Register a Snowflake Connection
Requirements
APPLICATION_ADMIN Immuta permission
The Snowflake user registering the connection and running the script must have the following privileges:
CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
CREATE ROLE ON ACCOUNT WITH GRANT OPTION
CREATE USER ON ACCOUNT WITH GRANT OPTION
MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION
APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION
APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION
Prerequisites
No Snowflake integration configured in Immuta. If your Snowflake integration is already configured on the app settings page, follow the Use the connection upgrade manager guide.
Set up the Immuta system account
Complete the following actions in Snowflake:
Create a new user in Snowflake to be the Immuta system account. Immuta will use this system account continuously to orchestrate Snowflake policies and maintain state between Immuta and Snowflake.
Create a Snowflake role with a minimum of the following privileges:
USAGE on all databases and schemas with registered data sources.
REFERENCES on all tables and views registered in Immuta.
Grant the new Snowflake role to the system account you just created.
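The three steps above as Snowflake SQL, added here as an example and not taken from the Immuta documentation. The user name IMMUTA_SYSTEM_ACCOUNT, the role IMMUTA_SYSTEM_ROLE, the warehouse IMMUTA_WH, the database ANALYTICS with schema SALES, and the public key value are assumed placeholders; substitute your own.

```sql
-- Run as a role that can create users/roles and grant on the registered objects
-- (e.g. the user holding the privileges listed under Requirements, or SECURITYADMIN).
USE ROLE SECURITYADMIN;

-- 1. The Immuta system account. Key pair authentication is shown; the public key
--    body (PEM without header/footer lines) is a placeholder.
CREATE USER IF NOT EXISTS IMMUTA_SYSTEM_ACCOUNT
  RSA_PUBLIC_KEY = '<PUBLIC_KEY_PEM_BODY>'
  DEFAULT_ROLE   = IMMUTA_SYSTEM_ROLE
  COMMENT        = 'Service account used by Immuta to orchestrate Snowflake policies';

-- 2. A dedicated role carrying only the minimum privileges the page lists.
CREATE ROLE IF NOT EXISTS IMMUTA_SYSTEM_ROLE;

-- USAGE on every database and schema that holds registered data sources
-- (repeat for each database/schema pair you register in Immuta).
GRANT USAGE ON DATABASE ANALYTICS       TO ROLE IMMUTA_SYSTEM_ROLE;
GRANT USAGE ON SCHEMA   ANALYTICS.SALES TO ROLE IMMUTA_SYSTEM_ROLE;

-- REFERENCES on the tables and views registered in Immuta. Granting on ALL
-- objects in the schema covers existing ones; the FUTURE grants (optional)
-- keep newly created objects covered without re-running this script.
GRANT REFERENCES ON ALL    TABLES IN SCHEMA ANALYTICS.SALES TO ROLE IMMUTA_SYSTEM_ROLE;
GRANT REFERENCES ON ALL    VIEWS  IN SCHEMA ANALYTICS.SALES TO ROLE IMMUTA_SYSTEM_ROLE;
GRANT REFERENCES ON FUTURE TABLES IN SCHEMA ANALYTICS.SALES TO ROLE IMMUTA_SYSTEM_ROLE;
GRANT REFERENCES ON FUTURE VIEWS  IN SCHEMA ANALYTICS.SALES TO ROLE IMMUTA_SYSTEM_ROLE;

-- Assumption: the connection form names a warehouse the system account will run
-- queries in, so the role also needs USAGE on that warehouse.
GRANT USAGE ON WAREHOUSE IMMUTA_WH TO ROLE IMMUTA_SYSTEM_ROLE;

-- 3. Bind the role to the system account.
GRANT ROLE IMMUTA_SYSTEM_ROLE TO USER IMMUTA_SYSTEM_ACCOUNT;

-- Verification: confirm nothing beyond the intended grants was attached.
SHOW GRANTS TO ROLE IMMUTA_SYSTEM_ROLE;
SHOW GRANTS TO USER IMMUTA_SYSTEM_ACCOUNT;
```

Keep this role separate from the privileged account that runs the generated script in the Register a connection step; the system account only needs the grants above to operate.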
Register a connection
To register a Snowflake connection, follow the instructions below.
Click Data and select the Connections tab in the navigation menu.
Click the + Add Connection button.
Select the Snowflake data platform tile.
Enter the connection information:
Host: The URL of your Snowflake account.
Port: Your Snowflake port.
Warehouse: The warehouse the Immuta system account user will use to run queries and perform Snowflake operations.
Immuta Database: The new, empty database for Immuta to manage. This is where system views, user entitlements, row access policies, column-level policies, procedures, and functions managed by Immuta will be created and stored.
Display Name: The display name is the unique name of your connection and is used as a prefix in the names of all data objects associated with this connection. It also appears as the display name in the UI and is used in all API calls made to update or delete the connection.
Click Next.
Select an authentication method from the dropdown menu and enter the authentication information for the Immuta system account you created. Enter the Role with the listed privileges, then continue to enter the authentication information:
Username and password (Not recommended): Choose one of the following options.
Select Immuta Generated to have Immuta populate the system account name and password.
Select User Provided to enter your own name and password for the Immuta system account.
Snowflake External OAuth:
Fill out the Token Endpoint, which is where the generated token is sent. It is also known as aud (audience) and iss (issuer).
Fill out the Client ID, which is the subject of the generated token. It is also known as sub (subject).
Opt to fill out the Resource field with a URI of the resource where the requested token will be used.
Enter the x509 Certificate Thumbprint. This identifies the corresponding key to the token and is often abbreviated as x5t or is called kid (key identifier).
Upload the PEM Certificate, which is the client certificate that is used to sign the authorization request.
Complete the Username field. This user must be assigned the public key in Snowflake.
If using an encrypted private key, enter the Private Key Password.
Click Select a File, and upload the Snowflake private key pair file.
Copy the provided script and run it in Snowflake as a user with the privileges listed in the requirements section.
Click Test Connection.
If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
Ensure all the details are correct in the summary and click Complete Setup.