Documentation
HomeCommunityQuickStartsStatus
Start typing to search…

Connect to Snowflake

Sigma supports secure connections to Snowflake.

📘

For information about Sigma feature compatibility with Snowflake connections, see Region, warehouse, and feature support.

This document explains how to connect your Sigma organization to a Snowflake account.

If you do not already have a Sigma organization created, you can use Snowflake Partner Connect to create an organization and connect your Snowflake database with just a few clicks. You must have the ACCOUNTADMIN role in Snowflake to use Snowflake Partner Connect. To sign up with Snowflake Partner Connect, select Sigma from the Partner Connect list, then click Connect in the Connect to Sigma modal.

For an end-to-end walkthrough of an OAuth configuration using Snowflake and Okta, see the Open Authorization (OAuth) QuickStart.

Requirements

  • You must be assigned the Admin account type.
  • If you configure Snowflake with key pair authentication, you must know the login_name of the user associated with the public key, which can be different from the user name. Find the login_name for any user by running the DESCRIBE USER command in Snowflake. Find all valid names for the DESCRIBE USER command with the ALL_USER_NAMES function.
  • You must be able to provide the credentials for a Snowflake user granted a role that has USAGE privileges to the necessary databases and schemas, and SELECT privileges to the necessary tables.

Considerations when connecting Sigma to Snowflake

Sigma reflects your Snowflake role configurations. If USE SECONDARY ROLES is set to ALL for a user, the user can access data available to secondary roles granted to the user. For more details about primary and secondary roles in Snowflake, see "Authorization through primary role and secondary roles" in the Overview of Access Control in the Snowflake documentation.

🚩

Sigma queries the Snowflake connection every 24 hours to index the databases, schemas, tables, and views. This process is automated, and reads from the Snowflake metadata in the cloud services layer. Under normal usage, this process results in minimal credit consumption; however in cases where there is minimal usage in a 24 hour period, higher credit consumption may occur. Snowflake connections without service accounts and authentication currently aren't indexed for cost reasons. To learn more about the cloud service layer and costs, see Understanding overall cost in the Snowflake documentation.

Create a Snowflake connection in Sigma

To create a Snowflake connection, perform the following steps in Sigma:

  1. Add a connection and specify connection details

  2. Specify your connection credentials

  3. Configure an authentication method:

  4. (Optional) Configure write access

  5. Configure connection features

Add a connection and specify connection details

  1. Click the user icon at the top right of your screen. The user icon is usually composed of your initials.

  2. In the drop-down menu, select Add connection. The Add new connection page appears.

  3. In the Connection details, specify the following:

NameEnter a Name for the new connection. Sigma displays this name in the connection list.
TypeSelect Snowflake.

Specify your connection credentials

In the Connection Credentials section, fill out the required fields:

  1. (Optional) If you access Snowflake using a proxy server, turn on the Use Custom Host toggle, then enter the Snowflake Custom Host name.

  2. In the Account field, enter the Snowflake account name. For details on how to format your account name, see Using an account name as an identifier in the Snowflake documentation.

  3. In the Warehouse field, enter the name of the warehouse as it is listed in Snowflake. This warehouse is used to run all queries generated from Sigma.

    📘

    To instead set a different warehouse for different users or teams, you can set the warehouse using user attributes. Click Set by user attributes in the Warehouse field . See Dynamically assign roles used by a connection.

  4. If you set your Warehouse field using user attributes and you plan to use input tables on this connection, provide a warehouse name in the Service Account Warehouse field that a service account can use. For more details, see Warehouse Switching in the Dynamic Role Switching with Snowflake QuickStart.

  5. Choose the authentication method that you plan to use to connect to Snowflake. Next to Authentication, click the down arrow (), then choose your authentication method. For the method that you select, complete the required fields:

Authentication TypeConsiderations
Key-Pair

Authenticate to your Snowflake data warehouse using a private key.

The connection is configured to use a service account and you can delegate user access through the service account. You can parameterize this connection to use a different role and warehouse on a per-user or per-team basis with Sigma user attributes, as long as the service account has access to the requested role and warehouse. Any form of authentication to Sigma is supported.

Recommended when your users don't have accounts in Snowflake, or when you don't want your Snowflake policies or grants to be inherited by users in Sigma.

