Integrating Snowflake
Capabilities
DataGrail's Snowflake integration provides the following capabilities:
| Product | Capability |
|---|---|
| Request Manager | Access, Deletion, Opt Out (see Technical Details below) |
| Live Data Map | Data Discovery |
Before You Start
To successfully configure this integration, please ensure you have sufficient privileges:
- DataGrail User Role: Super Admin, Connections Manager
- Snowflake User Role: Admin
- Secrets Manager: Write Access
Configure Key-Pair Authentication
Key-pair authentication with Snowflake requires an RSA public/private key pair, generated with the following steps. For more information, see Snowflake's documentation.
- Generate the private key. It is written unencrypted (-nocrypt), so restrict the file permissions and delete the local copy once the secret is stored:
  openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
- Generate the public key from it:
  openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
- Assign the public key to the agent user within Snowflake. Paste only the Base64 body of rsa_key.pub, as a quoted string, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines:
  ALTER USER {user} SET RSA_PUBLIC_KEY='{public_key}';
- Base64 encode the private key:
  openssl base64 -in rsa_key.p8 -out encoded_rsa_key.p8
- Use the Base64-encoded private key (the contents of encoded_rsa_key.p8) as the private_key value when creating the credentials below. JSON strings cannot contain raw line breaks, so join the encoded output into a single line first (openssl base64 -A does this directly).
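The steps above as a runnable script (example code added here; it is not DataGrail's documentation or tooling). It generates the key pair with the commands shown, extracts the public-key body in the exact form ALTER USER expects, encodes the private key as a single line for the JSON secret used later on this page, and computes the SHA-256 fingerprint that DESCRIBE USER reports as RSA_PUBLIC_KEY_FP, so you can confirm that the key registered in Snowflake is the one you generated. The output directory, the user name DATAGRAIL_RM_AGENT and the function names are assumptions for the example; the fingerprint recipe is Snowflake's documented openssl sequence.

```shell
#!/usr/bin/env bash
# Added example, not DataGrail's or Snowflake's own code.
# Assumed: output directory ./snowflake-keys, Snowflake user DATAGRAIL_RM_AGENT.
set -eu

# Generate an unencrypted PKCS#8 private key, its public key, and a
# single-line Base64 copy of the private key in directory $1.
# The subshell umask keeps the key files owner-readable only (0600).
gen_snowflake_keypair() {
  dir="$1"
  mkdir -p "$dir"
  (
    umask 077
    openssl genrsa 2048 2>/dev/null \
      | openssl pkcs8 -topk8 -inform PEM -out "$dir/rsa_key.p8" -nocrypt
    openssl rsa -in "$dir/rsa_key.p8" -pubout -out "$dir/rsa_key.pub" 2>/dev/null
    # -A: one line, so the value drops straight into a JSON string
    openssl base64 -A -in "$dir/rsa_key.p8" -out "$dir/encoded_rsa_key.p8"
  )
}

# The public key as ALTER USER expects it: Base64 body only, with the
# PEM header/footer lines and all line breaks removed.
snowflake_public_key_body() {
  grep -v -- '-----' "$1" | tr -d '\n'
}

# ALTER USER statement for user $1 and public key file $2.
snowflake_alter_user_sql() {
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$1" "$(snowflake_public_key_body "$2")"
}

# Fingerprint in the form DESCRIBE USER shows as RSA_PUBLIC_KEY_FP:
# SHA-256 over the DER-encoded public key, Base64, prefixed "SHA256:".
# Compare with Snowflake's value to confirm the right key was registered.
snowflake_public_key_fp() {
  der_b64=$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64 -A)
  printf 'SHA256:%s\n' "$der_b64"
}

# Stand-alone run: generate the pair and print what to paste into Snowflake.
if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
  out="${1:-./snowflake-keys}"
  gen_snowflake_keypair "$out"
  snowflake_alter_user_sql DATAGRAIL_RM_AGENT "$out/rsa_key.pub"
  echo "Expected RSA_PUBLIC_KEY_FP: $(snowflake_public_key_fp "$out/rsa_key.pub")"
  echo "private_key value for the secret: $out/encoded_rsa_key.p8"
fi
```

Run the printed ALTER USER statement in Snowflake, then run DESCRIBE USER DATAGRAIL_RM_AGENT and compare its RSA_PUBLIC_KEY_FP property with the fingerprint the script prints; a mismatch means a different key was registered (typically a stale paste or the wrong user). Because the private key is unencrypted, the secrets manager entry should become its only copy: remove the local files once the secret is stored.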
Connecting with RM Agent
The Request Manager Agent allows you to automate Data Subject Requests by connecting to internal systems within your network, and without requiring ingress from the public network.
The Agent connects to your Snowflake instance using least-privilege credentials that you create and store in a secrets manager. When configuring the Snowflake integration in DataGrail, only the location of that secrets manager entry is referenced (e.g., an AWS Secrets Manager ARN), so no secrets are shared directly with DataGrail.
Before you can connect to Snowflake, ensure the following:
- RM Agent is deployed and connected in DataGrail.
- Network is configured to allow the Agent to connect with the Snowflake instance.
Create and Store Credentials
- In Snowflake, create a new user for the agent and assign it the public key generated above. Grant only the minimum privileges needed to execute the configured request logic, for example USAGE on the warehouse, database and schema, SELECT on the tables queried for access requests, and DELETE only on the tables touched by deletion requests.
- Configure the following JSON key-value pairs:
  {
    "user": "<agent user>",
    "private_key": "<base64 encoded private key>",
    "account": "<Snowflake Account, e.g. EXA*****>",
    "warehouse": "<Snowflake Warehouse, e.g. COMPUTE_WH>",
    "database": "<Snowflake DB, e.g. SNOWFLAKE_SAMPLE_DATA>"
  }
- Store the JSON value in your secrets manager with an entry name like datagrail.rm-agent.snowflake.
- Ensure that the agent is configured to retrieve the value of this secrets manager entry.
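An added example (not DataGrail's code) that assembles the secret JSON above from the files produced in Configure Key-Pair Authentication and rejects two common mistakes before anything is written to the secrets manager: an account value that is a hostname or URL rather than the bare account identifier (assumed here, as with Snowflake's own connectors, to be what the agent expects), and an encoded private key that does not pair with the public key registered on the user. The same JSON shape is used for the RDD agent secret further down, so the script serves both. Function names, the CUSTOMER_DB placeholder and the aws CLI invocation in the note are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not DataGrail's code. Inputs are the files from the
# key-pair steps: encoded_rsa_key.p8 (single-line Base64) and rsa_key.pub.
set -eu

# Assumption: the agent wants the bare account identifier (EXA12345 or
# ORGNAME-ACCOUNTNAME), not a hostname or URL. Reject the usual slips.
validate_snowflake_account() {
  case "$1" in
    ""|*://*|*.snowflakecomputing.com*|*/*) return 1 ;;
  esac
  return 0
}

# $1: encoded private key file, $2: public key file.
# The encoded value must be one line, decode to a parseable key, and
# derive exactly the public key that was registered with ALTER USER.
validate_encoded_private_key() {
  [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1
  derived=$(openssl base64 -d -A -in "$1" | openssl pkey -pubout 2>/dev/null) || return 1
  [ "$derived" = "$(cat "$2")" ]
}

# Minimal JSON string escaping for the plain-text fields.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# $1 user, $2 account, $3 warehouse, $4 database,
# $5 encoded private key file, $6 public key file. Prints the secret JSON.
build_snowflake_secret() {
  validate_snowflake_account "$2" \
    || { echo "refusing account value '$2': use the bare account identifier" >&2; return 1; }
  validate_encoded_private_key "$5" "$6" \
    || { echo "refusing $5: not a single-line key matching $6" >&2; return 1; }
  printf '{\n  "user": "%s",\n  "private_key": "%s",\n  "account": "%s",\n  "warehouse": "%s",\n  "database": "%s"\n}\n' \
    "$(json_escape "$1")" "$(tr -d '\n' < "$5")" "$(json_escape "$2")" \
    "$(json_escape "$3")" "$(json_escape "$4")"
}

# Stand-alone run, e.g.:
#   bash build_secret.sh DATAGRAIL_RM_AGENT EXA12345 COMPUTE_WH CUSTOMER_DB \
#        ./snowflake-keys/encoded_rsa_key.p8 ./snowflake-keys/rsa_key.pub > secret.json
if [ "${BASH_SOURCE:-$0}" = "$0" ] && [ "$#" -eq 6 ]; then
  build_snowflake_secret "$@"
fi
```

Write the output to a file and hand it to your secrets manager without echoing it into shell history, for example with AWS Secrets Manager: aws secretsmanager create-secret --name datagrail.rm-agent.snowflake --secret-string file://secret.json (the ARN it returns is the Credentials Location entered in DataGrail). Delete secret.json afterwards.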
Add the Agent Integration
- In DataGrail, navigate to Agents and select your Agent.
- In the top right, select Add New Integration and search for Snowflake.
- Under Enabled Capabilities and Enabled Identifiers, select only those that will be used for this integration.
- Enter the Credentials Location (e.g. AWS Secrets Manager ARN).
- Select the Data Retrieval behavior for deletion requests.
warning
When using Retrieve Data, the data reviewed may not be exactly what is deleted, because the access and deletion logic execute separately.
- Under Agent Query Configuration, add request logic to be executed within Snowflake for all enabled request types.
- Finally, select Configure Integration. Wait a few moments to ensure that the connection is successful. For failed connections, review the Agent container logs for additional details.
Connecting with RDD Agent
The Responsible Data Discovery Agent allows you to securely perform data classification by connecting to internal systems within your network, and without requiring ingress from the public network.
For the Agent to scan your Snowflake instance, read-only credentials are created and stored in a vault on your network. When configuring the Snowflake integration in DataGrail, only the location of that vault entry is referenced (e.g., an AWS Secrets Manager ARN), so no secrets are shared directly with DataGrail.
In order to start scanning Snowflake, ensure the following:
- RDD Agent is deployed and connected in DataGrail.
- Network is configured to allow the Agent to connect with the Snowflake instance.
Create and Store Credentials
- In Snowflake, create a new read-only user (e.g., datagrail-rdd-agent) and assign it the public key generated above. Grant it USAGE on the warehouse, database and schemas to be scanned and SELECT on the tables to be classified, and nothing that can modify data. Consult Snowflake's documentation as needed.
- Configure the following JSON key-value pairs:
  {
    "user": "<agent user>",
    "private_key": "<base64 encoded private key>",
    "account": "<Snowflake Account, e.g. EXA*****>",
    "warehouse": "<Snowflake Warehouse, e.g. COMPUTE_WH>",
    "database": "<Snowflake DB, e.g. SNOWFLAKE_SAMPLE_DATA>"
  }
- Store the JSON value in your vault with an entry name like datagrail-rdd-agent-snowflake.
- Ensure that the agent is configured to retrieve the value of this vault entry.
Add the Agent Integration
- In DataGrail, navigate to Agents under Integration network.
- Select your Agent.
- In the top right, select Add New Integration.
- Search for Snowflake, then select Configure.
- Enter an Integration Name, and only enable the Data Discovery capability.
- Enter the Credentials Location (e.g. AWS Secrets Manager ARN).
- (optional) Choose the Business Processes, Region, and System Location.
- Finally, select Configure Integration. Wait a few moments to ensure that the connection is successful. For failed connections, review the Agent container logs for additional details.
Troubleshooting
If you are unable to successfully connect the integration, review these common troubleshooting steps:
Agent Unable to Connect to Snowflake
- Verify that the network is configured to allow the Agent to connect with the Snowflake instance.
- Verify the Agent has permissions to access the Snowflake credentials stored in your vault.
Agent is Not Connected in DataGrail
- Confirm that the Agent is running and that its logs do not indicate any errors.
- Confirm that the DataGrail API Key used by the Agent is valid and not expired.
- Confirm that the Agent has permissions to access the DataGrail API Key stored in your vault.
- Confirm that network egress is permitted from the Agent to your DataGrail domain.
Technical Details
| Access Type | Synchronous |
|---|---|
| Deletion Type | Synchronous (Whole Record) |
| Opt Out Type | Synchronous |
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.