Register a Snowflake Connection

PreviousHow-to Guides NextRegister a Databricks Unity Catalog Connection

Last updated 5 days ago

Was this helpful?

Register a Snowflake Connection

Public preview

allow you to register your data objects in a technology through a single connection, instead of registering data sources and an integration separately.

This feature is enabled by default on all tenants created post February 26, 2025, and available to created prior. Contact your Immuta representative to enable this feature.

Requirements

The following permissions and personas are used in the registration process:

Immuta permission: APPLICATION_ADMIN
Snowflake permissions for the user registering the connection and running the script:
- CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
- CREATE ROLE ON ACCOUNT WITH GRANT OPTION
- CREATE USER ON ACCOUNT WITH GRANT OPTION
- MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION
- APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION
- APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION
- REFERENCES on all tables
- USAGE on the schema and database to register data sources
Snowflake permissions for the new Immuta system user that is created:
- APPLY MASKING POLICY ON ACCOUNT
- APPLY ROW ACCESS POLICY ON ACCOUNT
- Additional grants associated with the IMMUTA database

Prerequisite

Register a connection

To register a Snowflake connection, follow the instructions below.

Click Data and select the Connections tab in the navigation menu.
Click the + Add Connection button.
Select the Snowflake data platform tile.
Enter the connection information:
- Host: The URL of your Snowflake account.
- Port: Your Snowflake port.
- Warehouse: The warehouse the Immuta system account user will use to run queries and perform Snowflake operations.
- Immuta Database: The new, empty database for Immuta to manage. This is where system views, user entitlements, row access policies, column-level policies, procedures, and functions managed by Immuta will be created and stored.
- Role: The default Snowflake role for the Immuta system account user.
- Display Name: The display name represents the unique name of your connection and will be used as prefix in the name for all data objects associated with this connection. It will also appear as the display name in the UI and will be used in all API calls made to update or delete the connection.
Click Next.
Select an authentication method from the dropdown menu. This authentication information will be included in the script populated later on the page.
1. Username and password: Choose one of the following options.
  1. Select Immuta Generated to have Immuta populate the system account name and password.
  2. Select User Provided to enter your own name and password for the Immuta system account.
2. Snowflake External OAuth:
  1. Fill out the Token Endpoint, which is where the generated token is sent. It is also known as aud (audience) and iss (issuer).
  2. Fill out the Client ID, which is the subject of the generated token. It is also known as sub (subject).
  3. Opt to fill out the Resource field with a URI of the resource where the requested token will be used.
  4. Enter the x509 Certificate Thumbprint. This identifies the corresponding key to the token and is often abbreviated as x5t or is called kid (key identifier).
  5. Upload the PEM Certificate, which is the client certificate that is used to sign the authorization request.
3. Key Pair Authentication:
  1. Complete the Username field. This username will be used to connect to the remote database and retrieve records for this data source.
  2. If using a private key, enter the Private Key Password.
  3. Click Select a File, and upload a Snowflake key pair file.
The Role is prepopulated from the entry on the previous page.
Copy the provided script and run it in Snowflake with the following Snowflake permissions:
- CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
- CREATE ROLE ON ACCOUNT WITH GRANT OPTION
- CREATE USER ON ACCOUNT WITH GRANT OPTION
- MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION
- APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION
- APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION
Click Test Connection.
If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
Ensure all the details are correct in the summary and click Complete Setup.

PreviousHow-to Guides NextRegister a Databricks Unity Catalog Connection

Last updated 5 days ago

Was this helpful?

Public preview

allow you to register your data objects in a technology through a single connection, instead of registering data sources and an integration separately.

This feature is enabled by default on all tenants created post February 26, 2025, and available to created prior. Contact your Immuta representative to enable this feature.

Requirements

The following permissions and personas are used in the registration process:

Immuta permission: APPLICATION_ADMIN
Snowflake permissions for the user registering the connection and running the script:
- CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
- CREATE ROLE ON ACCOUNT WITH GRANT OPTION
- CREATE USER ON ACCOUNT WITH GRANT OPTION
- MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION
- APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION
- APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION
- REFERENCES on all tables
- USAGE on the schema and database to register data sources
Snowflake permissions for the new Immuta system user that is created:
- APPLY MASKING POLICY ON ACCOUNT
- APPLY ROW ACCESS POLICY ON ACCOUNT
- Additional grants associated with the IMMUTA database

Prerequisite

No Snowflake integration configured in Immuta. If your Snowflake integration is already configured on the app settings page, follow the guide.

Register a connection

To register a Snowflake connection, follow the instructions below.

Click Data and select the Connections tab in the navigation menu.
Click the + Add Connection button.
Select the Snowflake data platform tile.
Enter the connection information:
- Host: The URL of your Snowflake account.
- Port: Your Snowflake port.
- Warehouse: The warehouse the Immuta system account user will use to run queries and perform Snowflake operations.
- Immuta Database: The new, empty database for Immuta to manage. This is where system views, user entitlements, row access policies, column-level policies, procedures, and functions managed by Immuta will be created and stored.
- Role: The default Snowflake role for the Immuta system account user.
- Display Name: The display name represents the unique name of your connection and will be used as prefix in the name for all data objects associated with this connection. It will also appear as the display name in the UI and will be used in all API calls made to update or delete the connection.
Click Next.
Select an authentication method from the dropdown menu. This authentication information will be included in the script populated later on the page.
1. Username and password: Choose one of the following options.
  1. Select Immuta Generated to have Immuta populate the system account name and password.
  2. Select User Provided to enter your own name and password for the Immuta system account.
2. Snowflake External OAuth:
  1. Fill out the Token Endpoint, which is where the generated token is sent. It is also known as aud (audience) and iss (issuer).
  2. Fill out the Client ID, which is the subject of the generated token. It is also known as sub (subject).
  3. Opt to fill out the Resource field with a URI of the resource where the requested token will be used.
  4. Enter the x509 Certificate Thumbprint. This identifies the corresponding key to the token and is often abbreviated as x5t or is called kid (key identifier).
  5. Upload the PEM Certificate, which is the client certificate that is used to sign the authorization request.
3. Key Pair Authentication:
  1. Complete the Username field. This username will be used to connect to the remote database and retrieve records for this data source.
  2. If using a private key, enter the Private Key Password.
  3. Click Select a File, and upload a Snowflake key pair file.
The Role is prepopulated from the entry on the previous page.
Copy the provided script and run it in Snowflake with the following Snowflake permissions:
- CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
- CREATE ROLE ON ACCOUNT WITH GRANT OPTION
- CREATE USER ON ACCOUNT WITH GRANT OPTION
- MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION
- APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION
- APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION
Click Test Connection.
If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
Ensure all the details are correct in the summary and click Complete Setup.