Connection-level OAuth (Beta)

Authenticate to your Snowflake account using OAuth. The OAuth configuration is specific to the Snowflake connection.

All users gain access to data in Sigma based on their roles in Snowflake. Policies you apply in Snowflake also apply in Sigma, such as RLS or other RBAC policies. For this method, you can sign in to Sigma through any method while using a dedicated OAuth configuration to access your Snowflake account from Sigma. When users access data on the connection, they log in and gain access as individual users to the connected Snowflake account.

This method is recommended when Sigma users have user accounts in Snowflake and you want your Snowflake policies and grants to be inherited in Sigma on a per-user basis, but you want to use a different authentication method or OAuth authorization server to authenticate users into Sigma and Snowflake.

Organization-level OAuth

Authenticate to a Snowflake account using the same OAuth configuration that you use to manage authentication to your Sigma organization. When a user logs in to Sigma using OAuth, Sigma receives an OAuth token which it uses to automatically sign the user in to Snowflake.

All user access to Snowflake is based on an individual user’s grants and access in Snowflake. Any policies that you apply in Snowflake apply in Sigma, such as RLS or other RBAC policies.

This method is recommended when your users have accounts in Snowflake and you want your Snowflake policies and grants to be inherited in Sigma on a per-user basis and you want to use the same OAuth server to authenticate both Sigma and Snowflake.

🚩

Snowflake will no longer be supporting username and password authentication and recommends using key pair authentication or OAuth for programmatic service users. See Snowflake Strengthens Security with Default Multi-Factor Authentication and Stronger Password Policies in the Snowflake blog.

Connect to Snowflake with key pair authentication

To authenticate the connection using a combination of public and private RSA key pairs, select Key Pair as your authentication method.

This method requires that you have a public and private key already created, and a Snowflake user configured with the public key. For instructions, see Key-pair authentication and key-pair rotation in the Snowflake documentation. If you have a multi-factor authentication (MFA) policy applied, exclude this user from the MFA policy. For a full walkthrough of all prerequisite steps, as well as detailed steps on how to rotate your keys, see the Snowflake Key-pair Auth QuickStart.

  1. In the User field, enter the Snowflake login name that is configured with the public key. Retrieve the login name for a user by running the DESCRIBE USER command in Snowflake.

  2. In the Private Key field, paste the private key text, including the header.

    Connection Credentials form with required fields for key-pair authentication filled in

  3. (Optional) If you configured one, enter the Private Key Passphrase.

  4. (Optional) Enter a Snowflake Role to be used on this connection. If no role is provided, the user's default role in Snowflake is used.

    To dynamically set the role based on a user attribute value assigned in Sigma, click Set by user attributes in the Role field. See Dynamically assign roles used by a connection.

  5. If you set your Role field using user attributes and you plan to use input tables on this connection, provide a Service Account Role that the service account can use in cases of dynamic role switching. If not set, the service account's role will be the default role set for the user in Snowflake. See the Dynamic Role Switching with Snowflake QuickStart.

Next, see Configure write access and Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Connect to Snowflake with OAuth

If you want to use OAuth to connect to Snowflake, see Connect to Snowflake with OAuth.

Connect to Snowflake with basic authentication

To connect with a username and password, select Basic Auth as your authentication method.

🚩

Snowflake will block all users, including service users, from using single-factor authentication by late 2026. You must transition to multi-factor authentication by that time. For full details on Snowflake's deprecation plan, see Planning for the deprecation of single-factor password sign-ins.

Sigma recommends transitioning away from using basic authentication when connecting to Snowflake. For improved security, use key pair or OAuth authentication instead.

If you have a multi-factor authentication (MFA) policy applied, exclude this user from the MFA policy.

  1. In the User field, enter a Snowflake login_name. In Snowflake, login_name is different from user name. Find login_name for any user with the describe user command in Snowflake. Find all valid names for the describe user command with the all_user_names command in Snowflake.

  2. In the Password field, enter a Snowflake password.

  3. [optional] Enter a Snowflake Role to be used on this connection. If no role is provided, the user’s default role in Snowflake is used.

