Connect to Snowflake

Sigma supports secure connections to Snowflake.

📘

For information about Sigma feature compatibility with Snowflake connections, see Region, warehouse, and feature support.

This document explains how to connect your organization to a Snowflake warehouse from Sigma.

📘

If you do not already have a Sigma Organization created, you can use Snowflake Partner Connect to create an organization and connect your Snowflake database with just a few clicks. You must have the ACCOUNTADMIN role in Snowflake to use Snowflake Partner Connect. To sign up with Snowflake Partner Connect, select Sigma from the Partner Connect list, then click Connect in the Connect to Sigma modal.

For an end-to-end walkthrough of an OAuth configuration using Snowflake and Okta, see the Open Authorization (OAuth) QuickStart.

Requirements

  • You must be assigned the Admin account type.
  • You must be able to provide the credentials for a Snowflake user in a role that has USAGE privileges to the necessary databases and schemas, and SELECT privileges to the necessary tables.

Sigma queries the Snowflake connection every 24 hours to index the catalogs, schemas, tables, and views. This process is automated, and reads from the Snowflake metadata in the cloud services layer. Under normal usage, this process results in 0 credit consumption; however in cases where there is minimal usage in a 24 hour period, credit consumption may occur. See Understanding overall cost in the Snowflake documentation.

Create a Snowflake connection in Sigma

To create a Snowflake connection, perform the following steps in Sigma:

Add a connection and specify connection details

  1. Click the user icon at the top right of your screen.
    The user icon is usually composed of your initials.

  2. In the drop-down menu, select Add connection. The Add new connection page appears.

  3. In the Connection details, specify the following:

NameEnter a Name for the new connection. Sigma displays this name in the connection list.
TypeSelect the Snowflake tile.

Specify your connection credentials

In the Connection Credentials section, fill out the required fields:

  1. [optional] If you access Snowflake using a proxy server, turn on the Use Custom Host toggle, then enter the Snowflake Custom Host name.

  2. In the Account field, enter the Snowflake account name. For details on how to format your account name, see Using an account name as an identifier in the Snowflake documentation.

  3. In the Warehouse field, enter your warehouse’s name as listed in Snowflake.

📘

To set the warehouse using user attributes, click Set by user attributes in the Warehouse field . See Configure user attributes on a Snowflake connection.

  1. If you set your Warehouse field using user attributes and you plan to use input tables on this connection, provide a warehouse name in the Service Account Warehouse field that the service account can use in cases of dynamic warehouse switching. See Warehouse Switching in the Dynamic Role Switching with Snowflake QuickStart.

  2. Click the caret () next to Authentication, choose your authentication method, then fill in the required fields for the method you select:

🚩

Snowflake recommends using key pair authentication or OAuth for programmatic service users, and you can enforce that with authentication policies. See Snowflake Strengthens Security with Default Multi-Factor Authentication and Stronger Password Policies in the Snowflake blog.

Connect to Snowflake with key pair authentication

To authenticate the connection using a combination of public and private RSA key pairs, select Key Pair as your authentication method.

This method requires that you have a public and private key already created, and a Snowflake user configured with the public key. See Key-pair authentication and key-pair rotation in the Snowflake documentation. If you have a multi-factor authentication (MFA) policy applied, exclude this user from the MFA policy. For a full walkthrough of all prerequisite steps as well as detailed steps on how to rotate your keys, see the Snowflake Key-pair Auth QuickStart.

  1. In the User field, enter the Snowflake username that is configured with the public key.

  2. In the Private Key field, paste the private key text, including the header.

    Connection Credentials form with required fields for key-pair authentication filled in

  3. [optional] If you configured one, enter the Private Key Passphrase.

  4. [optional] Enter a Snowflake Role to be used on this connection. If no role is provided, the user's default role in Snowflake is used.

📘

To set the role using user attributes, click Set by user attributes in the Role field. See Configure user attributes on a Snowflake connection.

  1. If you set your Role field using user attributes and you plan to use input tables on this connection, provide a Service Account Role that the service account can use in cases of dynamic role switching. If not set, the service account's role will be the default role set for the user in Snowflake. See the Dynamic Role Switching with Snowflake QuickStart.

