
Snowflake
Last updated:
Jul 14, 2025
💡 This is a step by step guide to integrate Snowflake and Querio. We use key-pair authentication to create a secure, non-human, persistent connection—no OAuth refresh tokens or session timeouts.
Before you start
A Snowflake admin role with rights to create users/roles and manage grants (typically SECURITYADMIN and USERADMIN).
The RSA public key you want to associate with the Snowflake service user (2048-bit or stronger). We’ll send you this key, however, if your policy requires, you may generate your own key pair and keep the private key on your side.
1) Create a dedicated service user
What: A non-human user that Querio will use to connect (type SERVICE).
How (as USERADMIN
) execute the following SQL in a worksheet :
If the user already exists, you can ALTER USER to set the properties.
https://docs.snowflake.com/en/sql-reference/sql/create-user
Note: TYPE = SERVICE clearly identifies this as an application/service identity.
2) Create a least-privilege role and grants
What: A role with only the privileges needed to read your chosen objects.
How (as SECURITYADMIN
or ACCOUNTADMIN
) execute the following SQL in a worksheet:
Important: Follow least privilege and scope grants only to the databases/schemas you intend Querio to read. Use future grants to avoid drift.
https://docs.snowflake.com/en/user-guide/security-access-control-configure
Tip: You typically do not need OPERATE on the warehouse if AUTO_RESUME is enabled (default). Queries with USAGE can trigger auto-resume.
https://docs.snowflake.com/en/sql-reference/sql/alter-warehouse?utm_source=chatgpt.com
3) Associate the RSA public key to the service user
What: Register the public key so Snowflake can verify key-pair logins.
How (as SECURITYADMIN or a role with the proper privilege):
Note: Snowflake requires the base64 content of the public key without the -----BEGIN/END PUBLIC KEY----- lines. Use DESCRIBE USER to confirm the fingerprint.
https://docs.snowflake.com/en/user-guide/key-pair-auth
Optional – you generate the key pair internally
Store the private key securely per your policy.
4) Share the connection metadata
Provide the following to complete the connection: