, and MANAGE GRANTS ON ACCOUNT.

  1. Click the App Settings icon in the left sidebar.
  2. Click Add Connection in the Native Snowflake SQL Integration section.


  3. Complete the Host, Port, and Default Warehouse fields.


  4. Download and run the bootstrap script linked in the Setup section.


  5. Select Manual and enter the Username and Password for the Immuta System Account Credentials.

  6. Optionally, use the dropdown menu to select the Warehouses that will be available to project owners when creating native Snowflake workspaces. Select from a list of all the warehouses available to the privileged account entered above. Note that any warehouse accessible by the PUBLIC role does not need to be explicitly added.
  7. Opt to Enable Project Workspace by checking the box. This will allow for managed Write access within Snowflake.
  8. Click Test Snowflake Connection.
  9. Once the credentials are successfully tested, click Save.
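
A least-privilege way to supply the one-time setup credentials described under Automatic Setup, and the role privileges listed under Manual Setup, without handing over ACCOUNTADMIN itself. This is an added example in Snowflake SQL, not part of Immuta's documentation or its bootstrap script; the names IMMUTA_SETUP_ROLE and IMMUTA_SETUP_USER and the password placeholder are hypothetical.

```sql
-- Added example: role name, user name and password are placeholders.
-- Run as a role that can create roles and users and grant account-level
-- privileges (the page names ACCOUNTADMIN as the default such role).
USE ROLE ACCOUNTADMIN;

-- 1. Dedicated role carrying only the four privileges the page lists.
CREATE ROLE IF NOT EXISTS IMMUTA_SETUP_ROLE;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT CREATE ROLE     ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT CREATE USER     ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT MANAGE GRANTS   ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE;

-- 2. Temporary user whose only role is the setup role. Enter this
--    Username, Password and Role in the Immuta setup form.
CREATE USER IF NOT EXISTS IMMUTA_SETUP_USER
  PASSWORD = '<one-time-password-placeholder>'
  DEFAULT_ROLE = IMMUTA_SETUP_ROLE
  MUST_CHANGE_PASSWORD = FALSE
  COMMENT = 'Temporary: Immuta native Snowflake setup only';
GRANT ROLE IMMUTA_SETUP_ROLE TO USER IMMUTA_SETUP_USER;

-- 3. Before handing the credentials over, confirm what the role holds
--    and who holds the role.
SHOW GRANTS TO ROLE IMMUTA_SETUP_ROLE;   -- privileges granted to the role
SHOW GRANTS OF ROLE IMMUTA_SETUP_ROLE;   -- users and roles it is granted to

-- 4. After the connection test passes and the configuration is saved,
--    remove the temporary user and confirm the role has no grantees left.
DROP USER IF EXISTS IMMUTA_SETUP_USER;
SHOW GRANTS OF ROLE IMMUTA_SETUP_ROLE;
```

The role is left in place in step 4 because Snowflake transfers ownership of a dropped role's objects to the role that runs DROP ROLE; review what it owns before removing it.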