Snowflake is an elastically scalable cloud data warehouse.
Connecting Savant to Snowflake requires some setup in both platforms. It's recommended to set up a service account with the correct permissions in Snowflake before configuring the Savant connector.
Features
Read data from Snowflake
Write data to Snowflake
Requirements
A Snowflake account with the appropriate permissions to create a user and warehouse for Fivetran
Savant role with the required permissions to warehouses, databases, schemas, and tables
Whitelist Savant IPs
Connection Methods:
Savant supports an OAuth connection to Snowflake. This document will provide a step by step guide to setup the connection.
OAuth
Step 1: Create an OAuth client in your Snowflake.
Login to Snowflake as an
ACCOUNTADMIN.Run the following statement to create a Savant role in Snowflake:
CREATE ROLE IF NOT EXISTS savant_role COMMENT = "Access to selected tables for Savant";
GRANT ROLE savant_role TO ROLE SYSADMIN;
GRANT USAGE ON WAREHOUSE "<warehouse>" TO ROLE savant_role;
GRANT USAGE ON DATABASE "<database>" TO ROLE savant_role;
GRANT USAGE ON SCHEMA "<database>"."<schema>"
TO ROLE savant_role;
GRANT SELECT ON ALL TABLES IN SCHEMA "<database>"."<schema>"
TO ROLE savant_role;
GRANT SELECT ON FUTURE TABLES IN SCHEMA "<database>"."<schema>"
TO ROLE savant_role;
GRANT SELECT ON ALL VIEWS IN SCHEMA "<database>"."<schema>"
TO ROLE savant_role;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA "<database>"."<schema>"
TO ROLE savant_role;
Step 2: Update the statement below:
For EU region, change OAUTH_REDIRECT_URI to
https://app-eu.savantlabs.io/api/callbackIf you have a Snowflake network policy that blocks public IPs, make sure to whitelist Savant's IPs and add update the
<network policy>value. Otherwise, remove the line.
CREATE SECURITY INTEGRATION SAVANT_CLIENT
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
OAUTH_REDIRECT_URI = 'https://app.savantlabs.io/api/callback'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
NETWORK_POLICY = '<network policy>'
;
Run the updated statement from above to create an integration.
Run the following statement to retrieve its
client idandclient secret:
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS( 'SAVANT_CLIENT' );
The result is a JSON document with one client id and two client secrets.
Write down the Client Id and one of the Secrets, which will be needed to setup the connection in Savant.
Step 3: Once you have configured the connection in Snowflake, adding the connection to Savant is simple.
Choose the OAuth connection option
Enter the Server you are connecting to (ex:
https://123.us-region1/gcp.snowflakecomputing.com)Enter Client Id from Snowflake (ex:
oLOlP+yDErz8/H/vOpv4g5Gy=)Enter your Client Secret from Snowflake
Enter
savant_rolein RoleEnter your Role, Warehouse and Database from Snowflake, or leave the fields blank opt to use the defaults.
Click Authenticate
SSH Tunnel
Additional properties can be seen when the SSH Tunnel checkbox is selected. Click here to learn more about configuring SSH Tunneling in Savant.
Troubleshooting:
Ensure your
CREATE SECURITY INTEGRATIONstatement is free of typos and that theOAUTH_REDIRECT_URIexactly matches what’s configured in Savant (including protocol, domain, and trailing slash).Rerun
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('SAVANT_CLIENT'), copy one of the secrets exactly (no extra spaces), and re-enter it under Savant’s OAuth setup.As System Admin, confirm
savant_rolehasUSAGEon the warehouse, database, and schema plusSELECTon all current and future tables/views.On Snowflake, query
LOGIN_HISTORYandQUERY_HISTORYfor errors; on Savant, enable debug logging to capture HTTP response codes (e.g. 401, 403, 504) and error messages.