Create role in Snowflake
Create a role in Snowflake using the following commands:
CREATE OR REPLACE ROLE atlan_user_role;
GRANT OPERATE, USAGE ON WAREHOUSE "<warehouse-name>" TO ROLE atlan_user_role;
- Replace <warehouse-name> with the default warehouse to use when running the Snowflake crawler.
Choose metadata fetching method
Atlan supports two methods for fetching metadata from Snowflake. You should choose one of these methods to set up Snowflake:
Information schema (recommended)
This method uses views in the INFORMATION_SCHEMA schema in the Snowflake databases to fetch metadata. Atlan uses one set of permissions (below) to crawl metadata, preview data and query data with this method.
Account usage (alternative)
This method uses the views in SNOWFLAKE.ACCOUNT_USAGE (or a cloned version of this schema) to fetch the metadata from Snowflake into Atlan. You can be more granular with permissions using this method, but there are limitations with this approach.
To use the default SNOWFLAKE database and ACCOUNT_USAGE schema, grant these permissions:
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE atlan_user_role;
To use a cloned version of this default schema, grant these permissions:
GRANT USAGE ON DATABASE "<clone-database>" TO role atlan_user_role;
GRANT USAGE ON SCHEMA "<clone-schema>" IN DATABASE "<clone-database>" TO role atlan_user_role;
GRANT SELECT ON ALL VIEWS IN DATABASE "<clone-database>" TO role atlan_user_role;
- Replace <clone-database> with the cloned Snowflake database name.
- Replace <clone-schema> with the cloned Snowflake ACCOUNT_USAGE schema name.
Grant permissions
To crawl, preview and query existing assets
Grant these permissions to crawl, preview and query assets that already exist in Snowflake:
GRANT USAGE ON DATABASE "<database-name>" TO role atlan_user_role;
GRANT USAGE ON ALL SCHEMAS IN DATABASE "<database-name>" TO role atlan_user_role;
GRANT SELECT ON ALL TABLES IN DATABASE "<database-name>" TO role atlan_user_role;
GRANT SELECT ON ALL EXTERNAL TABLES IN DATABASE "<database-name>" TO role atlan_user_role;
GRANT SELECT ON ALL VIEWS IN DATABASE "<database-name>" TO role atlan_user_role;
GRANT SELECT ON ALL MATERIALIZED VIEWS IN DATABASE "<database-name>" TO role atlan_user_role;
Replace <database-name> with the database you want to be available in Atlan. (Repeat the statements for every database you wish to integrate into Atlan.)
To crawl, preview and query future assets
To crawl, preview and query assets that may be created in the future in Snowflake, add these permissions:
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
Replace <database-name> with the database you want to be available in Atlan. (Repeat the statements for every database you wish to integrate into Atlan.)
To mine query history for lineage
To also mine Snowflake's query history (for lineage), add these permissions:
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE atlan_user_role;
ACCOUNTADMIN role to mine query history from Snowflake.
Create a user
Create a separate user to integrate into Atlan, using one of the following 3 options:
With a password in Snowflake
To create a user with a password, replace <password> and run the following:
CREATE USER atlan_user password='<password>' default_role=atlan_user_role default_warehouse='<warehouse-name>' display_name='Atlan';
With a public key in Snowflake
See Snowflake's official guide for details on generating an RSA key-pair. To create a user with a key-pair, replace the value for rsa_public_key with the public key and run the following:
CREATE USER atlan_user rsa_public_key='MIIBIjANBgkqh...' default_role=atlan_user_role default_warehouse='<warehouse-name>' display_name='Atlan';
Managed through your identity provider (IdP)
Create a user in your identity provider (IdP) and use federated authentication in Snowflake.
Ensure the password for this user is maintained solely in the IdP and that multi-factor authentication (MFA) is disabled.
Grant role to user
To grant the atlan_user_role to the new user:
GRANT ROLE atlan_user_role TO USER atlan_user;
Allowlist the Atlan IP
If you are using the IP allowlist in your Snowflake instance, you must add the Atlan IP to the allowlist. Please raise a support ticket from within Atlan, or submit a request.
(If you are not using the IP Allowlist in your Snowflake instance, you can skip this step.)
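Once the grants above are in place, the role can be checked for privileges beyond the read-only set this page describes. The following is an added example, not part of the original guide or Atlan's tooling: it audits rows shaped like the privilege, granted_on, name and grant_option columns of SHOW GRANTS TO ROLE atlan_user_role. The sample rows, the object names in them and the exact spelling of object types are assumptions.

```python
# Added example: least-privilege check for atlan_user_role.
# Rows mirror the privilege, granted_on, name and grant_option columns of
# SHOW GRANTS TO ROLE atlan_user_role; the sample rows below are constructed.

# (privilege, object type) pairs that the grants on this page can produce.
ALLOWED = {
    ("OPERATE", "WAREHOUSE"),
    ("USAGE", "WAREHOUSE"),
    ("USAGE", "DATABASE"),
    ("IMPORTED PRIVILEGES", "DATABASE"),
    ("USAGE", "SCHEMA"),
    ("SELECT", "TABLE"),
    ("SELECT", "EXTERNAL TABLE"),
    ("SELECT", "VIEW"),
    ("SELECT", "MATERIALIZED VIEW"),
}


def _norm(value):
    """Upper-case and treat '_' as a space (object-type spelling is an assumption)."""
    return " ".join(str(value).replace("_", " ").upper().split())


def audit_grants(rows):
    """Return (name, privilege, reason) for every grant outside the page's set."""
    findings = []
    for row in rows:
        priv, kind = _norm(row["privilege"]), _norm(row["granted_on"])
        if (priv, kind) not in ALLOWED:
            findings.append((row["name"], priv, f"unexpected {priv} on {kind}"))
        elif _norm(row.get("grant_option", "false")) == "TRUE":
            # An allowed privilege the role can pass on is still privilege creep.
            findings.append((row["name"], priv, "held WITH GRANT OPTION"))
    return findings


SAMPLE_ROWS = [  # constructed; WH_ATLAN and SALES are hypothetical names
    {"privilege": "USAGE", "granted_on": "WAREHOUSE", "name": "WH_ATLAN", "grant_option": "false"},
    {"privilege": "SELECT", "granted_on": "EXTERNAL_TABLE", "name": "SALES.RAW.EVENTS_EXT", "grant_option": "false"},
    {"privilege": "SELECT", "granted_on": "TABLE", "name": "SALES.PUBLIC.ORDERS", "grant_option": "true"},
    {"privilege": "INSERT", "granted_on": "TABLE", "name": "SALES.PUBLIC.ORDERS", "grant_option": "false"},
    {"privilege": "OWNERSHIP", "granted_on": "SCHEMA", "name": "SALES.PUBLIC", "grant_option": "false"},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_ROWS):
        print(finding)
```

An empty result means the role holds only the privileges granted on this page; any finding is a grant to review and revoke if it was not intended.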