Skip to main content
Snowflake Connection

User Access Review connection: Connect Snowflake to Drata to review the list of users with access to Snowflake in your organization.

Updated over 3 months ago

Connect Snowflake to Drata in order to review the list of users with access to Snowflake in your organization. Get ahead of any permissions issues and stay on top of your user access reviews.

BEFORE DIVING IN

  • Ensure you have Admin (ACCOUNTADMIN) access to your company's Snowflake account.

  • Set up a snowflake role, security integration, and user account. Follow these instructions in order to create the role, integration, and account.

    • Create a snowflake role:

      1. Log in as an account admin (ACCOUNTADMIN).

      2. Select a warehouse to use. For these instructions, the warehouse we use is COMPUTE_WH.

      3. We will utilize the Snowflake worksheet and create SQL commands to create what we need such as creating a new role. The new role we create will be called TEST_AUTH_ROLE.

        • SQL command to create a new role:

          CREATE ROLE TEST_AUTH_ROLE;
      4. Run the command to create the role.

      5. Add the necessary privileges to the newly created role by running the following command.

        GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE TEST_AUTH_ROLE;
        • You may need to highlight the command and then run to only run that command.

    • Create the security integration:

      1. Next, you'll need to create a security integration for the role. Enter and run the following command:

        CREATE SECURITY INTEGRATION TEST_LOCAL_OAUTH 
        TYPE = OAUTH
        ENABLED = TRUE
        OAUTH_CLIENT = CUSTOM
        OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
        OAUTH_REDIRECT_URI = 'https://app.drata.com/callback/snowflake'
        OAUTH_ISSUE_REFRESH_TOKENS = TRUE
        PRE_AUTHORIZED_ROLES_LIST = ('TEST_AUTH_ROLE');
      2. Grant the USAGE privilege for the warehouse to the role. Run the following command to give access to the COMPUTE_WH warehouse. Ensure to replace COMPUTE_WH with your warehouse name.

        GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE TEST_AUTH_ROLE;
    • Create the new user account:

      1. You will need to create a new user for this role. Enter and run the following command to create a new user (replace drata_test_user_1 with your desired account name and enterpassword with your desired password):

        CREATE USER drata_test_user_1 PASSWORD = 'enterpassword' DEFAULT_ROLE = TEST_AUTH_ROLE;
      2. Grant the role to the new user by running this command:

        GRANT ROLE TEST_AUTH_ROLE TO USER drata_test_user_1;
    • Now you can gather your Account Identifier, Client ID, and Client Secret. You will need these values to connect to Drata.

      1. To get your Account Identifier, navigate to the place shown in the image below.

      2. To retrieve the OAuth Client ID and Client Secret for your Snowflake account. To do so, run this command:

        SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS ('TEST_LOCAL_OAUTH');

Connect Snowflake to Drata

  1. On the Connections page, select Available connections and select the User Access Review category or search for Snowflake at the top search bar and select the Connect button.

    Snowflake connection on Connection page
  2. Follow the instructions displayed on the drawer. Take your time and complete one step entirely before moving on to the next.

The following image displays the connection drawer’s instructions.

Snowflake connection instruction drawer

Additional resources

Did this answer your question?