Snowflake
Configuring Veza for Snowflake data lake discovery
This document provides steps to configure the Veza integration for Snowflake. For more details see Notes and Supported Entities.
Setup
Snowflake Configuration
You will need to create a local Snowflake user for Veza to use at runtime. This user must:
Have a Snowflake role granting the usage privilege on a virtual warehouse, enabling Veza to execute queries using the warehouse. The warehouse can be the default compute_wh already available in most Snowflake environments, or a dedicated warehouse created for Veza.
Have read access to the snowflake database.
To provision the account, connect to Snowflake and execute the following SnowSQL commands (update the bracketed values to use the correct user name, password, and role):
Using an alternative Snowflake database name
It is not possible to restrict a custom role's access to specific views in the ACCOUNT_USAGE schema of the snowflake database. However, creating a new database containing copies of only the necessary views will limit Veza's access to the minimum required permissions.
Use the SnowSQL commands provided below to create a local user, create the required views, and grant minimum required permissions. Provide the custom database name when adding the integration to Veza.
Enable role type extraction
If you were using an alternative database for the integration prior to the 2023.10.30 release, you will need updated permissions to collect the metadata.
Update the bracketed values to match the actual database and role name, and run:
Enable tag extraction
Create a Network Security Policy to block non-Veza IPs
Where ip_range is the support-provided list of IPs in CIDR notation, for example 192.168.1.0/24.
Adjust warehouse autosuspend to reduce uptime after extractions
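The SnowSQL statements for the steps above (dedicated role and user, usage on the warehouse, read access to the snowflake database, the network policy, and a short warehouse auto-suspend) can be rendered from one script and run with snowsql -f. The script below is an added example, not Veza's or Snowflake's own commands: the object names (veza_user, veza_role, veza_network_policy, veza_db) and the 60-second AUTO_SUSPEND are assumptions, the password is left as a placeholder so it is never written to disk or shell history, and the list of ACCOUNT_USAGE views copied into the alternative database is supplied by you from the official commands rather than assumed here.

```shell
#!/bin/sh
# Added example (not Veza's or Snowflake's own script): renders the SnowSQL
# statements for a least-privilege Veza service user. All object names are
# assumptions; override them through the environment variables below.
set -eu

VEZA_USER="${VEZA_USER:-veza_user}"
VEZA_ROLE="${VEZA_ROLE:-veza_role}"
VEZA_WAREHOUSE="${VEZA_WAREHOUSE:-compute_wh}"
VEZA_POLICY="${VEZA_POLICY:-veza_network_policy}"

# quote_ip_list "a/24,b/8" -> 'a/24', 'b/8'   (the form ALLOWED_IP_LIST expects)
quote_ip_list() (
  IFS=','
  set -- $1
  out=""
  for cidr in "$@"; do
    out="${out:+${out}, }'${cidr}'"
  done
  printf '%s' "$out"
)

# render_provisioning_sql USER ROLE WAREHOUSE POLICY IP_RANGE
# Prints the baseline statements. The password stays a placeholder on purpose:
# set it interactively in Snowflake instead of embedding it in a script.
render_provisioning_sql() {
  user=$1 role=$2 wh=$3 policy=$4 ip_range=$5
  cat <<EOF
-- Dedicated role and user for Veza (replace the placeholder password when running).
CREATE ROLE IF NOT EXISTS ${role};
CREATE USER IF NOT EXISTS ${user}
  PASSWORD = '<REPLACE_WITH_STRONG_PASSWORD>'
  DEFAULT_ROLE = ${role}
  DEFAULT_WAREHOUSE = ${wh}
  MUST_CHANGE_PASSWORD = FALSE;
GRANT ROLE ${role} TO USER ${user};

-- Warehouse: USAGE only, so Veza can run queries but not resize or drop it.
GRANT USAGE ON WAREHOUSE ${wh} TO ROLE ${role};

-- Read access to the shared snowflake database (ACCOUNT_USAGE views).
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE ${role};

-- Network policy: only the support-provided Veza CIDR range(s) may log in as this user.
CREATE NETWORK POLICY ${policy} ALLOWED_IP_LIST = ($(quote_ip_list "$ip_range"));
ALTER USER ${user} SET NETWORK_POLICY = ${policy};

-- Suspend the warehouse 60 seconds after an extraction finishes (assumed value).
ALTER WAREHOUSE ${wh} SET AUTO_SUSPEND = 60;
EOF
}

# render_scoped_database_sql DB ROLE VIEW...
# Alternative to IMPORTED PRIVILEGES: a database holding copies of only the
# ACCOUNT_USAGE views Veza needs, with SELECT granted per view.
render_scoped_database_sql() {
  db=$1 role=$2
  shift 2
  cat <<EOF
-- Database containing copies of only the required ACCOUNT_USAGE views.
CREATE DATABASE IF NOT EXISTS ${db};
CREATE SCHEMA IF NOT EXISTS ${db}.account_usage;
GRANT USAGE ON DATABASE ${db} TO ROLE ${role};
GRANT USAGE ON SCHEMA ${db}.account_usage TO ROLE ${role};
EOF
  for v in "$@"; do
    cat <<EOF
CREATE OR REPLACE VIEW ${db}.account_usage.${v} AS SELECT * FROM snowflake.account_usage.${v};
GRANT SELECT ON VIEW ${db}.account_usage.${v} TO ROLE ${role};
EOF
  done
}

# Stand-alone usage:  sh veza_setup.sh > veza_setup.sql && snowsql -f veza_setup.sql
render_provisioning_sql "$VEZA_USER" "$VEZA_ROLE" "$VEZA_WAREHOUSE" "$VEZA_POLICY" "${VEZA_IP_RANGE:-192.168.1.0/24}"
# Optional alternative database: export VEZA_VIEWS="<space-separated view names>"
# taken from the official commands; nothing is assumed about which views Veza needs.
if [ -n "${VEZA_VIEWS:-}" ]; then
  # shellcheck disable=SC2086  # word splitting of the view list is intended
  render_scoped_database_sql "${VEZA_DB:-veza_db}" "$VEZA_ROLE" $VEZA_VIEWS
fi
```

Run the rendered file as a role that can create users and network policies (typically ACCOUNTADMIN) and review it first; if you use the alternative database, give that database name when adding the integration to Veza, and the role owning the copied views still needs IMPORTED PRIVILEGES on the snowflake database for the views to resolve.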
Snowflake sync frequency
Veza connects to Snowflake every 6 hours to scan for changes and update the Authorization Graph. The Veza customer success team can customize the default extraction interval for your Veza deployment.
Using key pair authentication
To generate an encrypted private key with openssl:
You'll be prompted to enter and verify a passphrase. Add the '-nocrypt' option to create an unencrypted private key instead.
The output file rsa_key.p8 is the PEM-formatted private key file. Save the passphrase, which you will need when configuring Veza.
Next, generate a public key for the private key you just created:
Exclude the public key delimiters from the key file. Only include the line containing the key string, without the BEGIN and END KEY statements.
The value for RSA_PUBLIC_KEY should match the one you created.
Upload the private key file (and the passphrase, if encrypted) when configuring the Veza integration.
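The key pair procedure above, generation, stripping the BEGIN/END delimiters from the public key, and producing the ALTER USER statement that sets RSA_PUBLIC_KEY, as an added example that is not part of the original page or Veza's tooling. The file names rsa_key.p8 and rsa_key.pub follow the text; the user name veza_user and the AES-256 choice for the encrypted key are assumptions, and the fingerprint helper reproduces the comparison against the RSA_PUBLIC_KEY_FP value that DESC USER reports.

```shell
#!/bin/sh
# Added example (not Veza's or Snowflake's own script): RSA key pair for Snowflake
# key pair authentication, PEM delimiter stripping, and the registration statement.
# veza_user and the AES-256 cipher are assumptions; file names follow the docs.
set -eu

# generate_key_pair DIR [nocrypt]
# Writes DIR/rsa_key.p8 (PKCS#8 private key) and DIR/rsa_key.pub. By default
# openssl prompts for a passphrase and encrypts the key; "nocrypt" skips that
# (the -nocrypt option mentioned in the text).
generate_key_pair() {
  dir=$1 mode=${2:-encrypted}
  if [ "$mode" = "nocrypt" ]; then
    openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -inform PEM -nocrypt -out "$dir/rsa_key.p8"
  else
    openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -v2 aes256 -inform PEM -out "$dir/rsa_key.p8"
  fi
  chmod 600 "$dir/rsa_key.p8"   # this file is uploaded to Veza; keep it unreadable to others
  openssl rsa -in "$dir/rsa_key.p8" -pubout -out "$dir/rsa_key.pub" 2>/dev/null
}

# pem_body FILE
# Drops the BEGIN/END delimiter lines and joins the base64 lines into the single
# key string Snowflake expects for RSA_PUBLIC_KEY.
pem_body() {
  grep -v -e '-----BEGIN' -e '-----END' "$1" | tr -d '\n'
}

# public_key_fingerprint PUBFILE
# SHA256:<base64> of the DER-encoded public key, the format of RSA_PUBLIC_KEY_FP
# in DESC USER output, so the registered key can be verified without pasting it.
public_key_fingerprint() {
  printf 'SHA256:%s\n' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64)"
}

# render_alter_user USER PUBFILE
# Prints the statement that registers the key and the check that follows it.
render_alter_user() {
  user=$1 pubfile=$2
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$user" "$(pem_body "$pubfile")"
  printf "DESC USER %s;  -- RSA_PUBLIC_KEY_FP should equal: %s\n" "$user" "$(public_key_fingerprint "$pubfile")"
}

# Stand-alone usage:  VEZA_KEY_DIR=./keys sh veza_keypair.sh
# (add VEZA_KEY_NOCRYPT=1 to skip the passphrase). Nothing runs without VEZA_KEY_DIR.
if [ -n "${VEZA_KEY_DIR:-}" ]; then
  mkdir -p "$VEZA_KEY_DIR"
  generate_key_pair "$VEZA_KEY_DIR" "${VEZA_KEY_NOCRYPT:+nocrypt}"
  render_alter_user "${VEZA_USER:-veza_user}" "$VEZA_KEY_DIR/rsa_key.pub"
fi
```

Run the printed ALTER USER as a role that can alter the Veza user, then compare the RSA_PUBLIC_KEY_FP value from DESC USER with the fingerprint the script prints; upload rsa_key.p8 (and the passphrase, if you kept the key encrypted) to Veza and delete local copies you no longer need.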
Veza Configuration
From the Veza Configurations panel, click Add New above the list of integrations. Choose Snowflake as the integration type. Enter a friendly name to identify the account in Veza, and complete the required fields:
Retrieving Snowflake region and account locators
To configure the connection to Veza, you will need the region and account locators for the Snowflake account. You can retrieve these with the queries:
Notes and Supported Entities
Snowflake Tags
Snowflake tags are custom metadata labels that can be applied to objects such as databases, schemas, tables, and columns in Snowflake. Discovery of tags is provided as an optional feature.
To enable tag discovery, check the Extract Tags option when configuring a new Snowflake integration or editing an existing one. This option only applies to non-Standard Edition Snowflake instances.
You can review the Snowflake Tags Veza has found under Data Catalog > Tags > Snowflake Tags.
Supported Entities
The integration discovers the following entity types:
Snowflake Account
Snowflake Database
Snowflake Schema
Snowflake Table
Snowflake View
Snowflake Local User
Snowflake Local Role
Entity Properties
The metadata that Veza collects enables highly granular queries for search, rules, and workflows. To see any special properties Veza has discovered for an entity, search for the entity in Authorization Graph, click on it to open the actions sidebar, and click View Details.
The available properties depend on the provider:
A. Properties defined by the provider, collected during discovery (such as activity status, MFA status, or creation date).
B. Veza-defined system properties, such as ID, Provider ID, or Type.
C. Properties such as Full Admin and User Type, which are not necessarily defined by the provider, but derived from the properties Veza has discovered. These are intended to provide a more consistent search experience for providers with different concepts of "Administrators" or "Service Accounts."
Snowflake Local User
Veza applies the service account User Type to Snowflake users that have no password AND are configured to use an RSA public key. A Snowflake role is marked as Full Admin if it is the ACCOUNTADMIN system role. Snowflake local users are marked as Full Admin when they can assume ACCOUNTADMIN.
Cross Service Connections
When an Okta Identity Provider integration is configured, Veza discovers relationships between Okta users and groups, the Snowflake roles they can assume, and the effective permissions on each Snowflake resource.
Okta users are mapped to local Snowflake users
Okta groups are mapped to local Snowflake roles