How to set up Snowflake

Have more questions? Submit a request
πŸ€“ Who can do this? You will probably need your Snowflake administrator to run these commands β€” you may not have access yourself.

Create role in Snowflake

Create a role in Snowflake using the following commands:

CREATE OR REPLACE ROLE atlan_user_role;
GRANT OPERATE, USAGE ON WAREHOUSE "<warehouse-name>" TO ROLE atlan_user_role;

Create a user

Create a separate user to integrate into Atlan, using one of the following 3 options:

With a password in Snowflake

To create a user with a password, replace <password> and run the following:

CREATE USER atlan_user password='<password>' default_role=atlan_user_role default_warehouse='<warehouse-name>' display_name='Atlan';

With a public key in Snowflake

See Snowflake's official guide for details on generating an RSA key-pair. To create a user with a key-pair, replace the value for rsa_public_key with the public key and run the following:

CREATE USER atlan_user rsa_public_key='MIIBIjANBgkqh...' default_role=atlan_user_role default_warehouse='<warehouse-name>' display_name='Atlan';

Managed through your identity provider (IdP)

Create a user in your identity provider (IdP) and use federated authentication in Snowflake.

Ensure the password for this user is maintained solely in the IdP and that multi-factor authentication (MFA) is disabled.

Grant role to user

To grant the atlan_user_role to the new user:

GRANT ROLE atlan_user_role TO USER atlan_user;

Choose metadata fetching method

Atlan supports two methods for fetching metadata from Snowflake. You should choose one of these methods to set up Snowflake:

Information schema (recommended)

This method uses views in the INFORMATION_SCHEMA schema in Snowflake databases to fetch metadata. You still need to grant specific permissions to allow Atlan to crawl metadata, preview data and query data with this method.

Account usage (alternative)

🚨 Careful! If you want to set warehouse timeouts when using this method, set a large value initially for the workflow to succeed. Once the workflow has succeeded, adjust the value to be twice the extraction time.

This method uses the views in SNOWFLAKE.ACCOUNT_USAGE (or a copied version of this schema) to fetch the metadata from Snowflake into Atlan. You can be more granular with permissions using this method, but there are limitations with this approach.

To use the default SNOWFLAKE database and ACCOUNT_USAGE schema, grant these permissions:

GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE atlan_user_role;

To use a copied version of this default schema, grant these permissions:

GRANT USAGE ON DATABASE "<copied-database>" TO ROLE atlan_user_role;
GRANT USAGE ON SCHEMA "<copied-schema>" IN DATABASE "<copied-database>" TO ROLE atlan_user_role; 
GRANT REFERENCES ON ALL VIEWS IN DATABASE "<copied-database>" TO ROLE atlan_user_role;
  • Replace <copied-database> with the copied Snowflake database name.
  • Replace <copied-schema> with the copied Snowflake ACCOUNT_USAGE schema name.
🚨 Careful! With these permissions you can only crawl metadata into Atlan. To also preview and query data, add the permissions below.

Grant permissions

🚨 Careful! PIPE allows bulk grants for existing assets. For more information on GRANT, read this Snowflake documentation.

To crawl existing assets

Grant these permissions to crawl assets that already exist in Snowflake. If you also want to be able to preview and query the data, you can use the preview and query existing assets permissions instead.

GRANT USAGE ON DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT USAGE ON ALL SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role; 
GRANT REFERENCES ON ALL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role; 
GRANT REFERENCES ON ALL EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON ALL VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON ALL MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT MONITOR ON PIPE "<pipe-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database you want to be available in Atlan. (Repeat the statements for every database you wish to integrate into Atlan.)

πŸ’ͺ Did you know? The statements given on this page apply to all schemas, tables and views in a database in Snowflake. If you want to limit the access to only certain objects, you can instead specify the exact objects individually as well.

To crawl future assets

To crawl assets that may be created in the future in Snowflake, add these permissions. Again, if you want to also be able to preview and query the data for future assets, you can add the preview and query future assets permissions instead.

GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON FUTURE TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON FUTURE EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON FUTURE VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON FUTURE MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT MONITOR ON FUTURE PIPES IN DATABASE "<database-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database you want to be available in Atlan. (Repeat the statements for every database you wish to integrate into Atlan.)

To mine query history for lineage

To also mine Snowflake's query history (for lineage), add these permissions. You can use either option:

  • To mine query history direct from Snowflake's internal tables:
    USE ROLE ACCOUNTADMIN;
    GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE atlan_user_role;
  • To mine query history from a cloned set of tables, where you can then also remove any sensitive data:
    GRANT USAGE ON DATABASE "<cloned-database>" TO ROLE atlan_user_role;
    GRANT USAGE ON SCHEMA "<cloned-database>"."<cloned-account-usage-schema>" TO ROLE atlan_user_role;
    GRANT SELECT ON ALL TABLES IN SCHEMA "<cloned-database>"."<cloned-account-usage-schema>" TO ROLE atlan_user_role;
    GRANT SELECT ON ALL VIEWS IN SCHEMA "<cloned-database>"."<cloned-account-usage-schema>" TO ROLE atlan_user_role;
    Replace <cloned-database> with the name of the cloned database, and <cloned-account-usage-schema> with the name of the cloned schema containing account usage details.

To preview and query existing assets

To query and preview data within assets that already exist in Snowflake, add these permissions:

GRANT USAGE ON DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT USAGE ON ALL SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT MONITOR ON PIPE "<pipe-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database you want to be able to preview and query in Atlan. (Repeat the statements for every database you wish to preview and query in Atlan.)

To preview and query future assets

To query and preview data within assets that may be created in the future in Snowflake, add these permissions:

GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT MONITOR ON FUTURE PIPES IN DATABASE "<database-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database you want to be able to preview and query in Atlan. (Repeat the statements for every database you wish to preview and query in Atlan.)

Allowlist the Atlan IP

If you are using the IP allowlist in your Snowflake instance, you must add the Atlan IP to the allowlist. Please raise a support ticket from within Atlan, or submit a request.

(If you are not using the IP Allowlist in your Snowflake instance, you can skip this step.)

Related articles

Was this article helpful?
2 out of 2 found this helpful