Snowflake as a source connection

info

Snowflake as a Source is currently in the beta stage.

Snowflake is a robust cloud-based data warehouse that serves as a Source in data integration workflows and is known for its high performance, scalability, and separation of storage and compute. With Data Integration, you can seamlessly extract data from multiple sources and load it into Snowflake for analysis and reporting.

Using Snowflake as a Source in Data Integration, you can leverage Snowflake’s robust data warehousing and querying capabilities while integrating that data into workflows managed by Data Integration.

Snowflake as a source compatibility versions

River modes	Versions supported	Support for managing schema drift
Multi-Tables (Standard Extraction)	All Versions	Yes
Custom Query	All Versions	Yes

note

You must create a new connection for using Snowflake as a Source. You cannot use connections configured for Snowflake as a Target.

Prerequisites

Before proceeding, ensure you have an active Snowflake account.

If you do not have a valid Snowflake account, create one. If you or your company already has a Snowflake account, you can connect/create a Data Integration user.

Setting up your Snowflake environment

Data Integration Snowflake environment can be configured in two ways. Select only one option, depending on your access and security requirements.

• Method 1: This method grants an existing user the SYSADMIN role, which enables Data Integration provides access to all objects in the database and extracts from and ingests to new and existing tables.

• Method 2: This method either creates or uses existing user, role, database, and warehouse, depending on the settings, and provides Data Integration the ability to ingest data to and/or extract data from (depending on the settings) said objects.

Method 1: Global permission with sysadmin role(First Method)

Snowflake provides a single user to have multiple roles. Data Integration must execute various commands on Snowflake and assign a SYSADMIN role to the Data Integration user.

Procedure

1. Navigate to your Snowflake console. Log in with a user who has access to the ACCOUNTADMIN role.
2. Select the worksheet tab.
3. Run the following commands:

   BEGIN;
   
    /* Set variables for script, select an existing user or create a new one, replace the value after var_user with 
    the name of the user, do not forget to replace {password} with the password of your choice 
    if you are creating a new user. */
   
      set var_user = 'Data_Integration_USER';
      set var_password = '{password}';
      
    /* switch to ACCOUNTADMIN role: only an ACCOUNTADMIN can set or unset a user’s role */
       USE ROLE accountadmin;
       
       /* Create a user for {conKeyRefs.DataIntegration} or use an existing one */
      create user if not exists identifier($var_user)
      password = $var_password;
      
       GRANT ROLE SYSADMIN TO USER identifier($var_user);
       ALTER USER identifier($var_user) SET DEFAULT_ROLE = SYSADMIN;
   COMMIT; 

Method 2: Specific permission with custom role(Second Method)

Copy the following script to your Snowflake console, making sure to change the variables to your desired values and only run the necessary steps.

BEGIN;
 /* Set variables for script, You can choose to work with the default suggested values in the script or use your own. 
 Do not forget to replace {password} with the password of your choice if you are creating a new user. */
   SET var_user = 'DATA_INTEGRATION_USER';
   SET var_password = '{password}';
   SET var_role = 'DATA_INTEGRATION_ROLE';
   SET var_database = 'DATA_INTEGRATION_DATABASE';
   SET var_warehouse = 'DATA_INTEGRATION_WAREHOUSE';
   SET var_schema = 'DATA_INTEGRATION_SCHEMA';  -- Add your schema here
   
  /* Switch to securityadmin role:  
Role that can manage any object grant globally, as well as create, monitor, and manage users and roles */
   USE ROLE SECURITYADMIN;
   
   /* Create role for DATA_INTEGRATION */
   CREATE ROLE IF NOT EXISTS IDENTIFIER($var_role);
   
   /* Create a user for DATA_INTEGRATION */
   CREATE USER IF NOT EXISTS IDENTIFIER($var_user)
   PASSWORD = $var_password
 DEFAULT_ROLE = $var_role
 DEFAULT_WAREHOUSE = $var_warehouse;
   
   /* Grant role to the new user */
   GRANT ROLE IDENTIFIER($var_role) TO USER IDENTIFIER($var_user);
   
  /* switch to sysadmin role: 
Role that has privileges to create warehouses and databases (and other objects) in an account. */
   USE ROLE SYSADMIN;
   
   /* Create warehouse for Data_Integration (optional) */
   CREATE WAREHOUSE IF NOT EXISTS IDENTIFIER($var_warehouse)
 WAREHOUSE_SIZE = XSMALL
 WAREHOUSE_TYPE = STANDARD
 AUTO_SUSPEND = 300
 AUTO_RESUME = TRUE
 INITIALLY_SUSPENDED = TRUE;
   
