Connect Snowflake to Drata in order to review the list of users with access to Snowflake in your organization. Get ahead of any permissions issues and stay on top of your user access reviews.

BEFORE DIVING IN

Ensure you have Admin (ACCOUNTADMIN) access to your company's Snowflake account.
Set up a Snowflake role, security integration, and user account. Follow these instructions in order to create the role, integration, and account.

Important Note: Warehouse Field Case Sensitivity

Note: This section refer to the Warehouse field used while you create the Snowflake role, security integration, and user account.

The Warehouse field in Snowflake is case-sensitive depending on how it’s entered. Snowflake automatically converts unquoted identifiers to uppercase, but quoted identifiers are case-sensitive.

If you enter the warehouse name without quotes (COMPUTE_WH), Snowflake treats it as uppercase, and you can reference it in any case without quotes.
If you enter the warehouse name with double quotes ( "compute_wh"), Snowflake treats it as case-sensitive, and you must always reference it exactly as entered, including the quotes, otherwise Snowflake will throw an exception.

For the Drata integration, entering the warehouse name in uppercase without quotes (COMPUTE_WH) is recommended to avoid case-sensitivity errors.

Create a snowflake role

Log in as an account admin (ACCOUNTADMIN).
Select a warehouse to use. For these instructions, the warehouse we use is COMPUTE_WH.
We will utilize the Snowflake worksheet and create SQL commands to create what we need such as creating a new role. The new role we create will be called TEST_AUTH_ROLE.
- SQL command to create a new role:
```
CREATE ROLE TEST_AUTH_ROLE;
```
Run the command to create the role.
Add the necessary privileges to the newly created role by running the following command.
```
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE TEST_AUTH_ROLE;
```
- You may need to highlight the command and then run to only run that command.

Create the security integration

Next, you'll need to create a security integration for the role. Enter and run the following command:

CREATE SECURITY INTEGRATION TEST_LOCAL_OAUTH 
TYPE = OAUTH 
ENABLED = TRUE 
OAUTH_CLIENT = CUSTOM 
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL' 
OAUTH_REDIRECT_URI = 'https://app.drata.com/callback/snowflake' 
OAUTH_ISSUE_REFRESH_TOKENS = TRUE 
PRE_AUTHORIZED_ROLES_LIST = ('TEST_AUTH_ROLE');

Grant the USAGE privilege for the warehouse to the role. Run the following command to give access to the COMPUTE_WH warehouse. Ensure to replace COMPUTE_WH with your warehouse name.
```
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE TEST_AUTH_ROLE;
```

Create the new user account

You will need to create a new user for this role. Enter and run the following command to create a new user (replace drata_test_user_1 with your desired account name and enterpassword with your desired password):
```
CREATE USER drata_test_user_1 PASSWORD = 'enterpassword' DEFAULT_ROLE = TEST_AUTH_ROLE;
```
Grant the role to the new user by running this command:
```
GRANT ROLE TEST_AUTH_ROLE TO USER drata_test_user_1;
```

Now you can gather your Account Identifier, Client ID, and Client Secret. You will need these values to connect to Drata.

To get your Account Identifier, navigate to the place shown in the image below.
To retrieve the OAuth Client ID and Client Secret for your Snowflake account. To do so, run this command:
```
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS ('TEST_LOCAL_OAUTH');
```

Connect Snowflake to Drata

On the Connections page, select Available connections and select the User Access Review category or search for Snowflake at the top search bar and select the Connect button.
Follow the instructions displayed on the drawer. Take your time and complete one step entirely before moving on to the next.
- Account Identifier: Enter your Snowflake’s account identifier. To find your account identifier, refer to Finding the Organization and Account Name for an Account.
- Client ID: Enter your Snowflake’s client ID. To find your client ID, refer to Snowflake’s Reference API documentation (SYSTEM$SHOW_OAUTH_CLIENT_SECRETS).
- Client Secret: Enter your Snowflake’s client secret. To find your client secret, refer to Snowflake’s Reference API documentation (SYSTEM$SHOW_OAUTH_CLIENT_SECRETS).
- Warehouse: Enter the warehouse you would like to review access for compliance purposes. To find your list of warehouses, refer to Snowflake’s Reference API documentation (SHOW WAREHOUSES).