How to set up Snowflake

🤓 Who can do this? You will need your Snowflake administrator to run these commands — you may not have access yourself.

Create role in Snowflake

Create a role in Snowflake using the following commands:

CREATE OR REPLACE ROLE atlan_user_role;
GRANT OPERATE, USAGE ON WAREHOUSE "<warehouse-name>" TO ROLE atlan_user_role;

Atlan requires the following privileges to:

  • OPERATE allows Atlan to start the virtual warehouse to fetch metadata if the warehouse has stopped.
  • USAGE allows Atlan to show or list metadata from Snowflake. This in turn allows the Snowflake crawler to run the SHOW query.

Create a user

Create a separate user to integrate into Atlan, using one of the following 3 options:

With a public key in Snowflake

See Snowflake's official guide for details on generating an RSA key-pair. To create a user with a key-pair, replace the value for rsa_public_key with the public key and run the following:

CREATE USER atlan_user rsa_public_key='MIIBIjANBgkqh...' default_role=atlan_user_role default_warehouse='<warehouse-name>' display_name='Atlan';
TYPE = 'SERVICE'
💪 Did you know? Atlan only supports encrypted private keys — generally recommended as more secure. To generate an encrypted private key, omit the -nocrypt option. Refer to Snowflake documentation to learn more.

With a password in Snowflake

💪 Did you know? Snowflake recommends transitioning away from basic authentication using username and password. Change to key-pair authentication for enhanced security. For any existing Snowflake workflows, you can modify the crawler configuration to update the authentication method.

To create a user with a password, replace <password> and run the following:

CREATE USER atlan_user password='<password>' default_role=atlan_user_role default_warehouse='<warehouse-name>' display_name='Atlan';
TYPE = 'LEGACY_SERVICE'

Managed through your identity provider (IdP)

🧪 Preview feature! This feature is available for your experimentation, and we'd love your feedback. It may change before its final generally-available form.

This method is currently only available if Okta is your IdP — Snowflake supports authenticating natively through Okta:

  • Create a user in your identity provider (IdP) and use federated authentication in Snowflake.
  • Ensure the password for this user is maintained solely in the IdP and that multi-factor authentication (MFA) is disabled.

Grant role to user

To grant the atlan_user_role to the new user:

GRANT ROLE atlan_user_role TO USER atlan_user;

Choose metadata fetching method

Atlan supports two methods for fetching metadata from Snowflake — account usage and information schema. You should choose one of these two methods to set up Snowflake:

  Account usage Information schema
Overview Simplified grants but some limitations in functionality Most comprehensive approach, more grant management required
Method Views in the SNOWFLAKE database that display object metadata and usage metrics for your account System-defined views and table functions that provide extensive metadata for objects created in your account
Permissions User role and account, single grant for SNOWFLAKE database User role and account, multiple grants per database
Data latency 45 minutes to 3 hours (varies by view) None
Historical data retention 1 year 7 days to 6 months (varies by view or table function)
Asset extraction ACCOUNT_USAGE schema INFORMATION_SCHEMA schema
View lineage ACCOUNT_USAGE schema INFORMATION_SCHEMA schema
Table lineage ACCOUNT_USAGE schema ACCOUNT_USAGE schema
Tag import ACCOUNT_USAGE schema ACCOUNT_USAGE schema
Usage and popularity ACCOUNT_USAGE schema ACCOUNT_USAGE schema
Metadata extraction time Varies by warehouse size — for example, 8 minutes for 10 million assets (recommended for extracting a large number of assets) Varies by warehouse size — for example, 2+ hours for 10 million assets
Extraction limitations External table location data, procedures, and primary and foreign keys None

Grant permissions for account usage method

🚨 Careful! If you want to set warehouse timeouts when using this method, set a large value initially for the workflow to succeed. Once the workflow has succeeded, adjust the value to be twice the extraction time.

This method uses the views in SNOWFLAKE.ACCOUNT_USAGE (or a copied version of this schema) to fetch the metadata from Snowflake into Atlan. You can be more granular with permissions using this method, but there are limitations with this approach.