   /* Create database for Data_Integration (optional) */
   CREATE DATABASE IF NOT EXISTS IDENTIFIER($var_database);
   
   /* Create schema in the database (optional) */
   CREATE SCHEMA IF NOT EXISTS IDENTIFIER($var_database).IDENTIFIER($var_schema);
  
  /* Grant Data_Integration role access to the warehouse */
   GRANT USAGE
   ON WAREHOUSE IDENTIFIER($var_warehouse)
   TO ROLE IDENTIFIER($var_role);
   
   /* Grant Data_Integration role access to the database */
   GRANT USAGE
   ON DATABASE IDENTIFIER($var_database)
   TO ROLE IDENTIFIER($var_role);
   
   /* Grant Data_Integration role access to the schema */
   GRANT USAGE
   ON SCHEMA IDENTIFIER($var_database).IDENTIFIER($var_schema)
   TO ROLE IDENTIFIER($var_role);
   
   /* Grant minimum access to tables for COPY INTO operations */
   GRANT SELECT
   ON ALL TABLES IN SCHEMA IDENTIFIER($var_database).IDENTIFIER($var_schema)
   TO ROLE IDENTIFIER($var_role);
   
   /* Grant the Data_Integration role the ability to use the COPY INTO command */
   GRANT INSERT
   ON ALL TABLES IN SCHEMA IDENTIFIER($var_database).IDENTIFIER($var_schema)
   TO ROLE IDENTIFIER($var_role);

COMMIT;

note

If you want to add Masking Policy permissions for this user, refer to the enforce masking policy section.

(Optional)Create network policy for Data Integration IPs

In some cases, your Snowflake account may be access-restricted by IPs or domains. In such cases, you must add Data Integration IPs to your Snowflake Network Policy to connect successfully.

note

Open Data Integration IPs in Snowflake Network Policies may block any other unspecified IPs in the network policy. Make sure you have whitelisted all your IPs in Snowflake’s network policies before creating Data Integration. Read more about network policies here.

Create a Network Policy for Data Integration IPs

Procedure

1. Log in to your Snowflake account.
2. Make sure the user is set to an ACCOUNTADMIN or SYSADMIN role.
3. In the worksheet, run the following command:

   CREATE OR REPLACE NETWORK POLICY Data_IntegrationIPs ALLOWED_IP_LIST = (Copy our most recent whitelisted IPs here)

info

Data Integration Whitelist IPs

Supported objects

When using Snowflake as a source, the following objects are fully supported:

• Tables
• Views
• Materialized Views (available exclusively for Enterprise accounts)

This compatibility ensures a seamless integration with Snowflake's data storage and processing capabilities. You can efficiently extract data from standard tables, which store raw data records, as well as from views, which may present aggregated or transformed data based on your business requirements.

Establishing a connection

You can connect to Snowflake using one of three methods:

• Basic Authentication
• OAuth2 Authentication
• Key-Pair Authentication

Basic authentication

You can connect to your Snowflake account using Basic Authentication.

Procedure

1. Navigate to Data Integration console.
2. Click Connections from the left-hand menu.
3. In the Snowflake Connection form type, enter your Connection Name.
4. Select the Basic Authentication Type.
5. Enter your Username and Password.
   note

   Snowflake passwords are restricted from including special characters such as {, }, ", ?, /, #,*, and others.

6. Enter the name of your Warehouse (mandatory).
7. Enter your Database name (mandatory).
8. Enter the name of your Role (optional).
   note

   If you leave it blank, the account's default one will be used. In this case, the default Role must have access to the selected Warehouse; otherwise, the connection will fail.

9. Enter your Account Name (mandatory).
   note

   To obtain your Account Name, click on your account details at the bottom left of the Snowflake account. Hover over your account to copy your Account URL that follows the format: https://account-name.eu-central-1.snowflakecomputing.com. In this case, the Account Name is account-name.eu-central-1. If you use Snowflake on other cloud platforms, include the cloud provider in the account name by appending it with a dot. For example: account-name.eu-central-1.gcp. :::

10. Click Test Connection to verify your connection is up to the task. If the connection succeeded, you can use this connection in Data Integration. You can pipe data to Snowflake by leveraging this connection in any River.

OAuth2 authentication

Connect to Snowflake using OAuth2 authentication to extract data securely. This setup uses a read-only user only.

