> ## Documentation Index
> Fetch the complete documentation index at: https://opensre.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Snowflake

> Connect Snowflake so OpenSRE can query data warehouse and investigate analytics issues

Analytics pipelines can fail in subtle ways. OpenSRE connects to your Snowflake warehouse to help investigate issues by querying warehouse metadata, reviewing query history, checking warehouse health, and identifying performance bottlenecks.

## Before you start

You'll need:

* A Snowflake account (trial or production)
* A configured warehouse
* Snowflake credentials with appropriate permissions
* A database and schema to query
* Network access from your OpenSRE environment to Snowflake

## Connecting to Snowflake

### The guided way

For a step-by-step walkthrough:

```bash theme={null}
opensre integrations setup
```

Choose **Snowflake** and follow the prompts.

### The direct way: Environment variables

Or add these to your `.env`:

```bash theme={null}
SNOWFLAKE_ACCOUNT_IDENTIFIER=xy12345.us-east-1
SNOWFLAKE_USER=opensre_user
SNOWFLAKE_TOKEN=your_programmatic_access_token
SNOWFLAKE_PASSWORD=your_password
SNOWFLAKE_WAREHOUSE=COMPUTE_WH
SNOWFLAKE_DATABASE=analytics
SNOWFLAKE_SCHEMA=public
SNOWFLAKE_ROLE=viewer
```

| Variable                       | Default | Description                                                    |
| ------------------------------ | ------- | -------------------------------------------------------------- |
| `SNOWFLAKE_ACCOUNT_IDENTIFIER` | —       | **Required.** Snowflake account identifier                     |
| `SNOWFLAKE_ACCOUNT`            | —       | Alternative Snowflake account variable                         |
| `SNOWFLAKE_USER`               | —       | Snowflake username                                             |
| `SNOWFLAKE_TOKEN`              | —       | **Required.** Programmatic access token for API authentication |
| `SNOWFLAKE_PASSWORD`           | —       | Optional password (used alongside token where configured)      |
| `SNOWFLAKE_WAREHOUSE`          | —       | Warehouse name (for example, `COMPUTE_WH`)                     |
| `SNOWFLAKE_DATABASE`           | —       | Default database                                               |
| `SNOWFLAKE_SCHEMA`             | —       | Default schema                                                 |
| `SNOWFLAKE_ROLE`               | —       | Role with appropriate permissions                              |

<Info>
  OpenSRE requires `SNOWFLAKE_ACCOUNT_IDENTIFIER` and `SNOWFLAKE_TOKEN` to activate the integration. Generate a programmatic access token in Snowflake under your user's security settings.
</Info>

### Option 3: Persistent store

```json theme={null}
{
  "version": 1,
  "integrations": [
    {
      "id": "snowflake-prod",
      "service": "snowflake",
      "status": "active",
      "credentials": {
        "account": "xy12345.us-east-1",
        "user": "opensre_user",
        "token": "your_programmatic_access_token",
        "password": "your_password",
        "warehouse": "COMPUTE_WH",
        "database": "analytics",
        "schema": "public",
        "role": "viewer"
      }
    }
  ]
}
```

## Finding your account identifier

Snowflake account identifiers can vary depending on your region and organization setup.

1. Open the Snowflake web interface
2. Open your account or profile settings
3. Locate your account identifier
4. Use the full value for `SNOWFLAKE_ACCOUNT_IDENTIFIER`

Examples:

```text theme={null}
xy12345
xy12345.us-east-1
myorg-myaccount
myorg-myaccount.eu-west-1
```

<Info>
  Use the full account identifier shown by Snowflake. Do not remove region or organization information unless your Snowflake deployment documentation explicitly instructs you to do so.
</Info>

## Best practice: Create a dedicated role for OpenSRE

Instead of using an administrative account, create a role with only the permissions OpenSRE requires.

```sql theme={null}
CREATE ROLE opensre_viewer;

GRANT SELECT ON ALL TABLES IN DATABASE analytics TO ROLE opensre_viewer;
GRANT MONITOR ON WAREHOUSE COMPUTE_WH TO ROLE opensre_viewer;

CREATE USER opensre_user PASSWORD = 'strong_secure_password';

GRANT ROLE opensre_viewer TO USER opensre_user;
```

Then use those credentials in your OpenSRE configuration.

## Investigation tools

When OpenSRE investigates a Snowflake-related alert, this tool is available:

### Query history

Runs bounded, read-only queries against Snowflake query history to surface recent failed queries, long-running statements, and warehouse usage patterns during an incident.

## Security recommendations

* Use a dedicated Snowflake user for OpenSRE
* Grant only the permissions required for investigations
* Rotate credentials regularly
* Monitor access through Snowflake audit logs

## Test the connection

Let's verify everything is working:

```bash theme={null}
opensre integrations verify snowflake
```

Expected output:

```
Service: snowflake
Status: passed
Detail: Configured for Snowflake account xy12345.us-east-1
```

## Troubleshooting

| Symptom                        | Fix                                                                                        |
| ------------------------------ | ------------------------------------------------------------------------------------------ |
| **Missing token credentials**  | Set `SNOWFLAKE_TOKEN`. Password alone does not activate the integration.                   |
| **Invalid account identifier** | Use the full identifier from Snowflake (including region/org suffix if shown).             |
| **Warehouse suspended**        | Resume the warehouse in Snowflake or grant `OPERATE` on the warehouse to the OpenSRE role. |
| **Insufficient privileges**    | Grant `MONITOR` on the warehouse and `SELECT` on `ACCOUNT_USAGE.QUERY_HISTORY`.            |