To crawl assets, generate lineage, and import tags

If you also want to be able to preview and query the data, you can use the preview and query existing assets permissions instead.

Snowflake stores all tag objects in the ACCOUNT_USAGE schema. If you're using the account usage method to crawl metadata in Atlan or you have configured the Snowflake miner, you will need to grant the same permissions to import tags as required for crawling Snowflake assets. Note that object tagging in Snowflake currently requires Enterprise Edition or higher.

  • To use the default SNOWFLAKE database and ACCOUNT_USAGE schema and also mine Snowflake's query history (for lineage), grant these permissions:
    USE ROLE ACCOUNTADMIN;
    GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE atlan_user_role;
    • The ACCOUNTADMIN role is required to grant privileges on the SNOWFLAKE database due to the following reasons:
      • By default, only the ACCOUNTADMIN role can access the SNOWFLAKE database.
      • To enable other roles to access the database and schemas and query the views, a user with the ACCOUNTADMIN role will need to grant IMPORTED PRIVILEGES on the SNOWFLAKE database to the desired roles.
  • To use a copied or cloned version of this default schema, where you can also remove any sensitive data for security purposes, grant these permissions:
    GRANT USAGE ON DATABASE "<copied-database>" TO ROLE atlan_user_role;
    GRANT USAGE ON SCHEMA "<copied-schema>" IN DATABASE "<copied-database>" TO ROLE atlan_user_role; 
    GRANT REFERENCES ON ALL VIEWS IN DATABASE "<copied-database>" TO ROLE atlan_user_role;
    • Replace <copied-database> with the copied Snowflake database name.
    • Replace <copied-schema> with the copied Snowflake ACCOUNT_USAGE schema name.
    • The grants for the copied version cannot be used on the original SNOWFLAKE database. This is because Snowflake produces an error that granular grants cannot be given to imported databases.
    • When using a cloned or copied version, ensure that the table or view definition remains unchanged as in your SNOWFLAKE database. If the format is different — for example, a column is missing — it will no longer be considered a clone. 

(Optional) To preview and query existing assets

To query and preview data within assets that already exist in Snowflake, add these permissions:

GRANT USAGE ON DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT USAGE ON ALL SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT MONITOR ON PIPE "<pipe-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database you want to be able to preview and query in Atlan. (Repeat the statements for every database you wish to preview and query in Atlan.)

(Optional) To preview and query future assets

To query and preview data within assets that may be created in the future in Snowflake, add these permissions:

GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT MONITOR ON FUTURE PIPES IN DATABASE "<database-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database you want to be able to preview and query in Atlan. (Repeat the statements for every database you wish to preview and query in Atlan.)

🚨 Careful! To ensure that all the assets you'd like to crawl are present in these grants, check the grants on the user role defined for the crawler.

Grant permissions for information schema method

This method uses views in the INFORMATION_SCHEMA schema in Snowflake databases to fetch metadata. You still need to grant specific permissions to allow Atlan to crawl metadata, preview data, and query data with this method.

To crawl existing assets

Grant these permissions to crawl assets that already exist in Snowflake. If you also want to be able to preview and query the data, you can use the preview and query existing assets permissions instead.

GRANT USAGE ON DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT USAGE ON ALL SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role; 
GRANT REFERENCES ON ALL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role; 
GRANT REFERENCES ON ALL EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON ALL VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON ALL MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT MONITOR ON PIPE "<pipe-name>" TO ROLE atlan_user_role;
GRANT USAGE ON ALL FUNCTIONS IN DATABASE "<database-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database you want to be available in Atlan. (Repeat the statements for every database you wish to integrate into Atlan.)

💪 Did you know? The statements given on this page apply to all schemas, tables, and views in a database in Snowflake. If you want to limit the access to only certain objects, you can instead specify the exact objects individually as well.

To crawl future assets

To crawl assets that may be created in the future in Snowflake, add these permissions. Again, if you want to also be able to preview and query the data for future assets, you can add the preview and query future assets permissions instead.

