Connecting Snowflake

Last updated: October 8, 2024

After this article...

You'll be able to connect the Snowflake integration to Lumos and resolve common issues that arise when connecting.

Required plan & roles

There's no minimum Snowflake plan required to connect the integration.

Most businesses will use the Snowflake Account Administrator role to connect the integration. However, the USERADMIN role can be leveraged instead, as long as the USER object is owned by this role.

Instructions

In Snowflake

1. Create a dedicated integration user with the Account Administrator role

Before you begin, we strongly recommend creating a dedicated Snowflake user for the Lumos integration to keep it decoupled from a specific employee's account.

This integration user needs to have the Account Administrator (accountadmin) role. The statements to execute are below.

USE ROLE accountadmin;
CREATE ROLE LUMOS_ADMIN;
GRANT ROLE accountadmin TO ROLE LUMOS_ADMIN;

GRANT MANAGE GRANTS ON ACCOUNT TO ROLE LUMOS_ADMIN;
GRANT CREATE USER ON ACCOUNT TO ROLE LUMOS_ADMIN;

// You need to remove the "" from the password string
// and replace CHANGE_ME with a strong password of your choosing.
CREATE USER LUMOS_ADMIN LOGIN_NAME=lumosadmin PASSWORD='"CHANGE_ME"';
GRANT ROLE LUMOS_ADMIN to user LUMOS_ADMIN;

2. Create a Snowflake OAuth app

The next step is creating an OAuth app for Lumos in Snowflake. The commands to execute are below.

CREATE OR REPLACE SECURITY INTEGRATION LUMOS_OAUTH
TYPE=oauth
ENABLED=true
OAUTH_CLIENT=CUSTOM
OAUTH_CLIENT_TYPE='CONFIDENTIAL'
OAUTH_REDIRECT_URI='https://app.lumosidentity.com/integrations/snowflake_oauth2_callback'
OAUTH_ISSUE_REFRESH_TOKENS=true
OAUTH_REFRESH_TOKEN_VALIDITY=7776000
;

By default, Snowflake only allows OAuth apps to remain valid for 90 days. After that, you'll need to generate a new OAuth app and reconnect the integration.

To extend your OAuth expiration timeline, you can follow the instructions in this article (the "could the Refresh Tokens' validity be increased beyond the Maximum limit in special circumstances?" section) to increase OAUTH_REFRESH_TOKEN_VALIDITY to the maximum duration of 31104000 (360 days).

3. Get the Client ID and Client Secret for your OAuth app.

Execute the command below to get your OAuth credentials.

SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('LUMOS_OAUTH');

Temporarily save these values to copy into Lumos.

4. Get your Snowflake account identifier

Execute the command below to get your Snowflake account ID.

SELECT CURRENT_ACCOUNT();

Temporarily save this value for to copy into Lumos.

In Lumos

1. Find the Snowflake card in your Lumos integrations. (Reconnect or add new)

2. Fill in the corresponding fields:

  • Account Identifier - The value returned by the statement in step 4 above.

    Client ID - The OAuth client ID generated in step 3 above.

    Client Secret - The OAuth client secret generated in step 3 above.

    Role Name - The name of the role you created in step 1 above (it must be LUMOS_ADMIN)

3. Click Connect Snowflake.  You'll be asked in the Oauth popup to enter the username and password you created in step 1 above. Complete this process to connect the integration!

Troubleshooting/FAQs

I can't connect the Snowflake integration.

Make sure all of the values from the Snowflake steps above match the values Snowflake generated.

How do you validate the Snowflake integration?

We make two calls to your Snowflake tenant, one to get the integration user and another to describe that user.

Get Current User: https://docs.snowflake.com/en/sql-reference/functions/current_user

We execute the following command.

SELECT CURRENT_USER;

Describe Current User: https://docs.snowflake.com/en/sql-reference/sql/desc-user (we use the username from the integration user)

We execute the following command.

DESCRIBE USER {INTEGRATION_SNOWFLAKE_USER_ID};

If we are able to describe the user, we consider the integration successful.