Register a Snowflake Connection

Public preview

Connections allow you to register your data objects in a technology through a single connection, instead of registering data sources and an integration separately.

This feature is enabled by default on all tenants created post February 26, 2025, and available to select tenants created prior. Contact your Immuta representative to enable this feature.

Requirements

  • APPLICATION_ADMIN Immuta permission

  • The Snowflake user registering the connection and running the script must have the following privileges:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION

    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION

    • CREATE USER ON ACCOUNT WITH GRANT OPTION

    • MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION

    • APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION

    • APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION

Prerequisites

No Snowflake integration configured in Immuta. If your Snowflake integration is already configured on the app settings page, follow the Use the connection upgrade manager guide.

Set up the Immuta system account

Complete the following actions in Snowflake:

  1. Create a new user in Snowflake to be the Immuta system account. Immuta will use this system account continuously to orchestrate Snowflake policies and maintain state between Immuta and Snowflake.

  2. Create a Snowflake role with a minimum of the following privileges:

    • USAGE on all databases and schemas with registered data sources.

    • REFERENCES on all tables and views registered in Immuta.

    • .

  3. Grant the new Snowflake role to the system account you just created.

Register a connection

To register a Snowflake connection, follow the instructions below.

  1. Click Data and select the Connections tab in the navigation menu.

  2. Click the + Add Connection button.

  3. Select the Snowflake data platform tile.

  4. Enter the connection information:

    • Host: The URL of your Snowflake account.

    • Port: Your Snowflake port.

    • Warehouse: The warehouse the Immuta system account user will use to run queries and perform Snowflake operations.

    • Immuta Database: The new, empty database for Immuta to manage. This is where system views, user entitlements, row access policies, column-level policies, procedures, and functions managed by Immuta will be created and stored.

    • Display Name: The display name represents the unique name of your connection and will be used as prefix in the name for all data objects associated with this connection. It will also appear as the display name in the UI and will be used in all API calls made to update or delete the connection.

  5. Click Next.

  6. Select an authentication method from the dropdown menu and enter the authentication information for the Immuta system account you created. Enter the Role with the listed privileges, then continue to enter the authentication information:

    1. Username and password (Not recommended): Choose one of the following options.

      1. Select Immuta Generated to have Immuta populate the system account name and password.

      2. Select User Provided to enter your own name and password for the Immuta system account.

    2. Snowflake External OAuth:

      1. Fill out the Token Endpoint, which is where the generated token is sent. It is also known as aud (audience) and iss (issuer).

      2. Fill out the Client ID, which is the subject of the generated token. It is also known as sub (subject).

      3. Opt to fill out the Resource field with a URI of the resource where the requested token will be used.

      4. Enter the x509 Certificate Thumbprint. This identifies the corresponding key to the token and is often abbreviated as x5t or is called kid (key identifier).

      5. Upload the PEM Certificate, which is the client certificate that is used to sign the authorization request.

    3. Key Pair Authentication:

      1. Complete the Username field. This user must be assigned the public key in Snowflake.

      2. If using an encrypted private key, enter the Private Key Password.

      3. Click Select a File, and upload the Snowflake private key pair file.

  7. Copy the provided script and run it in Snowflake as a user with the privileges listed in the requirements section.

  8. Click Test Connection.

  9. If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.

  10. Ensure all the details are correct in the summary and click Complete Setup.

Last updated

Was this helpful?