# Configure Snowflake Integration without Snowflake Governance Features

For tutorials on migrating, updating, or removing your Snowflake instance, see the Manage Your Snowflake Integration page.

Snowflake Standard Edition

This installation guide is for users on Snowflake Standard. If you currently use Snowflake Enterprise, please see the installation guide for that integration.

## Configure Snowflake Integration

1. Click the App Settings icon in the left sidebar.
2. Click Native Integrations in the left panel.
3. Click the +Add Native Integration button and select Snowflake from the dropdown menu.

4. Scroll down and uncheck the box for Snowflake Governance Features.

5. Scroll back up and complete the Host, Port, and Default Warehouse fields.

6. Optionally, check the Enable Project Workspace box. This will allow for managed write access within Snowflake.
7. Optionally, check the Enable External Catalog box. This will enable Immuta to automatically import table and column tags from Snowflake. Note that this feature requires an Enterprise Edition of Snowflake.
8. Optionally, check the Enable Impersonation box and customize the Impersonation Role name as needed. This will allow users to natively impersonate another user. Note that you cannot edit this choice after you configure the integration.
9. Optionally, check the Enable Native Query Audit box. This will allow Immuta to ingest audit records for native queries.

10. Optionally, check the Enable External Catalog box. This will allow Immuta to automatically ingest Snowflake object tags.

11. You have two options for installing the Snowflake and Snowflake Workspace access patterns: automatic or manual setup.

Automatic Setup

When performing an automated installation, Immuta requires temporary, one-time use of credentials with the following permissions:

• CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
• CREATE ROLE ON ACCOUNT WITH GRANT OPTION
• CREATE USER ON ACCOUNT WITH GRANT OPTION
• MANAGE GRANTS ON ACCOUNT

These permissions will be used to create and configure a new IMMUTA database within the specified Snowflake instance. The credentials are not stored or saved by Immuta, and Immuta doesn’t retain access to them after initial setup is complete.

You can create a new account for Immuta to use that has these permissions, or you can grant temporary use of a pre-existing account. By default, the pre-existing account with appropriate permissions is ACCOUNTADMIN. If you create a new account, it can be deleted after initial setup is complete.

Alternatively, you can create the IMMUTA database within the specified Snowflake instance manually using the Manual Setup option.

1. From the Select Authentication Method dropdown, select either Username and Password or Key Pair Authentication:

Key Pair Authentication

2. Click Key Pair (Required), and upload a Snowflake key pair file.
3. Complete the Role field.

Manual Setup

Best Practices: Account Creation

The account you create for Immuta should only be used for the integration and should NOT be used as the credentials when creating data sources within Immuta. This will cause issues.

Create a dedicated READ-ONLY account for creating and registering data sources within Immuta. This account should also not be the account used to configure the integration.

The specified role used to run the bootstrap needs to have the following privileges:

• CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
• CREATE ROLE ON ACCOUNT WITH GRANT OPTION
• CREATE USER ON ACCOUNT WITH GRANT OPTION
• MANAGE GRANTS ON ACCOUNT
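
The setup account described under Automatic Setup and the bootstrap role described under Manual Setup can be limited to exactly these four privileges instead of reusing ACCOUNTADMIN. The Snowflake SQL below is an added example, not Immuta's own script; the names IMMUTA_SETUP_ROLE and IMMUTA_SETUP_USER and the key value are assumed placeholders.

```sql
-- Added example. IMMUTA_SETUP_ROLE and IMMUTA_SETUP_USER are hypothetical
-- names; the RSA public key is a placeholder to replace with your own.
USE ROLE ACCOUNTADMIN;

-- 1. A role that holds only the four privileges listed on this page.
CREATE ROLE IF NOT EXISTS IMMUTA_SETUP_ROLE
  COMMENT = 'Temporary: Immuta integration setup only';

GRANT CREATE DATABASE ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT CREATE ROLE     ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT CREATE USER     ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT MANAGE GRANTS   ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE;

-- 2. A short-lived user for the one-time setup. Key pair authentication is
--    used here, so no password is set; DAYS_TO_EXPIRY disables the user
--    automatically if cleanup is forgotten.
CREATE USER IF NOT EXISTS IMMUTA_SETUP_USER
  RSA_PUBLIC_KEY = '<PUBLIC_KEY_PLACEHOLDER>'
  DEFAULT_ROLE   = IMMUTA_SETUP_ROLE
  DAYS_TO_EXPIRY = 1
  COMMENT        = 'Temporary: delete after Immuta integration setup';

GRANT ROLE IMMUTA_SETUP_ROLE TO USER IMMUTA_SETUP_USER;

-- 3. Verify before handing over the credentials: the role should show the
--    four account-level privileges and the user should hold only this role.
SHOW GRANTS TO ROLE IMMUTA_SETUP_ROLE;
SHOW GRANTS TO USER IMMUTA_SETUP_USER;

-- 4. After the integration is configured, remove the setup user and
--    confirm that nothing else has been granted the setup role.
DROP USER IF EXISTS IMMUTA_SETUP_USER;
SHOW GRANTS OF ROLE IMMUTA_SETUP_ROLE;
```

Enter the setup role's name in the Role field when configuring the integration.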

Warning: Different Accounts

The account used to enable the integration must be different from the account used to create data sources in Immuta. Otherwise, workspace views won't be generated properly.

Now that Snowflake has been enabled, all future Snowflake data sources will also be created natively within the IMMUTA database of the linked Snowflake instance. In addition to creating views, Immuta will also periodically sync user metadata to a system table within the Snowflake instance.