Snowflake Connection

docs/integrations/app-connections/snowflake.mdx

Infisical supports connecting to Snowflake using a Username and a Programmatic Access Token (PAT). PATs are scoped, revocable credentials that authenticate as a Snowflake user without exposing the user's password.

Prerequisites

  • A Snowflake account with permission to create Programmatic Access Tokens.
  • The account identifier for your Snowflake instance, which combines your organization name and account name. You can find it in your Snowflake login URL (https://app.snowflake.com/orgName/accountName/#/account/users) or under Account Details in Snowsight.

Create a Snowflake Programmatic Access Token

<Steps> <Step title="Open Snowsight User Settings"> In [Snowsight](https://app.snowflake.com/), open the sidebar menu and select **Users & Roles** under **Governance & Security**.
    ![Snowflake User Profile](/images/app-connections/snowflake/step-1.png)
</Step>

<Step title="Create a new User">
    Click **Create user** in the top-right corner.

    ![Generate Programmatic Access Token](/images/app-connections/snowflake/step-2.png)
</Step>

<Step title="Configure user details and role">
    Provide a **Username** and assign a role. The role must be able to create and manage secrets in the target database. The snippet below creates a custom role with the grants the sync needs (it uses `ALL PRIVILEGES` on the database and schema for simplicity; the ownership grants on secrets are the part that is strictly required). Assigning the **ACCOUNTADMIN** role also works, but it gives the connection full control of the account, so avoid it outside a throwaway test environment.

    ![Configure User](/images/app-connections/snowflake/step-3.png)

    If you use a custom role, run the following snippet, replacing `SECRET_SYNC_TEST` with your database and `INFISICAL` with the user you just created:

    ```SQL
    -- Grant INFISICAL user access to SECRET_SYNC_TEST
    CREATE ROLE IF NOT EXISTS INFISICAL_ROLE;
    GRANT ROLE INFISICAL_ROLE TO USER INFISICAL; -- Change INFISICAL to be your user

    GRANT ALL PRIVILEGES ON DATABASE SECRET_SYNC_TEST TO ROLE INFISICAL_ROLE;
    GRANT ALL PRIVILEGES ON SCHEMA SECRET_SYNC_TEST.PUBLIC TO ROLE INFISICAL_ROLE;
    GRANT OWNERSHIP ON ALL SECRETS IN SCHEMA SECRET_SYNC_TEST.PUBLIC TO ROLE INFISICAL_ROLE REVOKE CURRENT GRANTS; -- Transfers ownership
    GRANT OWNERSHIP ON FUTURE SECRETS IN SCHEMA SECRET_SYNC_TEST.PUBLIC TO ROLE INFISICAL_ROLE REVOKE CURRENT GRANTS; -- Transfers ownership
    ```

    <Note>
        If you select a custom role, note that **secret ownership is enforced per object**. Existing secrets in the target schema remain owned by their creator unless you transfer ownership. Infisical must use a role that **owns every secret it manages** (required for `CREATE OR REPLACE SECRET` and `DROP SECRET`). If the schema already has secrets, run the `GRANT OWNERSHIP ON ALL SECRETS ...` statement; always keep the `GRANT OWNERSHIP ON FUTURE SECRETS ...` statement.
    </Note>
</Step>

<Step title="Create a network policy">
    Programmatic Access Tokens require an attached network policy that defines the IPs allowed to authenticate as this user.


    ![Go into workspace](/images/app-connections/snowflake/step-4-workspace.png)
    ![Create network policy](/images/app-connections/snowflake/step-4.png)


    ```SQL
    CREATE NETWORK POLICY INFISICAL_SYNC_POLICY
        ALLOWED_IP_LIST = ('0.0.0.0/0')
        COMMENT = 'Allow access from any IP';

    ALTER USER INFISICAL SET NETWORK_POLICY = 'INFISICAL_SYNC_POLICY';
    ```

    <Note>
        Be careful with the IPs you allow in your network policy. Using `0.0.0.0/0` allows access from **any IP address**, which can be dangerous in production. Prefer restricting the list to only the IP ranges that should be allowed to authenticate (for example, your corporate NAT(s) and/or Infisical's outbound IPs if you have them).
    </Note>
</Step>
<Step title="Generate a Programmatic Access Token">
    Open the **Programmatic access tokens** tab and click **Generate new token**. Give the token a descriptive name (e.g. `infisical`), set an expiration that matches your rotation policy, and restrict it to the role created earlier so that a leaked token cannot act as any other role granted to the user.

    ![Generate Programmatic Access Token](/images/app-connections/snowflake/step-5.png)
</Step>
<Step title="Copy the Token">
    Copy the generated token. Snowflake only displays it once — store it somewhere secure for the next step.

    ![Copy Programmatic Access Token](/images/app-connections/snowflake/step-6.png)
</Step>

<Step title="Copy the Snowflake Account">
    Copy the **Account identifier**. The fastest way is to read it from your Snowsight URL (`https://app.snowflake.com/orgName/accountName/#/account/users`), where the identifier is `orgName-accountName`.

    Alternatively, click your username in the bottom-left corner, open **Account details**, and copy the **Account** value from the **Config File** tab.

    ![Account details button](/images/app-connections/snowflake/account-info-left-corner.png)
    ![Account details](/images/app-connections/snowflake/account-details.png)
    ![Account info](/images/app-connections/snowflake/account-info.png)
</Step>
</Steps> <Tip> Create a dedicated Snowflake user (or role) for Infisical rather than reusing a personal account. This keeps the connection's blast radius small and makes it easy to rotate or revoke access independently. </Tip>
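The same setup done from a SQL worksheet instead of Snowsight, as an added example that is not part of the Infisical documentation or product. It creates a service user, a role with narrower grants than the `ALL PRIVILEGES` snippet above, a network policy pinned to one egress range, and the token itself, then runs the checks a practitioner would want before pointing Infisical at the schema. `INFISICAL`, `INFISICAL_ROLE`, `INFISICAL_SYNC_POLICY`, `INFISICAL_SYNC`, `SECRET_SYNC_TEST` and the `203.0.113.0/24` range are placeholders; the `ALTER USER ... PROGRAMMATIC ACCESS TOKEN` statements follow Snowflake's documented syntax at the time of writing and should be checked against the current Snowflake reference before use.

```sql
-- Added example, not Infisical's own SQL. Run as an administrator; all object
-- names and the IP range are placeholders to substitute.
USE ROLE ACCOUNTADMIN;

-- 1. A dedicated service user: TYPE = SERVICE means no password and no MFA
--    enrolment, so the only way in is the PAT (or a key pair).
CREATE USER IF NOT EXISTS INFISICAL
    TYPE = SERVICE
    DEFAULT_ROLE = INFISICAL_ROLE
    COMMENT = 'Infisical secret sync';

-- 2. A role with only what the sync needs: USAGE on the database and schema,
--    CREATE SECRET on the schema, and ownership of every secret in it.
--    Assumption: the sync issues only CREATE OR REPLACE SECRET / DROP SECRET;
--    if it reports a missing privilege, fall back to the ALL PRIVILEGES grants
--    shown in the step above. Assumes SECRET_SYNC_TEST already exists.
CREATE ROLE IF NOT EXISTS INFISICAL_ROLE;
GRANT ROLE INFISICAL_ROLE TO USER INFISICAL;
GRANT USAGE ON DATABASE SECRET_SYNC_TEST TO ROLE INFISICAL_ROLE;
GRANT USAGE, CREATE SECRET ON SCHEMA SECRET_SYNC_TEST.PUBLIC TO ROLE INFISICAL_ROLE;
GRANT OWNERSHIP ON ALL SECRETS IN SCHEMA SECRET_SYNC_TEST.PUBLIC
    TO ROLE INFISICAL_ROLE REVOKE CURRENT GRANTS;
GRANT OWNERSHIP ON FUTURE SECRETS IN SCHEMA SECRET_SYNC_TEST.PUBLIC
    TO ROLE INFISICAL_ROLE REVOKE CURRENT GRANTS;

-- 3. Network policy limited to the range Infisical connects from.
--    203.0.113.0/24 is a documentation-only range; replace it with your own.
CREATE NETWORK POLICY IF NOT EXISTS INFISICAL_SYNC_POLICY
    ALLOWED_IP_LIST = ('203.0.113.0/24')
    COMMENT = 'Infisical egress only';
ALTER USER INFISICAL SET NETWORK_POLICY = INFISICAL_SYNC_POLICY;

-- 4. The token, pinned to the role and expiring in 90 days. The token value is
--    returned once in the result set: paste it into Infisical and do not log it.
ALTER USER INFISICAL ADD PROGRAMMATIC ACCESS TOKEN INFISICAL_SYNC
    ROLE_RESTRICTION = 'INFISICAL_ROLE'
    DAYS_TO_EXPIRY = 90
    COMMENT = 'Infisical app connection';

-- 5. Pre-flight checks.
-- 5a. Any secret in the schema still owned by another role will break
--     CREATE OR REPLACE SECRET and DROP SECRET for the sync. Expect zero rows.
--     (RESULT_SCAN needs an active warehouse in the worksheet session.)
SHOW SECRETS IN SCHEMA SECRET_SYNC_TEST.PUBLIC;
SELECT "name", "owner"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "owner" <> 'INFISICAL_ROLE';

-- 5b. Review what the role can do and what the token is bound to.
SHOW GRANTS TO ROLE INFISICAL_ROLE;
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER INFISICAL;

-- 6. Day-two operations. ROTATE returns a new token value and keeps the old one
--    valid for the stated overlap so the Infisical connection can be updated
--    without downtime; REMOVE revokes it outright.
ALTER USER INFISICAL ROTATE PROGRAMMATIC ACCESS TOKEN INFISICAL_SYNC
    EXPIRE_ROTATED_TOKEN_AFTER_HOURS = 1;
-- ALTER USER INFISICAL REMOVE PROGRAMMATIC ACCESS TOKEN INFISICAL_SYNC;
```

Because the token carries `ROLE_RESTRICTION`, a session opened with it can only use `INFISICAL_ROLE`, even if the user is later granted wider roles; combined with the network policy, a leaked token is usable only from the allowed range and only for secret management in the one schema.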

Create Snowflake Connection in Infisical

<Tabs> <Tab title="Infisical UI"> <Steps> <Step title="Navigate to App Connections"> In your Infisical dashboard, go to **Organization Settings** → **App Connections**.
            ![App Connections Tab](/images/app-connections/general/add-connection.png)
        </Step>
        <Step title="Select Snowflake Connection">
            Click **Add Connection** and choose **Snowflake** from the list of available connections.

            ![Select Snowflake Connection](/images/app-connections/snowflake/snowflake-app-connection-option.png)
        </Step>
        <Step title="Fill out Connection Form">
            Complete the form with:
            - A **name** for the connection (e.g. `snowflake-prod`)
            - An optional **description**
            - The Snowflake **Account** identifier (e.g. `orgName-accountName`)
            - The Snowflake **Username** (the name of the user created above)
            - The **Programmatic Access Token** generated in the previous section

            ![Snowflake Connection Form](/images/app-connections/snowflake/snowflake-app-connection-form.png)
        </Step>
        <Step title="Connection Created">
            After clicking **Create**, Infisical validates the credentials by opening a connection to your Snowflake account. Once validated, your **Snowflake Connection** is ready to use.

            ![Snowflake Connection Created](/images/app-connections/snowflake/snowflake-app-connection-created.png)
        </Step>
    </Steps>
</Tab>
<Tab title="API">
    Create a Snowflake connection via the API. The request must be authenticated with an Infisical access token, and the `account` value takes the same identifier you use in Snowsight (`orgName-accountName`); the legacy account locator form (`xy12345.us-east-1`) shown below is also accepted. Note that the Programmatic Access Token is sent in the `password` field.

    ### Sample request

    ```bash Request
    curl --request POST \
      --url https://app.infisical.com/api/v1/app-connections/snowflake \
      --header 'Authorization: Bearer <YOUR-INFISICAL-ACCESS-TOKEN>' \
      --header 'Content-Type: application/json' \
      --data '{
        "name": "my-snowflake-connection",
        "method": "username-and-token",
        "credentials": {
          "account": "xy12345.us-east-1",
          "username": "<YOUR-SNOWFLAKE-USERNAME>",
          "password": "<YOUR-PROGRAMMATIC-ACCESS-TOKEN>"
        }
      }'
    ```

    ### Sample response

    ```json Response
    {
      "appConnection": {
        "id": "e5d18aca-86f7-4026-a95e-efb8aeb0d8e6",
        "name": "my-snowflake-connection",
        "description": null,
        "version": 1,
        "orgId": "6f03caa1-a5de-43ce-b127-95a145d3464c",
        "createdAt": "2025-04-23T19:46:34.831Z",
        "updatedAt": "2025-04-23T19:46:34.831Z",
        "isPlatformManagedCredentials": false,
        "app": "snowflake",
        "method": "username-and-token",
        "credentials": {
          "account": "xy12345.us-east-1",
          "username": "<YOUR-SNOWFLAKE-USERNAME>"
        }
      }
    }
    ```
</Tab>
</Tabs>