Snowflake

About this document


This document provides the step-by-step procedure to configure Snowflake in SAFE.

Introduction


SAFE integrates with Snowflake and fetches the security misconfigurations of the Snowflake account into SAFE.

Prerequisites


  • Access required in SAFE:

    • SAFE Admin Access

  • Access required in Snowflake:

    • Snowflake Admin Account

  • Required User Inputs:

    • API Instance URL

    • Client ID

    • Client Secret

    • Refresh Token

    • Asset Name in SAFE (optional)

  • Scope:

    • Manage Grants

    • Import Share

Generate Connection Details


  • How to generate Client ID and Client Secret

    • Log in to the Snowflake dashboard as an Admin.

    • On the worksheets page, click on the + button and select SQL Worksheet.

    • Name the worksheet.

    • Run the following queries:

      • Using the Account Admin role, create a new user with the Safe_Rbac role. Run the commands below line by line. A success message is displayed after each successful execution.

        USE ROLE ACCOUNTADMIN;
        
        //Create a user (change the password) and a role with manage grants and import shares permissions
        CREATE OR REPLACE ROLE Safe_Rbac;
        CREATE OR REPLACE USER <username> PASSWORD='userpass' EMAIL='user@domain.com' DEFAULT_ROLE = Safe_Rbac;
        GRANT MANAGE GRANTS, IMPORT SHARE ON ACCOUNT TO ROLE Safe_Rbac;
        GRANT ROLE Safe_Rbac TO USER <username>;

      • Create an OAuth security integration to authenticate the user that sends the requests.

        //Create an OAuth security integration
        CREATE OR REPLACE SECURITY INTEGRATION SAFE_INTEGRATION_CLIENT
          TYPE = OAUTH
          ENABLED = TRUE
          OAUTH_CLIENT = CUSTOM
          OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
          OAUTH_REDIRECT_URI = 'https://us.safeone.ai/callback'
          OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

      • Use the DESC command to retrieve the OAuth Authorization Endpoint, OAuth Token Endpoint, and OAuth Client ID. Copy and save these values; you will use them to create the refresh token and while onboarding Snowflake in SAFE.

        DESC SECURITY INTEGRATION SAFE_INTEGRATION_CLIENT;

      • The base URL of the Authorization/Token endpoint is used as the API Instance URL. Copy and save the Instance URL to use while onboarding Snowflake in SAFE (e.g., https://myaccount.us-west-2.snowflakecomputing.com).

      • Generate the OAuth Client Secret by using the SHOW_OAUTH_CLIENT_SECRETS command. Copy and save the Client Secret to use while onboarding Snowflake in SAFE.

        SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS( 'SAFE_INTEGRATION_CLIENT' );

    • How to generate Refresh token:

      • Generate the code grant value using the previously generated values.

      • You need to send the Client ID and Redirect URL in URL-encoded format (you can use any online URL encoder), as in the following URL:

        <OAUTH_AUTHORIZATION_ENDPOINT>?response_type=code&client_id=<OAUTH_CLIENT_ID Encoded>&redirect_uri=<Redirect URI Encoded>

      • While requesting the URL you will be asked to log in using the USERNAME and PASSWORD created in the first step. After successful login, allow the prompt to provide the required permissions.

      • You will be presented with a 404 Not Found page. Do not close the tab and check the URL bar carefully. You will find the code value as shown in the exhibit below.

      • Using the retrieved grant value, generate the Refresh token using the following curl command. Save the refresh token for onboarding Snowflake on SAFE.

        curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
        --user "<OAUTH_CLIENT_ID Encoded>:<OAUTH_CLIENT_SECRET Encoded>" \
        --data-urlencode "grant_type=authorization_code" \
        --data-urlencode "code=<Auth Code Grant from Step4>" \
        --data-urlencode "redirect_uri=<OAUTH_REDIRECT_URI>" \
        <OAUTH_TOKEN_ENDPOINT>

      • It's important to regularly update the Token in SAFE according to its expiration date.
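
The encoding and code-extraction steps above can be done locally, so the Client ID never has to be pasted into a third-party encoder. The following Python is an added example, not part of the SAFE or Snowflake documentation: the function names are hypothetical, the sample endpoint and Client ID are constructed, and the `refresh_token_expires_in` response field is an assumption to check against the actual token response.

```python
from datetime import timedelta
from urllib.parse import parse_qs, quote, urlencode, urlsplit

def instance_url(endpoint):
    """Base URL of the authorization/token endpoint: the API Instance URL."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("endpoint must be an absolute https URL")
    return f"https://{parts.netloc}"

def build_authorize_url(authorization_endpoint, client_id, redirect_uri):
    """Percent-encode client_id and redirect_uri locally (no online encoder)."""
    query = urlencode(
        {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri},
        quote_via=quote, safe="",
    )
    return f"{authorization_endpoint}?{query}"

def extract_code(callback_url, redirect_uri):
    """Return the code from the address-bar URL of the 404 page."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("URL does not match the registered redirect URI")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def refresh_token_expiry(token_response, issued_at):
    """Expiry time of the refresh token, so it can be replaced in SAFE in time.
    Assumption: the token response has refresh_token_expires_in, in seconds."""
    return issued_at + timedelta(seconds=int(token_response["refresh_token_expires_in"]))

# Constructed sample values (not real credentials or endpoints).
AUTH_EP = "https://myaccount.us-west-2.snowflakecomputing.com/oauth/authorize"
REDIRECT = "https://us.safeone.ai/callback"
CLIENT_ID = "AbC+dEf/123="

if __name__ == "__main__":
    print(instance_url(AUTH_EP))
    print(build_authorize_url(AUTH_EP, CLIENT_ID, REDIRECT))
    print(extract_code(REDIRECT + "?code=CONSTRUCTED-CODE", REDIRECT))
```
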

Configure Snowflake in SAFE


  • Log in to your SAFE account as Admin.

  • Click on the Integrations option from the left navigation.

  • Scroll to find the Snowflake integration card or search for Snowflake in the search bar.

  • Hover over the Snowflake integration card and click on the Configure button.

  • Enter the following:

    • API Instance URL

    • Client ID

    • Client Secret

    • Refresh Token

    • Asset Name in SAFE (optional) - Provide a unique identifier for the asset.

  • Enter the Auto Sync Frequency.

  • Click on the Test Connection button.

  • Once the connection is successful, click on the Save button.

  • Once the configuration is saved successfully, click on the Sync Now button to trigger an on-demand sync.

  • Upon a successful sync, the system pulls the Snowflake assets and their findings into SAFE. You can track the status of the sync in the History table.

View Results


  • Go to the integration homepage.

  • Scroll to find the Snowflake integration card or search for Snowflake in the search bar.

  • Click on the Snowflake integration card for Finding View and Asset View.

    • Finding View: This tab displays the details of all findings pulled from Snowflake.

    • Asset View: This tab displays all the assets pulled from Snowflake.

History


Learn more about Integration History here.

SAFE's Outgoing IP Addresses


Click here to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.

