Connect Snowflake to Drata in order to review the list of users with access to Snowflake in your organization. Get ahead of any permissions issues and stay on top of your user access reviews.

BEFORE DIVING IN

Ensure you have Admin (ACCOUNTADMIN) access to your company's Snowflake account.
Set up a snowflake role, security integration, and user account. Follow these instructions in order to create the role, integration, and account.
- Create a snowflake role:
  1. Log in as an account admin (ACCOUNTADMIN).
  2. Select a warehouse to use. For these instructions, the warehouse we use is COMPUTE_WH.
  3. We will utilize the Snowflake worksheet and create SQL commands to create what we need such as creating a new role. The new role we create will be called TEST_AUTH_ROLE.
    SQL command to create a new role:
    CREATE ROLE TEST_AUTH_ROLE;
  4. Run the command to create the role.
  5. Add the necessary privileges to the newly created role by running the following command.
    GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE TEST_AUTH_ROLE;
    You may need to highlight the command and then run to only run that command.
- Create the security integration:
  1. Next, you'll need to create a security integration for the role. Enter and run the following command:
    CREATE SECURITY INTEGRATION TEST_LOCAL_OAUTH
    TYPE = OAUTH
    ENABLED = TRUE
    OAUTH_CLIENT = CUSTOM
    OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
    OAUTH_REDIRECT_URI = 'https://app.drata.com/callback/snowflake'
    OAUTH_ISSUE_REFRESH_TOKENS = TRUE
    PRE_AUTHORIZED_ROLES_LIST = ('TEST_AUTH_ROLE');
  2. Grant the USAGE privilege for the warehouse to the role. Run the following command to give access to the COMPUTE_WH warehouse. Ensure to replace COMPUTE_WH with your warehouse name.
    GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE TEST_AUTH_ROLE;
- Create the new user account:
  1. You will need to create a new user for this role. Enter and run the following command to create a new user (replace drata_test_user_1 with your desired account name and enterpassword with your desired password):
    CREATE USER drata_test_user_1 PASSWORD = 'enterpassword' DEFAULT_ROLE = TEST_AUTH_ROLE;
  2. Grant the role to the new user by running this command:
    GRANT ROLE TEST_AUTH_ROLE TO USER drata_test_user_1;
- Now you can gather your Account Identifier, Client ID, and Client Secret. You will need these values to connect to Drata.
  1. To get your Account Identifier, navigate to the place shown in the image below.
  2. To retrieve the OAuth Client ID and Client Secret for your Snowflake account. To do so, run this command:
    SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS ('TEST_LOCAL_OAUTH');

Connect Snowflake to Drata

On the Connections page, select Available connections and select the User Access Review category or search for Snowflake at the top search bar and select the Connect button.
Follow the instructions displayed on the drawer. Take your time and complete one step entirely before moving on to the next.
- Account Identifier: Enter your Snowflake’s account identifier. To find your account identifier, refer to Finding the Organization and Account Name for an Account.
- Client ID: Enter your Snowflake’s client ID. To find your client ID, refer to Snowflake’s Reference API documentation (SYSTEM$SHOW_OAUTH_CLIENT_SECRETS).
- Client Secret: Enter your Snowflake’s client secret. To find your client secret, refer to Snowflake’s Reference API documentation (SYSTEM$SHOW_OAUTH_CLIENT_SECRETS).
- Warehouse: Enter the warehouse you would like to review access for compliance purposes. To find your list of warehouses, refer to Snowflake’s Reference API documentation (SHOW WAREHOUSES).

The following image displays the connection drawer’s instructions.

Additional resources

User Access Review