The Snowflake action pack contains the following actions:
  • Search Snowflake with SQL
  • Search Snowflake with Cortex

Action Pack setup instructions

Update Snowflake network policy

If your Snowflake instance has network policies configured, you will need to update them to allow connections from Glean. Without this configuration, the actions will not work. Please reach out to your Glean representatives to get the IP addresses that need to be added to your network policy allowlist.

Set up a role to use

Option 1: Create a new Snowflake role with read-only access

A role is basically a group that grants specific permissions on certain resources. You may grant a role to a user or to another role (nested roles). First, we will create a new role called GLEAN_QUERY_SNOWFLAKE_ROLE. To do this, run the following queries with the ACCOUNTADMIN role or any role that can create roles and grant access to resources such as tables and Cortex:
CREATE ROLE IF NOT EXISTS GLEAN_QUERY_SNOWFLAKE_ROLE;
Then, we will grant permissions to the required tables and access to Cortex. Here are some templated commands that you can use:
-- Grant usage to a database
GRANT USAGE ON DATABASE <SET_DATABASE_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant usage to a schema
GRANT USAGE ON SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant read access for a table
GRANT SELECT ON TABLE <SET_DATABASE_NAME>.<SET_SCHEMA_NAME>.<SET_TABLE_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant read access for all tables in a schema
GRANT SELECT ON ALL TABLES IN SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant access to Cortex.
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;
Finally, grant the role to specific users or roles:
-- Grant role access to a user.
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO USER <SET_USER_NAME>;

-- Grant role access to another role. This will apply to all users who have the role.
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO ROLE <SET_ROLE_NAME>;
You can also revoke the roles you just granted; see the Snowflake documentation.
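
To confirm that the role from Option 1 really is read-only before it is wired into the action pack, the following audit can be run in a Snowflake worksheet. It is an added example, not part of Glean's or Snowflake's documentation, and it assumes the role name GLEAN_QUERY_SNOWFLAKE_ROLE and the <SET_...> placeholders used above.

```sql
-- Added example: audit GLEAN_QUERY_SNOWFLAKE_ROLE after running the grants above.
-- Run it with a role that can view these grants (for example, the role that
-- created GLEAN_QUERY_SNOWFLAKE_ROLE).

-- 1. List every privilege granted directly to the role.
SHOW GRANTS TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- 2. Flag anything beyond what this page grants. RESULT_SCAN reads the output
--    of the SHOW command that ran immediately before this statement.
--    Rows are returned for:
--      * any privilege other than USAGE or SELECT (INSERT, UPDATE, OWNERSHIP, ...)
--      * any privilege the role could pass on to others (grant option)
--      * any nested account role, whose own privileges are inherited and need
--        a separate review
SELECT "privilege", "granted_on", "name", "grant_option"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" NOT IN ('USAGE', 'SELECT')
   OR LOWER("grant_option"::STRING) = 'true'
   OR "granted_on" = 'ROLE'
ORDER BY "granted_on", "name";

-- 3. List the users and roles that hold the role, to confirm that only the
--    intended grantees can reach the data through the action pack.
SHOW GRANTS OF ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- 4. GRANT SELECT ON ALL TABLES IN SCHEMA covers only tables that exist when
--    the statement runs. List future grants on the schema to see whether
--    tables created later will also become readable through some role.
SHOW FUTURE GRANTS IN SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME>;
```

Any row returned by step 2 is a grant beyond read-only access and should be reviewed or revoked before the role is used in the Scopes field.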

Option 2: Use an existing Snowflake role with read-only access

You can also specify an existing role in the Scopes field when setting up your Action Pack. The action then uses whatever access that role has on your Snowflake instance. For example, your Scopes field could look like:
refresh_token,session:role:GLEAN_YOUR_EXISTING_ROLE

Option 3: Use default user primary role

To use the default primary Snowflake role assigned to the authenticated user, set the Scopes field to just refresh_token.

Create a Snowflake OAuth application

We will use the CREATE SECURITY INTEGRATION command to create the OAuth application. Use the ACCOUNTADMIN role or any role that has permission to create a security integration:
-- Create the OAuth application
CREATE SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = CONFIDENTIAL
  OAUTH_REDIRECT_URI = '<copy from Glean Snowflake actions setup page>' -- Copy the callback/redirect URL from the Glean Snowflake actions setup page
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

-- Retrieve the client credentials and secret. Use these to create the action pack in the next step.
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GLEAN_QUERY_SNOWFLAKE_INTEGRATION');
Using secondary roles: If you want users to also leverage their default secondary roles, you can configure the security integration with OAUTH_USE_SECONDARY_ROLES = IMPLICIT during setup. This allows the action to utilize multiple roles that have been granted to the user.

Create Snowflake action pack

We will now set up the Snowflake action pack:
  1. Open the Glean Settings page
  2. Go to Platforms > Actions
  3. Click the Add button to create a new action
  4. Click on the Snowflake Actions box
  5. Populate the Configuration section
    1. Set the account identifier field in the configuration. You may set it to the account identifier or account locator. This information can be found by navigating to the account details. The accountIdentifier is the part before .snowflakecomputing.com in your Snowflake URL. For example, if your URL is https://abc12345.us-east-1.snowflakecomputing.com, the account identifier is abc12345.us-east-1.
    2. For the Authorization url and Token url, run the following command in Snowflake to retrieve these values:
      DESC SECURITY INTEGRATION REPLACE_WITH_YOUR_OAUTH_SECURITY_INTEGRATION_NAME;
      
      Look for the OAUTH_AUTHORIZATION_ENDPOINT and OAUTH_TOKEN_ENDPOINT fields in the response.
    3. Set the OAuth client id and client secret obtained from the previous step.
  6. Save the action.
Setup is now complete. Refer to the end user documentation on how to test this action pack in the agent builder.