
You are viewing documentation for Immuta version 2021.4.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Configure Snowflake Integration

Audience: System Administrators

Content Summary: This page details how to install the Snowflake access pattern.

There are two integration options based on your Snowflake Edition: the Snowflake Enterprise integration (Public Preview), which relies on native Snowflake governance controls, and the Snowflake Standard integration. Both are configured below.

See the migration section at the bottom of this page to migrate from a Snowflake Standard integration to a Snowflake Enterprise integration.

Configure Snowflake Enterprise Integration (Public Preview)

Policies Removed When Using CREATE OR REPLACE in Snowflake

If your workflow periodically replaces tables with the same table using the CREATE OR REPLACE statement in Snowflake, the Immuta policies on those data sources will be removed in this integration: the statement creates a new table object, and the policies were attached to the old one.

Contact your Immuta Support Professional for guidance on recreating and applying Immuta policies to those data sources.
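A way to see the loss this warning describes, and to catch it inside a rebuild job, as an added example that is not part of this page or of Immuta's own tooling. It assumes a table ANALYTICS.PUBLIC.CUSTOMERS to which Immuta has attached a masking policy and a staging table ANALYTICS.STAGING.CUSTOMERS_NEW; the INSERT OVERWRITE alternative is the editor's suggestion, not the page's, and recovering Immuta policies that were already dropped still goes through Immuta Support as the page says.

```sql
-- Added example, not Immuta's code. Object names (ANALYTICS.PUBLIC.CUSTOMERS,
-- ANALYTICS.STAGING.CUSTOMERS_NEW) are assumptions for illustration.
-- Run under a role that can read INFORMATION_SCHEMA for the ANALYTICS database.

-- 1. Snapshot the policies currently attached to the table (masking policies
--    on columns and row access policies on the table itself).
SELECT policy_kind, policy_db, policy_schema, policy_name, ref_column_name
FROM TABLE(ANALYTICS.INFORMATION_SCHEMA.POLICY_REFERENCES(
       REF_ENTITY_NAME   => 'ANALYTICS.PUBLIC.CUSTOMERS',
       REF_ENTITY_DOMAIN => 'TABLE'))
ORDER BY policy_kind, ref_column_name;

-- 2. The rebuild pattern the page warns about. CREATE OR REPLACE drops the old
--    table object and creates a new one; the policy attachments belonged to
--    the old object, so they do not carry over.
CREATE OR REPLACE TABLE ANALYTICS.PUBLIC.CUSTOMERS AS
SELECT * FROM ANALYTICS.STAGING.CUSTOMERS_NEW;

-- 3. Re-run the snapshot. An empty result means the Immuta policies are gone:
--    every role with SELECT on the table now reads the raw columns.
SELECT policy_kind, policy_db, policy_schema, policy_name, ref_column_name
FROM TABLE(ANALYTICS.INFORMATION_SCHEMA.POLICY_REFERENCES(
       REF_ENTITY_NAME   => 'ANALYTICS.PUBLIC.CUSTOMERS',
       REF_ENTITY_DOMAIN => 'TABLE'));

-- 4. Editor's alternative for the rebuild job: replace the rows, not the table.
--    INSERT OVERWRITE truncates and reloads in place, so the table object and
--    its policy attachments survive. Keep step 3's check in the job regardless,
--    and fail the job if it returns fewer rows than step 1 did.
INSERT OVERWRITE INTO ANALYTICS.PUBLIC.CUSTOMERS
SELECT * FROM ANALYTICS.STAGING.CUSTOMERS_NEW;

-- 5. To audit from the policy side instead (everything a given policy is
--    attached to), query by policy name. The name is whatever Immuta created;
--    SHOW MASKING POLICIES IN ACCOUNT lists the candidates.
SELECT ref_database_name, ref_schema_name, ref_entity_name, ref_column_name
FROM TABLE(ANALYTICS.INFORMATION_SCHEMA.POLICY_REFERENCES(
       POLICY_NAME => '<fully_qualified_immuta_policy_name>'));
```

The check in step 3 is the part worth keeping permanently: run it after every scheduled rebuild of an Immuta-protected table and alert when the policy count drops, rather than discovering the exposure from a user who can suddenly read unmasked columns.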

Enable the Preview Feature

  1. Click the App Settings icon in the left sidebar.
  2. Click Preview Features in the left panel.
  3. Scroll to the Native Snowflake Governance Controls modal and check the checkbox.


  4. Click Save.

  5. Click Confirm.

Connect Your Snowflake Instance

  1. Click Native Integrations in the left panel of the App Settings page.
  2. Click the +Add Native Integration button and select Snowflake from the dropdown menu.


  3. Complete the Host, Port, and Default Warehouse fields.


  4. Optionally check the Enable Project Workspace box. This allows managed write access within Snowflake. Note: project workspaces still use Snowflake views, so the default role of the account used to create the data sources in the project must be added to the Excepted Roles List.

  5. Optionally check the Enable External Catalog box. This lets Immuta automatically import table and column tags from Snowflake. Note that this feature requires the Enterprise Edition of Snowflake.
  6. Optionally check the Enable Impersonation box and customize the Impersonation Role name as needed. This allows users to natively impersonate another user.
  7. Optionally check the Enable Native Query Audit box. This allows Immuta to ingest audit records for native queries.

  8. You have two options for installing the Snowflake and Snowflake Workspace access patterns: automatic or manual setup.

    Automatic Setup

    Select Automatic and enter your Username, Password, and Role.

    Immuta requires temporary, one-time use of credentials with the following permissions:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION
    • CREATE USER ON ACCOUNT WITH GRANT OPTION
    • MANAGE GRANTS ON ACCOUNT

    These permissions will be used to create and configure a new IMMUTA database within the specified Snowflake instance. The credentials are not stored or saved by Immuta, and Immuta doesn’t retain access to them after initial setup is complete.

    You can create a new account for Immuta to use that has these permissions, or you can grant temporary use of a pre-existing account. The built-in role that already holds all of these is ACCOUNTADMIN; a purpose-made role carrying only the four privileges above is a smaller exposure. If you create a new account, delete it after initial setup is complete.

    Alternatively, you can create the IMMUTA database within the specified Snowflake instance manually using the Manual Setup option.

    Manual Setup

    Best Practices: Account Creation

    The account you create for Immuta should only be used for the native integration and should NOT be used as the credentials when creating data sources within Immuta. Reusing it for both will cause issues.

    Create a dedicated READ-ONLY account for creating and registering data sources within Immuta. This account should also not be the account used to configure the native integration.

    The specified role used to run the bootstrap needs to have the following privileges:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION
    • CREATE USER ON ACCOUNT WITH GRANT OPTION
    • MANAGE GRANTS ON ACCOUNT

    The bootstrap script creates a user called "IMMUTA_SYSTEM_ACCOUNT" and grants the following privileges to that user:

    • APPLY MASKING POLICY
    • APPLY ROW ACCESS POLICY
    • Additional grants associated with the IMMUTA database
    • If you chose to automatically ingest Snowflake object tags (the Enable External Catalog option):
      • GRANT IMPORTED PRIVILEGES ON DATABASE snowflake
      • GRANT APPLY TAG ON ACCOUNT

    1. Download and run the bootstrap script linked in the Setup section.


    2. Select Manual and enter the Username and Password for the Immuta System Account Credentials.

  9. If you enabled a Snowflake workspace, use the Warehouses dropdown menu to select the warehouses that project owners may use when creating native Snowflake workspaces. The list contains all warehouses available to the privileged account entered above. Any warehouse accessible by the PUBLIC role does not need to be explicitly added.

  10. Enter the Excepted Roles/User List. Each role or username (both case-sensitive) in this list should be separated by a comma.

    Excepted Roles/Users will have no policies applied to queries.

    Any user with a username or acting under a role in this list will have no policies applied when querying Immuta-protected Snowflake tables in Snowflake. Limit this list to service or system accounts and, if you enabled Snowflake workspaces, the default role of the account used to create the data sources in Immuta projects.

  11. Click Test Snowflake Connection.

  12. Once the credentials are successfully tested, click Save.
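Before adding a role to the Excepted Roles/Users list, confirm exactly what the entry will exempt. The following is an added example of that check, not part of this page or of Immuta; the role ETL_SERVICE_ROLE and the user IMMUTA_WORKSPACE_SVC are assumed names.

```sql
-- Added example, not Immuta's code. ETL_SERVICE_ROLE and IMMUTA_WORKSPACE_SVC
-- are assumed names; substitute your own.

-- Case matters in this list. Snowflake stores unquoted identifiers in upper
-- case, so a role created as   CREATE ROLE etl_service_role   is stored as
-- ETL_SERVICE_ROLE and must be entered that way. A role created with a quoted
-- mixed-case name ("Etl_Service_Role") keeps that exact spelling. Read the
-- stored name instead of guessing it:
SHOW ROLES LIKE 'ETL_SERVICE_ROLE';

-- Everyone who can activate the role bypasses Immuta policies on every
-- protected table, so enumerate the holders before listing it. Direct grants:
SHOW GRANTS OF ROLE ETL_SERVICE_ROLE;

-- The same from the audit view, which also records who granted it and when
-- (ACCOUNT_USAGE lags live state by up to a couple of hours).
SELECT grantee_name, granted_to, granted_by, created_on
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE role = 'ETL_SERVICE_ROLE'
  AND deleted_on IS NULL
ORDER BY created_on;

-- If the result contains human users, or the role is granted to a broad role
-- such as SYSADMIN, do not except it: move the workload to a dedicated service
-- user with its own role. Never list PUBLIC itself, since every user holds it.

-- For the workspace case the page describes, the entry must be the DEFAULT
-- ROLE of the account that creates the project data sources. Read it from the
-- user definition rather than assuming it:
DESCRIBE USER IMMUTA_WORKSPACE_SVC;   -- look for the DEFAULT_ROLE property
```

Repeat the holder check periodically: a role that was service-only when it was excepted becomes a policy bypass for anyone it is later granted to, and nothing in Immuta will flag that change.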

Configure Snowflake Standard Integration

  1. Click the App Settings icon in the left sidebar.
  2. Click Native Integrations in the left panel.
  3. Click the +Add Native Integration button and select Snowflake from the dropdown menu.


  4. Complete the Host, Port, and Default Warehouse fields.


  5. Optionally check the Enable Project Workspace box. This allows managed write access within Snowflake.

  6. Optionally check the Enable External Catalog box. This lets Immuta automatically import table and column tags from Snowflake. Note that this feature requires the Enterprise Edition of Snowflake.
  7. Optionally check the Enable Impersonation box and customize the Impersonation Role name as needed. This allows users to natively impersonate another user.
  8. Optionally check the Enable Native Query Audit box. This allows Immuta to ingest audit records for native queries.

  9. You have two options for installing the Snowflake and Snowflake Workspace access patterns: automatic or manual setup.

    Automatic Setup

    Select Automatic and enter your Username, Password, and Role.

    Immuta requires temporary, one-time use of credentials with the following permissions:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION
    • CREATE USER ON ACCOUNT WITH GRANT OPTION
    • MANAGE GRANTS ON ACCOUNT

    These permissions will be used to create and configure a new IMMUTA database within the specified Snowflake instance. The credentials are not stored or saved by Immuta, and Immuta doesn’t retain access to them after initial setup is complete.

    You can create a new account for Immuta to use that has these permissions, or you can grant temporary use of a pre-existing account. The built-in role that already holds all of these is ACCOUNTADMIN; a purpose-made role carrying only the four privileges above is a smaller exposure. If you create a new account, delete it after initial setup is complete.

    Alternatively, you can create the IMMUTA database within the specified Snowflake instance manually using the Manual Setup option.

    Manual Setup

    Best Practices: Account Creation

    The account you create for Immuta should only be used for the native integration and should NOT be used as the credentials when creating data sources within Immuta. Reusing it for both will cause issues.

    Create a dedicated READ-ONLY account for creating and registering data sources within Immuta. This account should also not be the account used to configure the native integration.

    The specified role used to run the bootstrap needs to have the following privileges:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION
    • CREATE USER ON ACCOUNT WITH GRANT OPTION
    • MANAGE GRANTS ON ACCOUNT

    1. Download and run the bootstrap script linked in the Setup section.


    2. Select Manual and enter the Username and Password for the Immuta System Account Credentials.

  10. If you enabled a Snowflake workspace, use the Warehouses dropdown menu to select the warehouses that project owners may use when creating native Snowflake workspaces. The list contains all warehouses available to the privileged account entered above. Any warehouse accessible by the PUBLIC role does not need to be explicitly added.

  11. Click Test Snowflake Connection.
  12. Once the credentials are successfully tested, click Save.

Now that the Snowflake integration is enabled, all future Snowflake data sources will also be created natively within the IMMUTA database of the linked Snowflake instance. In addition to creating views, Immuta will also periodically sync user metadata to a system table within the Snowflake instance.
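Both the Enterprise and the Standard procedures above hand the setup (the Automatic option, or the bootstrap script in Manual) a credential holding the same four account-level privileges, and both point at ACCOUNTADMIN as the pre-existing role that has them. The following is an added example of the narrower alternative the text allows: a throwaway user and role carrying exactly those privileges, followed by the checks to run once setup is done. It is not Immuta's code or its bootstrap script; IMMUTA_BOOTSTRAP_ROLE and IMMUTA_BOOTSTRAP_USER are assumed names, and IMMUTA_SYSTEM_ACCOUNT is the user the page says the bootstrap creates.

```sql
-- Added example, not Immuta's bootstrap script. IMMUTA_BOOTSTRAP_ROLE and
-- IMMUTA_BOOTSTRAP_USER are assumed names; IMMUTA_SYSTEM_ACCOUNT is the user
-- the page says the bootstrap creates.
USE ROLE ACCOUNTADMIN;   -- needed once, to mint the narrower role below

-- 1. A role carrying exactly the four privileges the page lists.
--    MANAGE GRANTS alone lets a role grant any privilege on any object, so
--    treat this role as an admin credential for as long as it exists.
CREATE ROLE IF NOT EXISTS IMMUTA_BOOTSTRAP_ROLE
  COMMENT = 'Temporary: Immuta native integration bootstrap only';
GRANT CREATE DATABASE ON ACCOUNT TO ROLE IMMUTA_BOOTSTRAP_ROLE WITH GRANT OPTION;
GRANT CREATE ROLE     ON ACCOUNT TO ROLE IMMUTA_BOOTSTRAP_ROLE WITH GRANT OPTION;
GRANT CREATE USER     ON ACCOUNT TO ROLE IMMUTA_BOOTSTRAP_ROLE WITH GRANT OPTION;
GRANT MANAGE GRANTS   ON ACCOUNT TO ROLE IMMUTA_BOOTSTRAP_ROLE;

-- 2. A dedicated user, so the bootstrap's statements are attributable in
--    QUERY_HISTORY and the credential can be destroyed without touching
--    anyone else's.
CREATE USER IF NOT EXISTS IMMUTA_BOOTSTRAP_USER
  PASSWORD             = '<one-time password generated for this run>'
  DEFAULT_ROLE         = IMMUTA_BOOTSTRAP_ROLE
  MUST_CHANGE_PASSWORD = FALSE
  COMMENT              = 'Temporary: drop after Immuta setup';
GRANT ROLE IMMUTA_BOOTSTRAP_ROLE TO USER IMMUTA_BOOTSTRAP_USER;

-- Now run the Automatic setup with IMMUTA_BOOTSTRAP_USER / IMMUTA_BOOTSTRAP_ROLE,
-- or run the downloaded bootstrap script after USE ROLE IMMUTA_BOOTSTRAP_ROLE.

-- 3. Verify what the bootstrap left behind. The system account should hold a
--    role with APPLY MASKING POLICY and APPLY ROW ACCESS POLICY on the account
--    (Enterprise) plus grants scoped to the IMMUTA database; anything broader,
--    such as ACCOUNTADMIN or SECURITYADMIN, is a finding.
SHOW GRANTS TO USER IMMUTA_SYSTEM_ACCOUNT;          -- roles granted to the user
SHOW GRANTS TO ROLE <role_from_previous_result>;    -- privileges of that role
SHOW GRANTS ON DATABASE IMMUTA;                     -- OWNERSHIP row: must not be the bootstrap role

-- 4. Destroy the bootstrap identity. Ownership of anything the dropped role
--    still owns passes to the role running DROP ROLE (ACCOUNTADMIN here), so
--    read the OWNERSHIP rows from step 3 first and transfer deliberately if
--    any object is still owned by IMMUTA_BOOTSTRAP_ROLE.
USE ROLE ACCOUNTADMIN;
DROP USER IF EXISTS IMMUTA_BOOTSTRAP_USER;
DROP ROLE IF EXISTS IMMUTA_BOOTSTRAP_ROLE;

-- 5. Confirm nothing remains.
SHOW USERS LIKE 'IMMUTA_BOOTSTRAP_USER';
SHOW ROLES LIKE 'IMMUTA_BOOTSTRAP_ROLE';
```

The point of step 3 is that the page describes what the bootstrap grants but nothing in the UI shows it to you afterwards; reading the grants back is the only way to confirm that the long-lived IMMUTA_SYSTEM_ACCOUNT ended up with the policy-application privileges the page lists and not with the admin role that happened to be in the session.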

Migrate from a Snowflake Standard Integration to a Snowflake Enterprise Integration (Public Preview)

Migration Troubleshooting
  • If multiple Snowflake integrations are enabled, they will all migrate together. If one fails, they will all revert to the Snowflake Standard integration.
  • If an error occurs during migration and the integration cannot be reverted, the integration must be disabled and re-enabled.

  1. Click the App Settings icon in the left sidebar.
  2. Click Preview Features in the left panel.
  3. Scroll to the Native Snowflake Governance Controls modal and check the checkbox.
  4. Using the credentials entered to enable the Snowflake integration, fill out the Username, Password, and Key Pair.
  5. Click Save.
  6. Click Confirm.

Migrate Back from a Snowflake Enterprise Integration to a Snowflake Standard Integration (Public Preview)

Please consult your Immuta professional.

Migrating back from the Enterprise to the Standard Snowflake integration is only intended to resolve issues that occur during migration and to regain use of Immuta.

Access must be revoked.

Access to the Snowflake tables must be revoked when migrating from the Snowflake Enterprise to the Snowflake Standard integration to prevent users from having access to the raw tables.

  1. Click the App Settings icon in the left sidebar.
  2. Click Preview Features in the left panel.
  3. Scroll to the Native Snowflake Governance Controls modal and uncheck the checkbox.
  4. Using the credentials entered to enable the Snowflake integration, fill out the Username, Password, and Key Pair.
  5. Click Save.
  6. Click Confirm.