Skip to main content

Snowflake Integration Guide

User Access Review connection: Connect Snowflake to Drata to review the list of users with access to Snowflake in your organization.

Updated yesterday

The Snowflake integration enables security and compliance teams to review who has access to Snowflake in their organization. It connects Drata to Snowflake so your team can monitor user access, identify permission issues, and stay on top of user access reviews.

Key Capabilities

  • User access review data: Review the list of users with access to Snowflake

  • Access governance support: Identify and validate access permissions for compliance

  • Automated evidence collection: Sync Snowflake access data into Drata for user access reviews

Prerequisites & Data Access

  • Admin access to your Snowflake account: ACCOUNTADMIN

  • Ability to create a dedicated Snowflake service user (non-human account) for the integration, configured to use key-pair or SSO-based authentication instead of password-only sign-in.

  • Access to a Snowflake warehouse

  • Ability to retrieve the following values for setup:

    • Account Identifier

    • Client ID

    • Client Secret

    • Warehouse

  • Required Drata Role with Write access: Admin, Workspace Managers, DevOps Engineer

  • Access Reviewers (Access Reviewers can only Read the connection page they can’t make changes)

Permissions & Data Table

Permission/Scope

Why It’s Needed

ACCOUNTADMIN

Required to create the role, security integration, and user needed for the connection

Imported privileges on SNOWFLAKE database

Allows the integration role to access Snowflake account metadata

Warehouse usage privilege

Allows the integration role to use the specified warehouse

OAuth client credentials

Allows Drata to authenticate to Snowflake securely

Step-by-Step Setup

Step 1: Select a Warehouse

  1. Log in to Snowflake as an ACCOUNTADMIN user.

  2. Choose the warehouse you want to use for the integration.

  3. For these instructions, the example warehouse is COMPUTE_WH.

Expected outcome: You have identified the Snowflake warehouse to use for the integration.

Step 2: Create a Snowflake Role

  1. Open a Snowflake worksheet.

  2. Run the following SQL command to create a new role:

    CREATE ROLE TEST_AUTH_ROLE;

  3. Grant imported privileges on the Snowflake database to the role:

    GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE TEST_AUTH_ROLE;

Expected outcome: A new Snowflake role exists with access to required Snowflake metadata.

Step 3: Create the Security Integration

  1. In the Snowflake worksheet, run the following SQL command:

    CREATE SECURITY INTEGRATION TEST_LOCAL_OAUTH 
    TYPE = OAUTH 
    ENABLED = TRUE 
    OAUTH_CLIENT = CUSTOM 
    OAUTH_CLIENT_TYPE = 'CONFIDENTIAL' 
    OAUTH_REDIRECT_URI = 'https://app.drata.com/callback/snowflake' 
    OAUTH_ISSUE_REFRESH_TOKENS = TRUE 
    PRE_AUTHORIZED_ROLES_LIST = ('TEST_AUTH_ROLE');

  2. Grant warehouse usage to the role. Replace COMPUTE_WH with your warehouse name if different:

    GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE TEST_AUTH_ROLE;

Expected outcome: The security integration is created and the role can use the selected warehouse.

Step 4: Create the Integration User

  1. Run the following command to create a dedicated user for Drata. This keeps the integration's activity separate from your personal account.

    CREATE USER drata_integration_user
      TYPE = SERVICE
      DEFAULT_ROLE = TEST_AUTH_ROLE
      MUST_CHANGE_PASSWORD = FALSE;

    • Note: If your version of Snowflake does not support TYPE = SERVICE, you can omit that line, but we highly recommend it for security.

  2. Snowflake is deprecating passwords for service users and recommends stronger authentication methods. Instead of a standard password, configure this integration user to use key-pair authentication (or SSO) in line with Snowflake’s guidance.

    • First: Generate your public and private keys (following Snowflake’s official guide).

    • Then: Attach the public key to the Drata user by running this command (replace the text in quotes with your actual public key string):

      ALTER USER drata_integration_user
      SET RSA_PUBLIC_KEY='Replace the text';

    • 💡 Why Key-Pair?
      Key-pair authentication is significantly more secure than a password for automated integrations. It ensures that only a system with the matching private key can "talk" to your Snowflake data.

  3. Finally, you must give the new user permission to use the TEST_AUTH_ROLE. Without this step, the user exists but won't have the "keys to the room" they need to work.

    GRANT ROLE TEST_AUTH_ROLE TO USER drata_integration_user;

Expected outcome: A dedicated Snowflake service user exists, has the integration role assigned, and is configured to use strong authentication (key-pair or SSO) instead of password-only authentication.

Step 5: Gather the Required Credentials

  1. Find your Account Identifier in Snowflake.

  2. Run the following SQL command to retrieve the Client ID and Client Secret:

    SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS ('TEST_LOCAL_OAUTH');

  3. Confirm the Warehouse value you want to use for the connection.

Expected outcome: You have the Account Identifier, Client ID, Client Secret, and Warehouse needed to connect Snowflake to Drata.

Step 6: Confirm the Warehouse Format

  1. Review how your warehouse name is defined in Snowflake.

  2. If the warehouse name is entered without quotes, such as COMPUTE_WH, Snowflake treats it as uppercase.

  3. If the warehouse name is entered with double quotes, such as "compute_wh", Snowflake treats it as case-sensitive and it must be referenced exactly as created.

  4. For the Drata integration, use the warehouse name in uppercase without quotes when possible.

Expected outcome: Your warehouse value is formatted correctly for the connection and less likely to cause case-sensitivity errors.

Step 7: Connect Snowflake in Drata

  1. Log in to Drata → go to the Connections page.

  2. Navigate to your Available Connections.

  3. Search for and start the Snowflake connection process.

  4. Enter the following when prompted:

    • Account Identifier

    • Client ID

    • Client Secret

    • Warehouse

  5. Complete the connection flow.

Expected outcome: Snowflake is successfully connected and user access review data begins syncing to Drata.

Important Notes

  • Authentication:

    • Snowflake is enforcing strong authentication for human users and deprecating passwords for service users.

    • If your integration user is still configured with password-only authentication or as a legacy service user, follow Snowflake’s strong authentication guidance to migrate it to key-pair or SSO to avoid future connection issues.

    • See https://docs.snowflake.com/en/user-guide/security-mfa-rollout for details.

  • This integration is used for User Access Review and focuses on reviewing the list of users with access to Snowflake.

  • The warehouse value can be case-sensitive depending on how it was created in Snowflake.

  • To avoid warehouse naming issues, use the warehouse name in uppercase without quotes when possible.

  • The provided information does not specify whether multiple warehouses can be reviewed through a single connection.

Related Articles
Miro Integration
HubSpot Integration Guide (UAR)
Sentry Integration Guide
Klaviyo Integration Guide
Pinpoint Integration Guide
Did this answer your question?