Skip to main content

Snowflake Connector Setup

Connector Setup for Snowflake

Updated over 2 weeks ago

Snowflake is an elastically scalable cloud data warehouse.

Connecting Savant to Snowflake requires some setup in both platforms. It's recommended to set up a service account with the correct permissions in Snowflake before configuring the Savant connector.

Features

  • Read data from Snowflake

  • Write data to Snowflake

Requirements

  • A Snowflake account with the appropriate permissions to create a user and warehouse for Fivetran

  • Savant role with the required permissions to warehouses, databases, schemas, and tables

  • Whitelist Savant IPs

Connection Methods:

Savant supports an OAuth connection to Snowflake. This document will provide a step by step guide to setup the connection.

OAuth

Step 1: Create an OAuth client in your Snowflake.

  • Login to Snowflake as an ACCOUNTADMIN.

  • Run the following statement to create a Savant role in Snowflake:

CREATE ROLE IF NOT EXISTS savant_role COMMENT = "Access to selected tables for Savant";

GRANT ROLE savant_role TO ROLE SYSADMIN;

GRANT USAGE ON WAREHOUSE "<warehouse>" TO ROLE savant_role;

GRANT USAGE ON DATABASE "<database>" TO ROLE savant_role;

GRANT USAGE ON SCHEMA "<database>"."<schema>"
TO ROLE savant_role;

GRANT SELECT ON ALL TABLES IN SCHEMA "<database>"."<schema>"
TO ROLE savant_role;

GRANT SELECT ON FUTURE TABLES IN SCHEMA "<database>"."<schema>"
TO ROLE savant_role;

GRANT SELECT ON ALL VIEWS IN SCHEMA "<database>"."<schema>"
TO ROLE savant_role;

GRANT SELECT ON FUTURE VIEWS IN SCHEMA "<database>"."<schema>"
TO ROLE savant_role;

Step 2: Update the statement below:

  • For EU region, change OAUTH_REDIRECT_URI to https://app-eu.savantlabs.io/api/callback

  • If you have a Snowflake network policy that blocks public IPs, make sure to whitelist Savant's IPs and add update the <network policy> value. Otherwise, remove the line.

CREATE SECURITY INTEGRATION SAVANT_CLIENT
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
OAUTH_REDIRECT_URI = 'https://app.savantlabs.io/api/callback'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
NETWORK_POLICY = '<network policy>'
;
  • Run the updated statement from above to create an integration.

  • Run the following statement to retrieve its client id and client secret:

SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS( 'SAVANT_CLIENT' );

  • The result is a JSON document with one client id and two client secrets.

  • Write down the Client Id and one of the Secrets, which will be needed to setup the connection in Savant.

Step 3: Once you have configured the connection in Snowflake, adding the connection to Savant is simple.

  • Choose the OAuth connection option

  • Enter the Server you are connecting to (ex: https://123.us-region1/gcp.snowflakecomputing.com)

  • Enter Client Id from Snowflake (ex: oLOlP+yDErz8/H/vOpv4g5Gy=)

  • Enter your Client Secret from Snowflake

  • Enter savant_role in Role

  • Enter your Role, Warehouse and Database from Snowflake, or leave the fields blank opt to use the defaults.

  • Click Authenticate

SSH Tunnel

Additional properties can be seen when the SSH Tunnel checkbox is selected. Click here to learn more about configuring SSH Tunneling in Savant.

Troubleshooting:

  • Ensure your CREATE SECURITY INTEGRATION statement is free of typos and that the OAUTH_REDIRECT_URI exactly matches what’s configured in Savant (including protocol, domain, and trailing slash).

  • Rerun SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('SAVANT_CLIENT'), copy one of the secrets exactly (no extra spaces), and re-enter it under Savant’s OAuth setup.

  • As System Admin, confirm savant_role has USAGE on the warehouse, database, and schema plus SELECT on all current and future tables/views.

  • On Snowflake, query LOGIN_HISTORY and QUERY_HISTORY for errors; on Savant, enable debug logging to capture HTTP response codes (e.g. 401, 403, 504) and error messages.

Did this answer your question?