Next, see Configure write access and Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Connect to Snowflake with OAuth

If you have OAuth enabled on your organization and you want to use it on the connection select OAuth as your authentication method.

  1. [optional] If you are using OAuth to authenticate users to your Sigma organization with an external IdP (Okta, Azure AD, Auth0, or PingIndentity) and you want to re-use that OAuth configuration for this connection, enable the toggle next to Use organization-level OAuth configuration. If you do not use OAuth as your authentication method for your Sigma organization, this option is not present. If you enable this toggle, skip to step 3.

  2. If you do not have an organization-level OAuth configuration, or if you do not wish to re-use the your organization-level OAuth configuration, set up a unique OAuth configuration for this connection.

    📘

    The option to configure a unique OAuth application to authenticate users to a connection – in other words, opting to not re-use the OAuth configuration you use at the organization level – is a public beta feature and is subject to limitations.

    See Use different OAuth configurations for authenticating users to your connections than you use for your Sigma organization (Beta).

    Complete the procedure in Configure a Sigma OAuth application before filling out the fields in the OAuth Features section.

    1. [optional] Enter any additional Scopes to further specify the access of the OAuth token. The default scopes openid, profile, email, and session:role-any are required. The default scope offline_access is recommended but not required. For more information about these scopes, see Step 3: Create an authorization server in Configure a Sigma OAuth application.
    2. In the Metadata URI field, enter the OAuth metadata URI. For instructions on how to obtain this value, see Step 3: Create an authorization server in Configure a Sigma OAuth application.
    3. In the Client ID field, enter the client ID from your OAuth application. For instructions on how to obtain this value, see Step 1: Create an app for Sigma in your IdP in Configure a Sigma OAuth application.
    4. [optional] If you did not enable PKCE in your OAuth application, enter the client secret from your OAuth application in the Client Secret field. For instructions on how to obtain this value, see Step 1: Create an app for Sigma in your IdP in Configure a Sigma OAuth application. After you enter and save this value, Sigma does not display it.
    5. [optional] Check the box next to Require PKCE if you want to use Proof Key for Code Exchange to further authenticate this connection. Only select this option if you configured your Sigma OAuth application to require PKCE. See Step 1: Create an app for Sigma in your IdP in in Configure a Sigma OAuth application.
    6. [optional] Check the box next to Use JWT bearer tokens if you want to use JSON Web Tokens to further authenticate this connection. Only select this option if you configured your Sigma OAuth application to use JWT bearer tokens (or public key / private key). See Step 1: Create an app for Sigma in your IdP in Configure a Sigma OAuth application.
  3. Determine whether you need a Service Account. There are three reasons to configure a service account:

    • If you enable write access on this connection, a service account is required. Sigma uses the service account to log all edits made to all input tables on this connection.
    • If you use Sigma’s public embedding features, a service account is required. Service account credentials are used to run queries on publicly embedded dashboards.
    • If you want admins to be able to configure individual workbooks to run using a service account rather than each individual’s OAuth credentials, a service account is required. See Run a workbook with service account credentials.
  4. If you determine that you need a service account, turn on the Service Account switch, then enter a User and Password for the Snowflake service account.

📘

A service account is a Snowflake user created for administrative purposes in Sigma. It is the same as any other Snowflake user. The user must be granted the role you want to use for your connection, and that role must be granted USAGE privilege on the warehouse. If you have a multi-factor authentication (MFA) policy applied, exclude the service account from this policy.

Your service account must be added to the OAuth user list like all other OAuth accounts on the connection. See Configure a Sigma OAuth application.

  1. [optional] Enter a Snowflake Role to be used on this connection. If no role is provided, the user's default role in Snowflake is used.

Next, see Configure write access and Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Connect to Snowflake with basic authentication

To connect with a username and password, select Basic Auth as your authentication method.

🚩

Sigma Computing recommends transitioning away from using basic authentication when connecting to Snowflake. For improved security, use key pair or OAuth authentication instead.

If you have a multi-factor authentication (MFA) policy applied, exclude this user from the MFA policy.

