
Create a Snowflake Connection

Important

If you are using Okera's policy synchronization mechanism for Snowflake policy enforcement, you must configure your Snowflake environment before you create your Snowflake connection in Okera.

To create a Snowflake connection, complete the following steps:

  1. Select Connections from the Okera UI menu. The Connections page appears.

  2. Select . The Create new connection dialog appears.

    New connection

  3. Specify a unique name for the connection in the Connection name box, select the Snowflake button under Select a storage type and then select the Next: Connection details button. The Create new Snowflake connection dialog appears.

    Snowflake connection example

  4. Provide values for these fields on the dialog:

    Warning

    Pay special attention to case and special characters when setting up Snowflake policy synchronization. Make sure the case of a Snowflake object matches the case used in your Snowflake environment. See Limitations and Case Considerations.

    • Account: Your Snowflake account name can be found in your Snowflake URL <accountname>.snowflakecomputing.com.

    • Snowflake warehouse: The Snowflake warehouse you wish to connect to. If none is specified, the default is used. The default Snowflake warehouse is the warehouse assigned to the user in Snowflake when the user was defined.

      Note: When no warehouse default is specified in Snowflake, omitting it in the Okera connection results in an error.

    • Source database: The name of the Snowflake database for the connection.

    • Schema: The name of the Snowflake schema in the database for the connection. If none is specified, the default is used. The default schema is the schema assigned to the user in Snowflake when the user was defined.

      Note: Snowflake tables should only be registered once in an Okera-synced cluster.

    • Username file: Link to your Snowflake username secret file. For more information, see Providing Secure Credentials. If you are using Snowflake policy synchronization, this should be the secret file for the Snowflake user assigned to Okera's Snowflake role (SERVICE_OKERA_ROLE). By default, this is the secret file for Snowflake user SERVICE_OKERA_USER. See Step 3. Tailor the Script.

    • Password file: Link to your Snowflake password secret file. For more information, see Providing Secure Credentials.

    • Role: If you are using Snowflake with Okera's policy synchronization enforcement, specify the Snowflake role created for Okera to use for the connection (by default SERVICE_OKERA_ROLE). See Step 3. Tailor the Script. If you are using Snowflake with pushdown processing, this field is not present.

    • Permission synchronization: Select the Synchronize permissions for all Snowflake users checkbox if you want this connection synchronized for all Snowflake users. If you only want the connection synchronized for a specific list of users, specify either a comma-separated list of Snowflake users (with no spaces) or a Snowflake tag (with an on or off tag value). You cannot specify both a tag and a list of usernames in a single connection.

      Only one tag can be specified per connection. The syntax for specifying a tag name is tag:<tag-name>:<on or off>. For example, tag:OKERA_UDFS.PUBLIC.OKERA_POLICY_SYNC_TAG:on. To learn how to set up tags for Snowflake users, see Tag Users in Snowflake.

      Policies are synced for Snowflake users with the specified usernames or with the Snowflake tag on or off as specified. Quotes are not required around user or tag names, but the case of these names must match the case of the names in Snowflake. For more information, see Limit Synchronized Users and Limitations and Case Considerations.

    • Advanced properties: Specify any of the following optional advanced properties.

      Note: Most of the advanced properties are only available if you integrate Okera with Snowflake using policy synchronization. Only the first property applies to both policy synchronization enforcement and BI gateway enforcement.

      okera.policy_sync.enabled
        Description: Indicates whether the policy synchronization enforcement mechanism should be used by the Snowflake connection.

          Important: This property should not be set by SaaS customers. By default, SaaS customers must use policy synchronization.

          For non-SaaS customers, set this option to false if you are using Snowflake pushdown processing. If you are using policy synchronization processing, set it to true.
        Default: false
        Valid values: true or false

      okera.policy_sync.scheduled
        Description: Indicates whether the scheduled automatic synchronization job is enabled. This option is only available for policy synchronization.
        Default: true
        Valid values: true or false

      okera.policy_sync.audit_logs
        Description: Indicates whether Snowflake compliance history should be logged in audit logs. This option is only available for policy synchronization. See Audit Log Processing.
        Default: true
        Valid values: true or false

      okera.policy_sync.install_artifacts
        Description: Indicates whether the Okera UDFs should be automatically installed. This option is only available for policy synchronization and should not be changed at this time.
        Default: false
        Valid values: true or false

      okera.policy_sync.user_allowed_list
        Description: UI users should no longer use this advanced property. Instead, use the Synchronize permissions for all Snowflake users checkbox and the Synchronize permissions for specific Snowflake users entry box.

          However, if you use the API to create a Snowflake connection, you can use this property to specify the Snowflake usernames or tag for which policy synchronization should occur. See Permission synchronization and Limit Synchronized Users.
        Default: ---
        Valid values: When using the API, comma-separated list of Snowflake usernames or tag names (with an on or off tag value).

  5. Test the connection to see if it works. If problems occur, verify that the Snowflake objects have been specified correctly and that the correct case has been used in the connection definition.

After the connection test runs successfully, create a crawler to register the data for the connection. See Create and Run a Crawler and Register Datasets.
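
The rules given above for Permission synchronization and the advanced properties can be checked before a connection definition is submitted through the API. The following is an added example, not Okera code: the function names are hypothetical, property values are assumed to be passed as strings, and the checker assumes `tag:` and the on/off value are lowercase as written on this page. It makes no call to Okera or Snowflake, so it cannot verify that the case of a name matches Snowflake.

```python
import re

# Boolean advanced properties from the list above (valid values: true or false).
BOOLEAN_PROPS = {"okera.policy_sync." + k for k in
                 ("enabled", "scheduled", "audit_logs", "install_artifacts")}
ALLOWED_LIST = "okera.policy_sync.user_allowed_list"
# Assumption: "tag:" and the on/off value are lowercase, as written on the page.
TAG_RE = re.compile(r"^tag:([^:\s,]+):(on|off)$")

def check_allowed_list(value):
    """Return the problems found in a user_allowed_list value (empty list = OK)."""
    if not value:
        return ["value is empty"]
    problems = []
    if re.search(r"\s", value):
        problems.append("whitespace: entries are comma-separated with no spaces")
    entries = [e.strip() for e in value.split(",")]
    if "" in entries:
        problems.append("empty entry (stray comma)")
    tags = [e for e in entries if e.startswith("tag:")]
    users = [e for e in entries if e and not e.startswith("tag:")]
    if tags and users:
        problems.append("a tag and a user list cannot share one connection")
    if len(tags) > 1:
        problems.append("only one tag can be specified per connection")
    for t in tags:
        if not TAG_RE.match(t):
            problems.append(f"bad tag {t!r}: expected tag:<tag-name>:<on or off>")
    return problems

def lint_properties(props):
    """Check a dict of advanced properties; returns {property: [problems]}."""
    report = {}
    for name, value in props.items():
        if name in BOOLEAN_PROPS and value not in ("true", "false"):
            report[name] = [f"{value!r} is not true or false"]
        elif name == "okera.policy_sync.install_artifacts" and value != "false":
            report[name] = ["the page says to leave this at its default (false)"]
        elif name == ALLOWED_LIST and check_allowed_list(value):
            report[name] = check_allowed_list(value)
    return report

if __name__ == "__main__":
    # Constructed sample: the user name and tag name are made up.
    sample = {ALLOWED_LIST: "ALICE, tag:DB.SCH.T:on", "okera.policy_sync.scheduled": "yes"}
    for prop, issues in lint_properties(sample).items():
        print(prop, "->", "; ".join(issues))
```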