Prerequisites

1. Create a custom OAuth integration in Snowflake.
2. Ensure the integration:
   • Has OAUTH_CLIENT = CUSTOM
   • Issues refresh tokens
   • Specifies ALLOWED_ROLES (For example, READER)
   • Includes the correct OAUTH_REDIRECT_URI for your region
3. Grant usage of the integration to your read-only user:

   GRANT USAGE ON INTEGRATION my_oauth_integration TO USER readonly_user;
   Example: OAuth Integration with 90-Day Token

   CREATE SECURITY INTEGRATION my_oauth_source
   TYPE = OAUTH
   ENABLED = TRUE
   OAUTH_CLIENT = CUSTOM
   OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
   OAUTH_REDIRECT_URI = 'https://console.rivery.io/api/oauthcallback/snowflake'
   OAUTH_ISSUE_REFRESH_TOKENS = TRUE
   OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE
   ALLOWED_ROLES = ('READER')
   OAUTH_REFRESH_TOKEN_VALIDITY = '90 days';

Redirect URIs by region

Region	Redirect URI
US	https://console.rivery.io/api/oauthcallback/snowflake
EU	https://eu-west-1.console.rivery.io/api/oauthcallback/snowflake
IL	https://il-central-1.console.rivery.io/api/oauthcallback/snowflake

Required fields

Field	Description
Client ID	From the OAuth2 app registered in Snowflake
Client Secret	From the OAuth2 app
Account Name	For example, xy12345.east-us-2.azure
Role	Must be a read-only role, For example, READER
Username	Snowflake user assigned the read-only role

Creating a connection

Procedure

1. Navigate to the Data Integration Account.

2. Click Connections and select + New Connection.

3. Choose the Snowflake connection.

4. Enter the required fields.

5. Click Connect to Snowflake.

6. Authenticate through the Snowflake login page.

   After successful authentication, the integration receives:

   • Access token – used for running queries

   • Refresh token – used for maintaining session continuity

     All tokens are securely stored.

note

• Client ID/Secret: Use the exact values from your Snowflake OAuth app.
• Account Name: Format as <org>-<account>.<region>.<cloud> (do not include protocol or domain).
• Role: Make sure to include in the ALLOWED_ROLES of the integration.
• Username: Case-sensitive and must be granted usage on the integration.
• Redirect URI: Must have the exact match with the URI specified in your Snowflake integration.

Key-Pair authentication

You can connect to your Snowflake account using Key-Pair Authentication.

Procedure

1. Open a Terminal to generate the private key. (Mac/ Linux)

   note

   Windows is not supported.

2. Enter the following command into your Terminal window to download the Key file to your Documents folder:

   cd Documents
   note

   To confirm the command, click the Enter key.

3. Run the following command to generate a decrypted version of the Key:

   openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
   note

   Data Integration does not support key-pair authentication with an encrypted private key.

4. Create the Public key by referencing the Private key. Copy and run it:

   openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
5. This enables you to generate a private key in PEM (Privacy Enhanced Mail) format:

   cat rsa_key.pub

6. To assign the public key to a Snowflake user, run the ALTER USER command in your Snowflake console:
   note

   Replace < Username > with your Snowflake Username.

   alter user < Username > set rsa_public_key='';

7. Copy the PEM format and paste it between the apostrophes in the Snowflake console code.

8. Go to the Connections menu in Data Integration.

9. Fill out the Snowflake Connection form with the following information:

   a. Type in Connection Name.

   b. Select the Key-Pair Authentication Type.

   c. Enter your Username.

   d. Enter the name of your Warehouse (mandatory).

   e. Enter your Database name (mandatory).

   f. Enter the name of your Role (optional).

   note

   If you leave it blank, the account's default one will be used, and in that case, the default Role must have access to the selected Warehouse, or the connection will fail.

   g. Input your Account Name (mandatory).

   info

   To obtain your Account Name, click on your account details at the bottom left of the Snowflake UI. Hover over your account to view the option to copy your Account URL, which follows this format: https://account-name.eu-central-1.snowflakecomputing.com. In this case, the Account Name would be account-name.eu-central-1. If you use Snowflake on other cloud platforms, include the cloud provider in the account name by appending it with a dot. For example: account-name.eu-central-1.gcp.

10. Drag the rsa_key.p8 file from your Documents folder to the label, or browse for it.
11. Click Test Connection to verify your connection is up to the task. If the connection succeeded, you can now use this connection in Data Integration.

Refer to the Snowflake documentationto generate an encrypted Key or for more information on the Key-Pair configuration process.