Troubleshooting Snowflake connectivity

Updated May 06, 2025 12:05

How to debug test authentication and preflight check errors?

Missing warehouse grants

The user doesn’t have USAGE and OPERATE grants on a warehouse.

GRANT OPERATE, USAGE ON WAREHOUSE "<warehouse>" TO ROLE atlan_user_role;

Then, ensure that you grant the role to the new user:
```
GRANT ROLE atlan_user_role TO USER atlan_user;
```

Missing authorized access to SNOWFLAKE.ACCOUNT_USAGE schema

The user doesn’t have authorized access to the SNOWFLAKE.ACCOUNT_USAGE database

Reach out to your account admin to grant imported privileges on the Snowflake database to the role:

USE ROLE ACCOUNTADMIN;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE atlan_user_role;

If using a copied database, you'll need to grant the following permissions:

GRANT USAGE ON DATABASE "<copied-database>" TO ROLE atlan_user_role;
GRANT USAGE ON SCHEMA "<copied-schema>" IN DATABASE "<copied-database>" TO ROLE atlan_user_role; 
GRANT REFERENCES ON ALL VIEWS IN DATABASE "<copied-database>" TO ROLE atlan_user_role;

Missing usage grants on databases and/or schemas

The user doesn't have usage grants to the databases ` $missingDatabases ` and schemas ` $missingSchemas

Grant missing permissions listed here for information schema extraction method.

Atlan IP not allowlisted

Atlan's current location or network isn't recognized by Snowflake's security settings. This can happen if Atlan's IP address isn't on the list of allowed addresses in Snowflake's network policies.

If you are using the IP allowlist in your Snowflake instance, you must add the Atlan IP to the allowlist. Contact Atlan support to obtain Atlan's IP addresses.

Incorrect credentials

The username or the password provided to connect to the Snowflake account is incorrect.

Sign into the Snowflake account for the specified host and verify that the username and password are correct.
You can also create a new user, if required, by following the steps here.

Missing or unauthorized role

The role specified in your connection configuration doesn't exist in Snowflake or your user account doesn't have grant to use this role.

If the role does not exist or is missing the required grants, create a role and then grant the role to the user.

User account locked

The user account you're using to connect to Snowflake has been locked temporarily because of multiple incorrect login attempts.

Wait for the user account to unlock or create a different user account to continue.

Missing or unauthorized warehouse

The warehouse specified in your connection configuration doesn't exist in Snowflake or your user account doesn't have grant to use this warehouse.

Ensure that the warehouse name is configured correctly.
Update the warehouse name in the configuration if your account is using a different warehouse. Create a role and then grant the role to the user for the updated warehouse.

Missing access to non-system databases or schemas

The configured user doesn't have usage grants to any database or schema. or The configured user doesn't have usage grants to any non-system database or schema.

This pertains to the information schema method of fetching metadata. Ensure that the user has authorized access to the databases and schemas to be crawled.
Grant the requisite permissions as outlined here.

Why are some assets from a database or schema missing?

Check the grants on the role attached to the user defined for the crawler. Ensure the missing database or schema is present in these grants.
```
SHOW GRANTS TO ROLE atlan_user_role;
```

Why are new tables or views missing?

Make sure the role attached to the user defined for the crawler has grants for future tables and views being created in the database:

GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON FUTURE TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON FUTURE VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role;
GRANT REFERENCES ON FUTURE EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;

Make sure you run the below commands as well so that new tables and views you've created in-between are also visible to the user:

GRANT USAGE ON ALL SCHEMAS IN DATABASE "<database-name>" TO role atlan_user_role; 
GRANT REFERENCES ON ALL TABLES IN DATABASE "<database-name>" TO role atlan_user_role; 
GRANT REFERENCES ON ALL EXTERNAL TABLES IN DATABASE "<database-name>" TO atlan_user_role;
GRANT REFERENCES ON ALL VIEWS IN DATABASE "<database-name>" TO role atlan_user_role;

Why is some lineage missing?

The query miner only mines query history for up to the previous two weeks. The miner will not mine any queries that ran before that time window. If the queries that created your assets ran before that time window, lineage for those assets will not be present.
To mine more than the previous two weeks of query history, either use S3-based query mining or contact Atlan support. Note that Snowflake itself only retains query history for so long as well, though. Once Snowflake itself no longer contains the query history we will be unable to mine it for lineage.
Lineage is unsupported for parameterized queries. Snowflake currently does not resolve values for parameterized queries before logging them in query history. This limits Atlan from generating lineage in such cases.

Missing attributes and lineage

When using the account usage extraction method, there are currently some limitations. We are working with Snowflake to find workarounds for crawling the following:
- External table location data
- Procedures
- Primary key designation
Furthermore, only database-level filtering is currently possible.

What views does Atlan require access to for the account usage method?

When using the account usage method for fetching metadata, Atlan requires access to the following views in Snowflake:

For the crawler: DATABASES, SCHEMATA, TABLES, VIEWS, COLUMNS, and PIPES
For the miner and popularity metrics: QUERY_HISTORY, ACCESS_HISTORY, and SESSIONS

Does the Snowflake Account Usage setup support crawling stages?

Yes, the existing Account Usage setup for Snowflake is sufficient to crawl metadata for stages. Atlan can fetch stage assets using the ACCOUNT_USAGE schema without requiring any additional permissions or configuration.

To review the setup steps for enabling Account Usage in Atlan, refer to the connectivity setup guide for Snowflake.

Why am I getting a destination URL mismatch error when authenticating via Okta SSO?

This error can occur when you're connecting to Snowflake through Okta SSO and enter the URL of your Snowflake instance in a format different from the one used in Okta.

Snowflake follows two URL formats:

Legacy format — <AccountLocator>.<Region>.snowflakecomputing.com or <AccountLocator>.<Region>.<cloud>.snowflakecomputing.com
New URL format — <Orgname>-<AccountName>.snowflakecomputing.com

Ensure that you're using the same Snowflake URL format in Snowflake and Okta. Refer to Snowflake documentation to learn more.

Why am I getting a 'name or service not known' error when connecting via private link?

If you're getting the following error messages — java.net.UnknownHostException and Name or service not known — this is a known error for users who have upgraded to the Snowflake JDBC driver version 3.13.25., have underscores in their account name, and connect to their Snowflake accounts over private link (for example, https://my_account.us-west-2.privatelink.snowflakecomputing.com).

If your Snowflake account name has an underscore — for example, my_account — the updated JDBC driver will automatically convert underscores to dashes or hyphens -. This does not affect normal URLs because Snowflake accepts URLs with both hyphens and underscores.

For private link users, however, the JDBC driver will return an error if there are underscores present in the account name and the connection will fail. To troubleshoot further, refer to Snowflake documentation.