  • To grant permissions at a database level:
    GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT REFERENCES ON FUTURE TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT REFERENCES ON FUTURE EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT REFERENCES ON FUTURE VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT REFERENCES ON FUTURE MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT MONITOR ON FUTURE PIPES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT USAGE ON FUTURE FUNCTIONS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    • Replace <database-name> with the database you want to crawl in Atlan. (Repeat the statements for every database you want to integrate into Atlan.)
      🚨 Careful! For any future grants defined at a schema level to a different role, the schema-level grants will take precedence over the database-level grants and any future grants defined at a database level to the Atlan role will be ignored. To learn more, refer to Snowflake documentation.
  • To grant permissions at a schema level:
    GRANT REFERENCES ON FUTURE TABLES IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT REFERENCES ON FUTURE EXTERNAL TABLES IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT REFERENCES ON FUTURE VIEWS IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT REFERENCES ON FUTURE MATERIALIZED VIEWS IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE STREAMS IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT MONITOR ON FUTURE PIPES IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT USAGE ON FUTURE FUNCTIONS IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    • Replace <database-name> with the database and <schema-name> with the schema you want to crawl in Atlan. (Repeat the statements for every database and schema you want to integrate into Atlan.)

To mine query history for lineage

To also mine Snowflake's query history (for lineage), add these permissions. You can use either option:

  • To mine query history direct from Snowflake's internal tables:
    USE ROLE ACCOUNTADMIN;
    GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE atlan_user_role;
  • To mine query history from a cloned or copied set of tables, where you can also remove any sensitive data:
    GRANT USAGE ON DATABASE "<cloned-database>" TO ROLE atlan_user_role;
    GRANT USAGE ON SCHEMA "<cloned-database>"."<cloned-account-usage-schema>" TO ROLE atlan_user_role;
    GRANT SELECT ON ALL TABLES IN SCHEMA "<cloned-database>"."<cloned-account-usage-schema>" TO ROLE atlan_user_role;
    GRANT SELECT ON ALL VIEWS IN SCHEMA "<cloned-database>"."<cloned-account-usage-schema>" TO ROLE atlan_user_role;
    • Replace <cloned-database> with the name of the cloned database, and <cloned-account-usage-schema> with the name of the cloned schema containing account usage details.
    • When using a cloned or copied version, ensure that the table or view definition remains unchanged as in your SNOWFLAKE database. If the format is different — for example, a column is missing — it will no longer be considered a clone. 

(Optional) To preview and query existing assets

To query and preview data within assets that already exist in Snowflake, add these permissions:

GRANT USAGE ON DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT USAGE ON ALL SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON ALL STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT MONITOR ON PIPE "<pipe-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database you want to be able to preview and query in Atlan. (Repeat the statements for every database you wish to preview and query in Atlan.)

(Optional) To preview and query future assets

To query and preview data within assets that may be created in the future in Snowflake, add the following permissions.

  • To grant permissions at a database level:
    GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE STREAMS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    GRANT MONITOR ON FUTURE PIPES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
    • Replace <database-name> with the database you want to be able to preview and query in Atlan. (Repeat the statements for every database you want to preview and query in Atlan.)
      🚨 Careful! For any future grants defined at a schema level to a different role, the schema-level grants will take precedence over the database-level grants and any future grants defined at a database level to the Atlan role will be ignored. To learn more, refer to Snowflake documentation.
  • To grant permissions at a schema level:
    GRANT SELECT ON FUTURE TABLES IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE EXTERNAL TABLES IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE VIEWS IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT SELECT ON FUTURE STREAMS IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    GRANT MONITOR ON FUTURE PIPES IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;
    • Replace <database-name> with the database and <schema-name> with the schema you want to be able to preview and query in Atlan. (Repeat the statements for every database and schema you want to preview and query in Atlan.)
🚨 Careful! To ensure that all the assets you'd like to crawl are present in these grants, check the grants on the user role defined for the crawler.

(Optional) To import Snowflake tags

Snowflake stores all tag objects in the ACCOUNT_USAGE schema. Note that object tagging in Snowflake currently requires Enterprise Edition or higher.