    📘

    To set the role using user attributes, click Set by user attributes in the Role field. See Dynamically assign roles used by a connection.

  4. If you set your Role field using user attributes and you plan to use input tables on this connection, provide a Service Account Role that the service account can use in cases of dynamic role switching. If not set, the service account uses the default role set for the user in Snowflake. See the Dynamic Role Switching with Snowflake QuickStart.

Next, see Configure write access and Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Configure write access

Write access is required to use any of the following features:

📘

When you enable write access, binary input and output must be set to the hex format. See Binary input and output in the Snowflake documentation.

The steps to configure write access differ depending on the authentication method used for the connection. Follow the instructions that match your authentication option:

Configure write access on a connection with Basic Auth or Key Pair Auth

Configuring write access requires setting up a dedicated database and schema in Snowflake and granting the necessary privileges.

Before enabling write access, grant the Snowflake user that you use to configure the Sigma connection a role with the following privileges:

ObjectPrivilege
DatabaseUSAGE
SchemaUSAGE, CREATE TABLE, CREATE VIEW, CREATE STAGE
📘

To perform incremental materialization with dynamic tables, the primary role used by the connection must also be granted the privileges listed in Privileges to create a dynamic table in the Snowflake documentation.

Turn on the Enable write access toggle, then configure the following fields:

  1. In the Write database field, enter the name of the database where Sigma should store write-back data.

  2. In the Write schema field, enter the database schema where Sigma should store write-back data.

  3. [optional] In the Materialization warehouse field, enter a separate warehouse to run queries that perform materialization. If you don't specify a materialization warehouse, Sigma uses the primary warehouse for this connection.

  4. [optional] By default, Sigma uses dynamic tables for incremental materialization. If you do not want to use dynamic tables, turn off the Use dynamic tables switch. See About materialization for more details.

Next, see Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Configure write access on a connection with OAuth

After setting up OAuth for the connection, configure write access.

Configuring write access requires setting up dedicated databases and schemas in Snowflake and granting the necessary privileges. See Configure OAuth with write access for details and best practices.

Turn on the Enable write access toggle, then configure the following fields:

  1. Provide at least one Destination where Snowflake should store write back data from Sigma. Use the format DATABASE.SCHEMA.

  2. [optional] Enter additional destinations as needed, depending on how you want to partition the data that Sigma writes back to your data warehouse. For example, you might create separate destinations for different teams and set up your team and schema permissions to ensure that each team has access to their designated destinations.

  3. [optional, but required to use input tables] In the Input table edit log destination field, provide an additional DATABASE.SCHEMA destination specifically to log all edits made to input tables on this connection. This DATABASE.SCHEMA should be used only for this purpose. Only your service account should have access to write to this schema. If you leave this field blank, input tables cannot be created on this connection.

  4. [optional] In the Materialization warehouse field, enter a separate warehouse to run queries that perform materialization. If you don't specify a materialization warehouse, Sigma uses the primary warehouse for this connection.

  5. [optional] By default, Sigma uses dynamic tables for incremental materialization. If you do not want to use dynamic tables, turn off the Use dynamic tables switch. See About materialization (Beta) for more details.

Next, see Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.

Configure connection features

In the Connection Features section, specify the following:

  1. In the Connection timeout field, specify the amount of time, in seconds, that Sigma should wait for the query to return results before timing out. The default in 120 seconds. The maximum is 600 seconds (10 minutes).

  2. [optional] If you do not want Sigma to automatically make column names from the data source more readable, turn off the Use friendly names switch. For example, with Use friendly names enabled, a database column ORDER_NUMBER or OrderNumber appears as Order Number.

  3. [optional] In the Export warehouse field, enter the name of the virtual warehouse created for export queries. For more details, see Configure an export warehouse.

Finish creating your connection

After you specify all of the parameters for the connection, click Create.

  1. Click Create at the top right of the screen to create your connection. Sigma displays a connection summary on the screen.

  2. Click Browse Connection, then click Grant access to grant data access for users in your organization. See Data access overview.

  3. Use the navigation in the left panel to explore the schemas and tables in your connection.

    The browse connection view, showing a table available through the connection

Updated about 14 hours ago

Related resources
Resources
Sigma home
Blog
Learn
Sigma Community
© Sigma Computing