Getting Started with Snowflake
    • 25 Jan 2025
    • 3 Minutes to read
Acante's Data Access Governance platform is specifically tailored to simplify security and governance for the Snowflake platform. To integrate Acante with your Snowflake implementation, Acante provides a set of scripts that create all the necessary roles and configurations and gather the necessary metadata. Snowflake documentation: https://docs.snowflake.com/en/guides

    Deployment Prerequisites

    • Step 1 below needs to be done by the Okta admin
    • Snowflake Enterprise edition or above
    • Steps 2 and 3 need to be done by a user with Snowflake administration privileges

    Sequence of Steps

    There are 3 high-level steps:

    1. Set up the external OAuth server (OAuth 2.0) so that Acante can access Snowflake seamlessly with SSO
    2. Deploy the Acante components in Snowflake
    3. Add the configurations in the Acante UI

    1. Set up the External OAuth Server for Authentication

    We are using Okta as the Identity Provider for this example.

    Create an Okta application using the API Services method.

    Follow the steps outlined in the Okta documentation to set up your app:

    • Use Acante-Snowflake Client as the Application integration name
    • Under the General section of the client, make sure to disable the DPoP setting
    • Note the Client ID and Client Secret in the Client Credentials section

    Set up the Okta authorization server as described here:

    • Audience: Snowflake Account URL
    • Add an access policy assigning the Client created in the previous step
    • Create a rule that exposes the allowed Snowflake roles as scopes, using session:role: as the prefix. The required scopes are session:role:acante_management_role and session:role:acante_classification_role

    Note the following information for the authorization server

    • OKTA_OAUTH_ISSUER_URL (e.g. https://dev-1234567.okta.com/oauth2/abcdefghijk)
    • OKTA_OAUTH_JWKS_ENDPOINT (e.g. https://dev-1234567.okta.com/oauth2/abcdefghijk/v1/keys)
    • OKTA_OAUTH_TOKEN_ENDPOINT (e.g. https://dev-1234567.okta.com/oauth2/abcdefghijk/v1/token)

    2. Deploy the Acante Components in Snowflake

    Log in to the Acante UI

    Navigate to the Configurations --> Snowflake section and Download the Scripts.

    The downloaded folder has 2 relevant files:

    • Acante Provisioning Script: this script creates the users and the necessary resources (database, stage for metadata, etc.) and worksheet to collect metadata.
    • Discovery Module: this module collects the necessary metadata (schemas, users, configurations, and so on). It does NOT have privileges to read the actual data in your Snowflake account.

    Log in to your Snowflake account as Account Admin

    • Create the following two Snowflake objects for Acante:
      • A Snowflake Database called ACANTE_DATABASE
      • A Snowflake Internal stage called ACANTE_STAGE in this database within the PUBLIC schema.


    • Upload the Acante Provisioning Script and Discovery Module into ACANTE_STAGE under the folders acante_deployment/provisioning and acante_deployment/discovery respectively.


    • Create a SQL worksheet from the Acante Provisioning Script. Rename the worksheet to Acante_Provisioning


    • Configure the following values in the Acante Provisioning Script; the variables section at the top of the script is outlined below

    /* beginning of variables section */
    /* OAUTH configuration section */

    -- set this variable to the client ID of the application created in your IdP
    SET CLIENT_ID = '<CLIENT ID>';

    -- set this variable to the issuer URL of the authorization server created in your IdP
    SET ISSUER_URL = '<OKTA_OAUTH_ISSUER_URL>';

    -- set this variable to the JWKS URL of the authorization server created in your IdP
    SET JWS_KEYS_URL = '<OKTA_OAUTH_JWKS_ENDPOINT>';

    -- set this variable to the Snowflake Account URL
    SET ACCOUNT_URL = '<Snowflake Account URL>';

    -- set this variable to the OAuth token endpoint of the authorization server created in your IdP
    SET TOKEN_ENDPOINT_URL = '<OKTA_OAUTH_TOKEN_ENDPOINT>';

    /* ACANTE Variables Section: Modify these variables ONLY IF you want to override the defaults */

    -- ...
    /* end of common variables section */
    
    • Run the entire worksheet.

    • Note the output of this worksheet. The JSON output (Account Onboarding Parameters) will be used as a configuration in Acante.

    • Share the worksheet with other members of the DevOps team if necessary
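To make the Step 1 values concrete on the Snowflake side, here is an added example (written for this page, not Acante's provisioning script) of the External OAuth security integration those values feed into. The placeholders in angle brackets are the values noted in Step 1; the integration name, the service user name and the mapping of the token's sub claim to the user's LOGIN_NAME are assumptions (the script's CLIENT_ID variable suggests such a mapping, but the page does not show it). How the script substitutes its own SET variables is also not shown on the page, so literals are used here.

```sql
-- Added example, not the vendor's script. Names marked "assumed" are not from the page.
USE ROLE ACCOUNTADMIN;

-- External OAuth integration: Snowflake trusts Okta-issued access tokens
CREATE SECURITY INTEGRATION IF NOT EXISTS ACANTE_OKTA_OAUTH   -- assumed name
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = OKTA
  -- must equal the iss claim Okta places in its access tokens (OKTA_OAUTH_ISSUER_URL)
  EXTERNAL_OAUTH_ISSUER = '<OKTA_OAUTH_ISSUER_URL>'
  -- Snowflake fetches Okta's signing keys here to verify each token's signature (OKTA_OAUTH_JWKS_ENDPOINT)
  EXTERNAL_OAUTH_JWS_KEYS_URL = '<OKTA_OAUTH_JWKS_ENDPOINT>'
  -- must equal the Audience configured on the Okta authorization server in Step 1
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('<Snowflake Account URL>')
  -- which token claim identifies the user, and which user attribute it is matched against (assumed)
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name'
  -- DISABLE: a token may only assume the roles carried in its session:role:* scopes,
  -- i.e. exactly the two roles the Okta rule in Step 1 hands out
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE';

-- Service user for Acante. For an Okta API Services (client credentials) app the
-- token's sub claim is the client ID, so LOGIN_NAME is set to it (assumed mapping).
-- TYPE = SERVICE means the user cannot authenticate with a password at all.
CREATE USER IF NOT EXISTS ACANTE_SERVICE_USER   -- assumed name
  TYPE = SERVICE
  LOGIN_NAME = '<CLIENT ID>'
  DEFAULT_ROLE = ACANTE_CLASSIFICATION_ROLE;

-- Only the two roles named in the Okta scope rule are granted to the user
GRANT ROLE ACANTE_MANAGEMENT_ROLE     TO USER ACANTE_SERVICE_USER;
GRANT ROLE ACANTE_CLASSIFICATION_ROLE TO USER ACANTE_SERVICE_USER;

-- Confirm the properties Snowflake recorded before testing from Acante
DESC SECURITY INTEGRATION ACANTE_OKTA_OAUTH;
```

With EXTERNAL_OAUTH_ANY_ROLE_MODE set to DISABLE, a token whose scopes omit session:role:acante_management_role or session:role:acante_classification_role cannot start a session in those roles, and a token carrying a role the user has not been granted is rejected. That is why the Okta access policy and scope rule in Step 1, not the Snowflake grants alone, define what Acante can do.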

    3. Add the Configurations in the Acante UI

    Log in to the Acante UI and navigate to the Configurations page → Snowflake tab

    Click on Select Account and then Add New Account. Alternatively, you can modify the configurations of a previously configured account.

    Enter the previously gathered configurations into the input boxes:

    • Snowflake Account Identifier (from the Snowflake console)

    • Client Secret (from Step 1)

    • Account Onboarding Parameters, the JSON output from the worksheet. Copy and paste the entire JSON into the editor box

    • Press Save

    • Acante will check and confirm the connection to the account, or report any error it encountered
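Once Acante reports a successful connection, the following added example (not part of the Acante documentation) shows the checks an account admin can run in a Snowflake worksheet to verify what the onboarding produced: that the classification role used by the Discovery Module really has no access to table data, as the page states, and that the Acante user only ever authenticates with an OAuth token and only runs under the two expected roles. The integration name ACANTE_OKTA_OAUTH and user name ACANTE_SERVICE_USER are assumptions; the role names come from Step 1.

```sql
-- Added example: post-onboarding verification queries. Object names marked "assumed"
-- are not from the page; adjust them to what the provisioning script created.
USE ROLE ACCOUNTADMIN;

-- 1. Is the Acante OAuth integration present and enabled?
SHOW SECURITY INTEGRATIONS;

-- 2. Least-privilege review of the classification (discovery) role.
--    SHOW GRANTS lists every privilege; RESULT_SCAN filters the previous result
--    for anything that would let the role read row data outside ACANTE_DATABASE.
SHOW GRANTS TO ROLE ACANTE_CLASSIFICATION_ROLE;
SELECT "privilege", "granted_on", "name", "grantee_name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" = 'SELECT'
  AND "granted_on" IN ('TABLE', 'VIEW')
  AND "name" NOT ILIKE 'ACANTE_DATABASE.%';
-- Expected: zero rows, matching the page's statement that the Discovery Module
-- cannot read the actual data in the account.

-- 3. Authentication audit (ACCOUNT_USAGE views lag by up to a couple of hours).
--    Every login by the Acante user should use an OAuth access token; any other
--    factor, or repeated failures, is worth investigating.
SELECT event_timestamp, user_name, client_ip, first_authentication_factor,
       is_success, error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'ACANTE_SERVICE_USER'            -- assumed name
  AND event_timestamp > DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND (first_authentication_factor <> 'OAUTH_ACCESS_TOKEN' OR is_success = 'NO')
ORDER BY event_timestamp DESC;

-- 4. Role usage: queries run by the Acante user under any role other than the two
--    roles exposed as session:role:* scopes in Okta indicate a grant or scope drift.
SELECT role_name, COUNT(*) AS queries, MIN(start_time) AS first_seen, MAX(start_time) AS last_seen
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE user_name = 'ACANTE_SERVICE_USER'            -- assumed name
  AND start_time > DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND role_name NOT IN ('ACANTE_MANAGEMENT_ROLE', 'ACANTE_CLASSIFICATION_ROLE')
GROUP BY role_name;
-- Expected: zero rows.
```

Queries 3 and 4 are a reasonable starting point for a scheduled detection: if either returns rows, the integration is being used in a way the Step 1 access policy did not intend.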
