Skip to main content

Snowflake Integration Guide

User Access Review connection: Connect Snowflake to Drata to review the list of users with access to Snowflake in your organization.

Updated yesterday

The Snowflake integration enables security and compliance teams to review who has access to Snowflake in their organization. It connects Drata to Snowflake so your team can monitor user access, identify permission issues, and stay on top of user access reviews.

Key Capabilities

  • User access review data: Review the list of users with access to Snowflake

  • Access governance support: Identify and validate access permissions for compliance

  • Automated evidence collection: Sync Snowflake access data into Drata for user access reviews

This integration is used to automate tests such as user access review verification and privileged access review, helping prove compliance with access control and least privilege policies.

Prerequisites & Data Access

  • Admin access to your Snowflake account: ACCOUNTADMIN

  • Ability to create a Snowflake role, security integration, and user

  • Access to a Snowflake warehouse

  • Ability to retrieve the following values for setup:

    • Account Identifier

    • Client ID

    • Client Secret

    • Warehouse

  • Required Drata Role with Write access: Admin, Workspace Managers, DevOps Engineer

  • Access Reviewers (Access Reviewers can only Read the connection page they can’t make changes)

Permissions & Data Table

Permission/Scope

Why It’s Needed

ACCOUNTADMIN

Required to create the role, security integration, and user needed for the connection

Imported privileges on SNOWFLAKE database

Allows the integration role to access Snowflake account metadata

Warehouse usage privilege

Allows the integration role to use the specified warehouse

OAuth client credentials

Allows Drata to authenticate to Snowflake securely

Step-by-Step Setup

Step 1: Select a Warehouse

  1. Log in to Snowflake as an ACCOUNTADMIN user.

  2. Choose the warehouse you want to use for the integration.

  3. For these instructions, the example warehouse is COMPUTE_WH.

Expected outcome: You have identified the Snowflake warehouse to use for the integration.

Step 2: Create a Snowflake Role

  1. Open a Snowflake worksheet.

  2. Run the following SQL command to create a new role:

    CREATE ROLE TEST_AUTH_ROLE;

  3. Grant imported privileges on the Snowflake database to the role:

    GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE TEST_AUTH_ROLE;

Expected outcome: A new Snowflake role exists with access to required Snowflake metadata.

Step 3: Create the Security Integration

  1. In the Snowflake worksheet, run the following SQL command:

    CREATE SECURITY INTEGRATION TEST_LOCAL_OAUTH 
    TYPE = OAUTH 
    ENABLED = TRUE 
    OAUTH_CLIENT = CUSTOM 
    OAUTH_CLIENT_TYPE = 'CONFIDENTIAL' 
    OAUTH_REDIRECT_URI = 'https://app.drata.com/callback/snowflake' 
    OAUTH_ISSUE_REFRESH_TOKENS = TRUE 
    PRE_AUTHORIZED_ROLES_LIST = ('TEST_AUTH_ROLE');

  2. Grant warehouse usage to the role. Replace COMPUTE_WH with your warehouse name if different:

    GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE TEST_AUTH_ROLE;

Expected outcome: The security integration is created and the role can use the selected warehouse.

Step 4: Create the Integration User

  1. In the Snowflake worksheet, run the following SQL command to create a new user. Replace the sample username and password with your own values:

    CREATE USER drata_test_user_1 PASSWORD = 'enterpassword' DEFAULT_ROLE = TEST_AUTH_ROLE;

  2. Grant the role to the user:

    GRANT ROLE TEST_AUTH_ROLE TO USER drata_test_user_1;

Expected outcome: A dedicated Snowflake user exists and has the integration role assigned.

Step 5: Gather the Required Credentials

  1. Find your Account Identifier in Snowflake.

  2. Run the following SQL command to retrieve the Client ID and Client Secret:

    SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS ('TEST_LOCAL_OAUTH');

  3. Confirm the Warehouse value you want to use for the connection.

Expected outcome: You have the Account Identifier, Client ID, Client Secret, and Warehouse needed to connect Snowflake to Drata.

Step 6: Confirm the Warehouse Format

  1. Review how your warehouse name is defined in Snowflake.

  2. If the warehouse name is entered without quotes, such as COMPUTE_WH, Snowflake treats it as uppercase.

  3. If the warehouse name is entered with double quotes, such as "compute_wh", Snowflake treats it as case-sensitive and it must be referenced exactly as created.

  4. For the Drata integration, use the warehouse name in uppercase without quotes when possible.

Expected outcome: Your warehouse value is formatted correctly for the connection and less likely to cause case-sensitivity errors.

Step 7: Connect Snowflake in Drata

  1. Log in to Drata → go to the Connections page.

  2. Navigate to your Available Connections.

  3. Search for and start the Snowflake connection process.

  4. Enter the following when prompted:

    • Account Identifier

    • Client ID

    • Client Secret

    • Warehouse

  5. Complete the connection flow.

Expected outcome:
Snowflake is successfully connected and user access review data begins syncing to Drata.

Important Notes

  • Important notes: This integration is used for User Access Review and focuses on reviewing the list of users with access to Snowflake.

  • The warehouse value can be case-sensitive depending on how it was created in Snowflake.

  • To avoid warehouse naming issues, use the warehouse name in uppercase without quotes when possible.

  • Principle of least privilege: The provided setup uses a dedicated role, security integration, and user for the connection.

  • The provided information does not specify whether multiple warehouses can be reviewed through a single connection.

Related Articles
Miro Integration
HubSpot Integration Guide (UAR)
Sentry Integration Guide
Greenhouse Integration Guide
Box Integration Guide
Did this answer your question?