How to debug test authentication and preflight check errors?
Missing warehouse grants
The user doesn’t have USAGE and OPERATE grants on a warehouse.
- Grant warehouse access to the role:
GRANT OPERATE, USAGE ON WAREHOUSE "<warehouse>" TO ROLE atlan_user_role;
- Then, ensure that you grant the role to the new user:
GRANT ROLE atlan_user_role TO USER atlan_user;
Missing authorized access to SNOWFLAKE.ACCOUNT_USAGE schema
The user doesn’t have authorized access to the SNOWFLAKE.ACCOUNT_USAGE database
- Reach out to your account admin to grant imported privileges on the
Snowflake
database to the role:USE ROLE ACCOUNTADMIN; GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE atlan_user_role;
- If using a copied database, you'll need to grant the following permissions:
GRANT USAGE ON DATABASE "<copied-database>" TO ROLE atlan_user_role; GRANT USAGE ON SCHEMA "<copied-schema>" IN DATABASE "<copied-database>" TO ROLE atlan_user_role; GRANT REFERENCES ON ALL VIEWS IN DATABASE "<copied-database>" TO ROLE atlan_user_role;
Missing usage grants on databases and/or schemas
The user doesn't have usage grants to the databases ` $missingDatabases ` and
schemas ` $missingSchemas
- Grant missing permissions listed here for information schema extraction method.
Atlan IP not allowlisted
Atlan's current location or network isn't recognized by Snowflake's security
settings. This can happen if Atlan's IP address isn't on the list of allowed
addresses in Snowflake's network policies.
- If you are using the IP allowlist in your Snowflake instance, you must add the Atlan IP to the allowlist. Contact Atlan support to obtain Atlan's IP addresses.
Incorrect credentials
The username or the password provided to connect to the Snowflake account is
incorrect.
- Sign into the Snowflake account for the specified host and verify that the username and password are correct.
- You can also create a new user, if required, by following the steps here.
Missing or unauthorized role
The role specified in your connection configuration doesn't exist in Snowflake
or your user account doesn't have grant to use this role.
- If the role does not exist or is missing the required grants, create a role and then grant the role to the user.
User account locked
The user account you're using to connect to Snowflake has been locked temporarily
because of multiple incorrect login attempts.
- Wait for the user account to unlock or create a different user account to continue.
Missing or unauthorized warehouse
The warehouse specified in your connection configuration doesn't exist in Snowflake
or your user account doesn't have grant to use this warehouse.
-
Ensure that the warehouse name is configured correctly.
-
Update the warehouse name in the configuration if your account is using a different warehouse. Create a role and then grant the role to the user for the updated warehouse.
Missing access to non-system databases or schemas
The configured user doesn't have usage grants to any database or schema.
or The configured user doesn't have usage grants to any non-system database or schema.
- This pertains to the information schema method of fetching metadata. Ensure that the user has authorized access to the databases and schemas to be crawled.
- Grant the requisite permissions as outlined here.
Why are some assets from a database or schema missing?
- Check the grants on the role attached to the user defined for the crawler. Ensure the missing database or schema is present in these grants.
SHOW GRANTS TO ROLE atlan_user_role;
Why are new tables or views missing?
- Make sure the role attached to the user defined for the crawler has grants for future tables and views being created in the database:
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database-name>" TO ROLE atlan_user_role; GRANT REFERENCES ON FUTURE TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role; GRANT REFERENCES ON FUTURE VIEWS IN DATABASE "<database-name>" TO ROLE atlan_user_role; GRANT REFERENCES ON FUTURE EXTERNAL TABLES IN DATABASE "<database-name>" TO ROLE atlan_user_role;
- Make sure you run the below commands as well so that new tables and views you've created in-between are also visible to the user:
GRANT USAGE ON ALL SCHEMAS IN DATABASE "<database-name>" TO role atlan_user_role; GRANT REFERENCES ON ALL TABLES IN DATABASE "<database-name>" TO role atlan_user_role; GRANT REFERENCES ON ALL EXTERNAL TABLES IN DATABASE "<database-name>" TO atlan_user_role; GRANT REFERENCES ON ALL VIEWS IN DATABASE "<database-name>" TO role atlan_user_role;
Why is some lineage missing?
- The query miner only mines query history for up to the previous two weeks. The miner will not mine any queries that ran before that time window. If the queries that created your assets ran before that time window, lineage for those assets will not be present.
- To mine more than the previous two weeks of query history, either use S3-based query mining or contact Atlan support. Note that Snowflake itself only retains query history for so long as well, though. Once Snowflake itself no longer contains the query history we will be unable to mine it for lineage.
- Lineage is unsupported for parameterized queries. Snowflake currently does not resolve values for parameterized queries before logging them in query history. This limits Atlan from generating lineage in such cases.
Missing attributes and lineage
- When using the account usage extraction method, there are currently some limitations. We are working with Snowflake to find workarounds for crawling the following:
- External table location data
- Procedures
- Primary key designation
- Furthermore, only database-level filtering is currently possible.
What views does Atlan require access to for the account usage method?
When using the account usage method for fetching metadata, Atlan requires access to the following views in Snowflake:
- For the crawler:
DATABASES
,SCHEMATA
,TABLES
,VIEWS
,COLUMNS
, andPIPES
- For the miner and popularity metrics:
QUERY_HISTORY
,ACCESS_HISTORY
, andSESSIONS
Why am I getting a destination URL mismatch error when authenticating via Okta SSO?
This error can occur when you're connecting to Snowflake through Okta SSO and enter the URL of your Snowflake instance in a format different from the one used in Okta.
Snowflake follows two URL formats:
- Legacy format —
<AccountLocator>.<Region>.snowflakecomputing.com
or<AccountLocator>.<Region>.<cloud>.snowflakecomputing.com
- New URL format —
<Orgname>-<AccountName>.snowflakecomputing.com
Ensure that you're using the same Snowflake URL format in Snowflake and Okta. Refer to Snowflake documentation to learn more.
Why am I getting a 'name or service not known' error when connecting via private link?
If you're getting the following error messages — java.net.UnknownHostException
and Name or service not known
— this is a known error for users who have upgraded to the Snowflake JDBC driver version 3.13.25., have underscores in their account name, and connect to their Snowflake accounts over private link (for example, https://my_account.us-west-2.privatelink.snowflakecomputing.com
).
If your Snowflake account name has an underscore — for example, my_account
— the updated JDBC driver will automatically convert underscores to dashes or hyphens -
. This does not affect normal URLs because Snowflake accepts URLs with both hyphens and underscores.
For private link users, however, the JDBC driver will return an error if there are underscores present in the account name and the connection will fail. To troubleshoot further, refer to Snowflake documentation.