Snowflake

Measured supports Snowflake as a data source using both username/password and key-pair authentication.

Note: Snowflake has deprecated password-based authentication for service accounts in many configurations. Key-pair authentication is recommended for production deployments.

Connection parameters

| Parameter | Description | Example | |---|---|---| | Account identifier | Your Snowflake account locator | xy12345.us-east-1 or myorg-myaccount | | Username | Snowflake user name | DQ_CLOUD_SVC | | Warehouse | Virtual warehouse to use | COMPUTE_WH | | Database | Default database | ANALYTICS | | Schema | Default schema | PUBLIC | | Role | Snowflake role | ANALYST_ROLE |

Account identifier format

Snowflake supports two account identifier formats:

# Legacy (account locator + region)
xy12345.us-east-1.snowflakecomputing.com

# New (organization + account name)
myorg-myaccount.snowflakecomputing.com

Use whichever format appears in your Snowflake URL.

Password authentication

snowflake://USERNAME:PASSWORD@ACCOUNT_IDENTIFIER/DATABASE/SCHEMA?warehouse=WAREHOUSE&role=ROLE

Example:

snowflake://DQ_CLOUD_SVC:mysecretpass@xy12345.us-east-1/ANALYTICS/PUBLIC?warehouse=COMPUTE_WH&role=ANALYST_ROLE

Key-pair authentication (recommended)

1. Generate a key pair

# Generate private key (no passphrase for service account use)
openssl genrsa -out rsa_key.pem 2048

# Extract public key
openssl rsa -in rsa_key.pem -pubout -out rsa_key.pub

2. Assign the public key to a Snowflake user

ALTER USER DQ_CLOUD_SVC SET RSA_PUBLIC_KEY='MIIBIjANBgkq...';

Copy the key content from rsa_key.pub, removing the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers.

3. Configure Measured

In the Measured UI, select Key-pair authentication and paste the contents of rsa_key.pem.

Or via connection string (URL-encode the private key):

snowflake://DQ_CLOUD_SVC@xy12345.us-east-1/ANALYTICS/PUBLIC?warehouse=COMPUTE_WH&role=ANALYST_ROLE&private_key_path=/path/to/rsa_key.pem

Required permissions

Create a dedicated service account with minimal permissions:

-- Create a dedicated role
CREATE ROLE DQ_CLOUD_ROLE;

-- Grant read access to the databases you want to monitor
GRANT USAGE ON DATABASE ANALYTICS TO ROLE DQ_CLOUD_ROLE;
GRANT USAGE ON SCHEMA ANALYTICS.PUBLIC TO ROLE DQ_CLOUD_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.PUBLIC TO ROLE DQ_CLOUD_ROLE;

-- Allow future tables to be accessible
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.PUBLIC TO ROLE DQ_CLOUD_ROLE;

-- Create and configure the service user
CREATE USER DQ_CLOUD_SVC
  DEFAULT_ROLE = DQ_CLOUD_ROLE
  DEFAULT_WAREHOUSE = COMPUTE_WH;

GRANT ROLE DQ_CLOUD_ROLE TO USER DQ_CLOUD_SVC;

Measured only needs SELECT access. It never writes to your warehouse.

Network policy

If your Snowflake account uses an IP allowlist, add your Measured host's egress IP to the Snowflake network policy:

ALTER NETWORK POLICY my_policy ADD ALLOWED_IP_LIST=('203.0.113.42/32');

Testing the connection

In the UI: Data Sources → your datasource → Test connection

A successful test runs a SELECT 1 against Snowflake. If this fails, check:

  1. Account identifier format (try both legacy and org formats)
  2. Network access from your Measured host
  3. User/role permissions
  4. Warehouse is not suspended (Snowflake auto-resumes, but the first query may be slow)

Troubleshooting

250001: Could not connect to Snowflake backend
Usually a wrong account identifier. Double-check the URL in your Snowflake console.

390144: JWT token is invalid
Private key mismatch. Ensure the public key assigned to the user matches the private key in Measured.

002003: SQL compilation error: Object does not exist
The user doesn't have USAGE on the database or schema. Run the grants above.