Register a Snowflake Connection

Public preview

This feature is public preview and available to select accounts. Reach out to your Immuta support professional to enable it on your tenant.

Requirements

The following permissions and personas are used in the registration process:

  • Immuta permission: CREATE_DATA_SOURCE

  • Snowflake permissions for the user registering the connection and running the script:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION

    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION

    • CREATE USER ON ACCOUNT WITH GRANT OPTION

    • MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION

    • APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION

    • APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION

    • REFERENCES on all tables

    • USAGE on the schema and database to register data sources

  • Snowflake permissions for the new Immuta system user that is created:

    • APPLY MASKING POLICY ON ACCOUNT

    • APPLY ROW ACCESS POLICY ON ACCOUNT

    • Additional grants associated with the IMMUTA database
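The registering user needs the account-level privileges WITH GRANT OPTION because the script run in step 8 below creates the Immuta system user and grants it the policy privileges listed above. The following is an added example, not Immuta's generated script: it puts exactly the listed privileges on a dedicated, disposable role rather than registering the connection as ACCOUNTADMIN. The role name IMMUTA_SETUP_ROLE, the operator JANE_DOE, and the source database ANALYTICS with schema PUBLIC are assumed placeholders.

```sql
-- Added example (not the Immuta-provided script). Assumed names:
-- IMMUTA_SETUP_ROLE (temporary role), JANE_DOE (person registering the
-- connection), ANALYTICS.PUBLIC (schema whose tables will become data sources).
USE ROLE ACCOUNTADMIN;   -- needed to hand out account-level privileges WITH GRANT OPTION

CREATE ROLE IF NOT EXISTS IMMUTA_SETUP_ROLE
  COMMENT = 'Temporary role for registering the Immuta Snowflake connection';

-- Account-level privileges from the Requirements list, each WITH GRANT OPTION
-- so the registration script can pass them on to the Immuta system user/role.
GRANT CREATE DATABASE         ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT CREATE ROLE             ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT CREATE USER             ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT MANAGE GRANTS           ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT APPLY MASKING POLICY    ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE IMMUTA_SETUP_ROLE WITH GRANT OPTION;

-- Object-level privileges needed to register data sources from ANALYTICS.PUBLIC.
GRANT USAGE      ON DATABASE ANALYTICS                  TO ROLE IMMUTA_SETUP_ROLE;
GRANT USAGE      ON SCHEMA   ANALYTICS.PUBLIC           TO ROLE IMMUTA_SETUP_ROLE;
GRANT REFERENCES ON ALL TABLES    IN SCHEMA ANALYTICS.PUBLIC TO ROLE IMMUTA_SETUP_ROLE;
-- ON ALL covers only tables that exist now; add a FUTURE grant for tables created later.
GRANT REFERENCES ON FUTURE TABLES IN SCHEMA ANALYTICS.PUBLIC TO ROLE IMMUTA_SETUP_ROLE;

GRANT ROLE IMMUTA_SETUP_ROLE TO USER JANE_DOE;

-- Check: every account-level grant on the role must carry grant_option = true.
-- Any row returned here is a privilege that was granted without it.
SHOW GRANTS TO ROLE IMMUTA_SETUP_ROLE;
SELECT "privilege", "granted_on", "name", "grant_option"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" = 'ACCOUNT'
  AND "grant_option"::string <> 'true';
-- Expected: zero rows.

-- Once the connection is registered (step 11), the elevated role is no longer
-- needed by the operator:
-- REVOKE ROLE IMMUTA_SETUP_ROLE FROM USER JANE_DOE;
-- DROP ROLE IMMUTA_SETUP_ROLE;
```

Run the script from step 8 with `USE ROLE IMMUTA_SETUP_ROLE` active; the SHOW GRANTS check above is the quickest way to find a missing WITH GRANT OPTION before the script fails partway through.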

Prerequisite

No Snowflake native integration configured in Immuta. If your Snowflake native integration is already configured on the app settings page, follow the Use the connection upgrade manager guide.

Register a connection

To register a Snowflake connection, follow the instructions below.

  1. Click Data and select the Infrastructure tab in the navigation menu.

  2. Click the + Add Host button.

  3. Select the Snowflake data platform tile.

  4. Enter the connection information:

    • Host: The URL of your Snowflake account.

    • Port: Your Snowflake port.

    • Warehouse: The warehouse the Immuta system account user will use to run queries and perform Snowflake operations.

    • Immuta Database: The new, empty database for Immuta to manage. This is where system views, user entitlements, row access policies, column-level policies, procedures, and functions managed by Immuta will be created and stored.

    • Role: The default Snowflake role for the Immuta system account user.

    • Connection Key: The unique name of this connection. It is used as a prefix in the names of all data objects associated with the connection, appears as the display name in the UI, and is the identifier used in all API calls that update or delete the connection.

  5. Click Next.

  6. Select an authentication method from the dropdown menu. This authentication information will be included in the script populated later on the page.

    1. Username and password: Choose one of the following options.

      1. Select Immuta Generated to have Immuta populate the system account name and password.

      2. Select User Provided to enter your own name and password for the Immuta system account.

    2. Snowflake External OAuth:

      1. Fill out the Token Endpoint, which is where the generated token is sent. It is also known as aud (audience) and iss (issuer).

      2. Fill out the Client ID, which is the subject of the generated token. It is also known as sub (subject).

      3. Opt to fill out the Resource field with a URI of the resource where the requested token will be used.

      4. Enter the x509 Certificate Thumbprint. This identifies the key that corresponds to the token's signature; it is often abbreviated x5t or called kid (key identifier).

      5. Upload the PEM Certificate, which is the client certificate that is used to sign the authorization request.

    3. Key Pair Authentication:

      1. Complete the Username field. This username will be used to connect to the remote database and retrieve records for this data source.

      2. If the private key is encrypted, enter the Private Key Password.

      3. Click Select a File and upload the private key file of the Snowflake key pair.

  7. The Role is prepopulated from the entry on the previous page.

  8. Copy the provided script and run it in Snowflake as a user whose active role holds the following Snowflake privileges:

    • CREATE DATABASE ON ACCOUNT WITH GRANT OPTION

    • CREATE ROLE ON ACCOUNT WITH GRANT OPTION

    • CREATE USER ON ACCOUNT WITH GRANT OPTION

    • MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION

    • APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION

    • APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION

  9. Click Test Connection.

  10. If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.

  11. Ensure all the details are correct in the summary and click Complete Setup.
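After Complete Setup, it is worth confirming in Snowflake that the system user the script created holds only what the Requirements section lists: APPLY MASKING POLICY and APPLY ROW ACCESS POLICY at account scope, plus grants on the Immuta database. The following is an added verification example, not part of the Immuta script or this page; the names IMMUTA_SYSTEM_ACCOUNT (system user), IMMUTA_SYSTEM_ROLE (the role entered in the Role field) and IMMUTA (the Immuta Database) are assumed placeholders to replace with your own values.

```sql
-- Added post-registration check (not Immuta's script). Assumed names:
-- IMMUTA_SYSTEM_ACCOUNT, IMMUTA_SYSTEM_ROLE, database IMMUTA.
USE ROLE SECURITYADMIN;

-- 1. Account-level privileges on the Immuta role. Only the two policy
--    privileges are expected at account scope; any other row is a finding.
SHOW GRANTS TO ROLE IMMUTA_SYSTEM_ROLE;
SELECT "privilege", "granted_on", "name", "grant_option"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" = 'ACCOUNT'
  AND "privilege" NOT IN ('APPLY MASKING POLICY', 'APPLY ROW ACCESS POLICY');
-- Expected: zero rows.

-- 2. The system user should be granted only its own role (no ACCOUNTADMIN,
--    SYSADMIN or other roles that would widen what Immuta can do).
SHOW GRANTS TO USER IMMUTA_SYSTEM_ACCOUNT;
SELECT "role"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "role" <> 'IMMUTA_SYSTEM_ROLE';
-- Expected: zero rows.

-- 3. The "additional grants associated with the IMMUTA database": list who
--    holds what on the managed database so the scope is visible and reviewable.
SHOW GRANTS ON DATABASE IMMUTA;
SELECT "privilege", "grantee_name", "grant_option"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
ORDER BY "grantee_name", "privilege";

-- 4. How the system user authenticates and what it defaults to. With key pair
--    authentication RSA_PUBLIC_KEY_FP is populated; DEFAULT_ROLE and
--    DEFAULT_WAREHOUSE should match the Role and Warehouse entered in step 4.
DESCRIBE USER IMMUTA_SYSTEM_ACCOUNT;
SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('DEFAULT_ROLE', 'DEFAULT_WAREHOUSE', 'RSA_PUBLIC_KEY_FP', 'DISABLED');
```

Checks 1 and 2 are the ones to keep in a periodic access review: the Immuta system user is a standing privileged principal, and a later manual GRANT to its role would not show up in the Immuta UI.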


Copyright © 2014-2024 Immuta Inc. All rights reserved.