  1. In the User field, enter a Snowflake username.

  2. In the Password field, enter a Snowflake password.

  3. [optional] Enter a Snowflake Role to be used on this connection. If no role is provided, the user’s default role in Snowflake is used.

📘

To set the role using user attributes, click Set by user attributes in the Role field. See Configure user attributes on a Snowflake connection.

  1. If you set your Role field using user attributes and you plan to use input tables on this connection, provide a Service Account Role that the service account can use in cases of dynamic role switching. If not set, the service account's role will be the default role set for the user in Snowflake. See the Dynamic Role Switching with Snowflake QuickStart.

Next, see Configure write access and Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Configure write access

Write access is necessary for the following features:

The steps to configure write access differ depending on the authentication method used for the connection. Follow the instructions that match your authentication option:

Configure write access on a connection with Basic Auth or Key Pair Auth

Configuring write access requires setting up a dedicated database and schema in Snowflake and granting the necessary privileges. To enable write access, grant the Snowflake user that you use to configure the Sigma connection a role with the following privileges:

ObjectPrivilege
DatabaseUSAGE
SchemaUSAGE, CREATE TABLE, CREATE VIEW, CREATE STAGE

Turn on the switch next to Enable write access. Then, configure these fields:

  1. In the Write database field, enter the name of the database where Sigma should store write-back data.

  2. In the Write schema field, enter the database schema where Sigma should store write-back data.

  3. [optional] In the Materialization warehouse field, enter a separate warehouse to run queries that perform materialization. If you don't specify a materialization warehouse, Sigma uses the primary warehouse for this connection.

  4. [optional] By default, Sigma uses dynamic tables for incremental materialization. If you do not want to use dynamic tables, turn off the Use dynamic tables switch. See About materialization (Beta) for more details.

Next, see Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Configure write access on a connection with OAuth

Configuration of write access requires setting up dedicated databases and schemas in Snowflake granting the necessary permissions. See Configure OAuth with write access for all prerequisite steps.

Enable the toggle next to Enable write access. Then, configure these fields:

  1. Provide at least one Destination where Snowflake should store write back data from Sigma. Use the format DATABASE.SCHEMA.

  2. [optional] Enter additional destinations as needed, depending on how you want to partition the data that Sigma writes back to your data warehouse. For example, you might create separate destinations for different teams and set up your team and schema permissions to ensure that each team has access to their designated destinations.

  3. [optional] In the Input table edit log destination field, provide an additional DATABASE.SCHEMA destination specifically to log all edits made to input tables on this connection. This DATABASE.SCHEMA should be used only for this purpose. Only your service account should have access to write to this schema. If you leave this field blank, input tables cannot be created on this connection.

  4. [optional] In the Materialization warehouse field, enter a separate warehouse to run queries that perform materialization. If you don't specify a materialization warehouse, Sigma uses the primary warehouse for this connection.

  5. [optional] By default, Sigma uses dynamic tables for incremental materialization. If you do not want to use dynamic tables, turn off the Use dynamic tables switch. See About materialization (Beta) for more details.

Next, see Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Configure connection features

In the Connection Features section, specify the following:

  1. In the Connection timeout field, specify the amount of time, in seconds, that Sigma should wait for the query to return results before timing out. The default in 120 seconds. The maximum is 600 seconds (10 minutes).

  2. [optional] If you do not want Sigma to automatically make column names from the data source more readable, turn off the Use friendly names switch. For example, with Use friendly names enabled, a database column ORDER_NUMBER appears as Order Number.

  3. [optional] In the Export warehouse field, enter the name of the virtual warehouse created for export queries. For more details, see Configure an export warehouse.

Finish creating your connection

After you specify all the parameters of the connection, click Create.

  1. Click Create at the top right of the screen to create your connection. Sigma displays a connection summary on the screen.

  2. Click Browse Connection, then click Add permission to grant data access for users in your organization. See Data permissions.

    The permission summary on the connection, showing that no users have access to this connection yet

  3. Use the navigation in the left panel to explore the schemas and tables in your connection.

    The browse connection view, showing a table available through the connection