To import tags from Snowflake, grant these permissions:

  • To use the default SNOWFLAKE database and ACCOUNT_USAGE schema and also mine Snowflake's query history (for lineage), grant these permissions:
    USE ROLE ACCOUNTADMIN;
    GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE atlan_user_role;
    • The ACCOUNTADMIN role is required to grant privileges on the SNOWFLAKE database due to the following reasons:
      • By default, only the ACCOUNTADMIN role can access the SNOWFLAKE database.
      • To enable other roles to access the database and schemas and query the views, a user with the ACCOUNTADMIN role will need to grant IMPORTED PRIVILEGES on the SNOWFLAKE database to the desired roles.
  • To use a copied or cloned version of this default schema, where you can also remove any sensitive data for security purposes, grant these permissions:
    GRANT USAGE ON DATABASE "<copied-database>" TO ROLE atlan_user_role;
    GRANT USAGE ON SCHEMA "<copied-schema>" IN DATABASE "<copied-database>" TO ROLE atlan_user_role; 
    GRANT REFERENCES ON ALL VIEWS IN DATABASE "<copied-database>" TO ROLE atlan_user_role;
    • Replace <copied-database> with the copied Snowflake database name.
    • Replace <copied-schema> with the copied Snowflake ACCOUNT_USAGE schema name.
    • The grants for the copied version cannot be used on the original SNOWFLAKE database. This is because Snowflake produces an error that granular grants cannot be given to imported databases.

(Optional) To push updated tags to Snowflake

To push tags updated for assets in Atlan to Snowflake, grant these permissions:

GRANT APPLY TAG ON ACCOUNT TO ROLE <role-name>;

You can learn more about tag privileges from Snowflake documentation.

(Optional) To crawl dynamic tables

Atlan currently supports fetching metadata for dynamic tables using the MONITOR privilege. Refer to Snowflake documentation to learn more.

To crawl existing dynamic tables from Snowflake:

  • Grant permissions at a database level:
    GRANT MONITOR ON ALL DYNAMIC TABLES IN DATABASE "<DATABASE_NAME>" TO ROLE atlan_user_role;
  • Grant permissions at a schema level:
    GRANT MONITOR ON ALL DYNAMIC TABLES IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;

To crawl future dynamic tables from Snowflake:

  • Grant permissions at a database level:
    GRANT MONITOR ON FUTURE DYNAMIC TABLES IN DATABASE "<DATABASE_NAME>" TO ROLE atlan_user_role;
  • Grant permissions at a schema level:
    GRANT MONITOR ON FUTURE DYNAMIC TABLES IN SCHEMA "<database-name>.<schema-name>" TO ROLE atlan_user_role;

Replace <database-name> with the database and <schema-name> with the schema you want to crawl in Atlan. (Repeat the statements for every database and schema you want to integrate into Atlan.)

(Optional) To crawl Iceberg tables

Atlan currently supports fetching metadata for Iceberg tables only for the information schema extraction method.

To crawl Iceberg tables from Snowflake, grant the following permissions:

  • To crawl existing Iceberg tables in Snowflake:
    GRANT REFERENCES ON ALL ICEBERG TABLES IN DATABASE <database-name> TO ROLE atlan_user_role;
  • To crawl future Iceberg tables in Snowflake:
    GRANT REFERENCES ON FUTURE ICEBERG TABLES IN DATABASE <database-name> TO ROLE atlan_user_role;
  • To crawl Iceberg catalog metadata for Iceberg tables in Snowflake:
    GRANT USAGE ON INTEGRATION <integration-name> TO ROLE atlan_user_role;
    🚨 Careful! You must first grant permissions to crawl existing Iceberg tables for this permission to work on catalogs. You must also grant permissions to all the catalogs you want to crawl in Atlan individually.

Allowlist the Atlan IP

If you are using the IP allowlist in your Snowflake instance, you must add the Atlan IP to the allowlist. Please raise a support ticket from within Atlan, or submit a request.

(If you are not using the IP Allowlist in your Snowflake instance, you can skip this step.)

Related articles

Was this article helpful?
2 out of 3 found this helpful