---
title: "Snowflake"
slug: "snowflake"
updated: 2024-04-26T08:21:26Z
published: 2024-04-26T08:21:26Z
---


# Snowflake

## About this document

---

This document provides the step-by-step procedure to configure Snowflake in SAFE.

## Introduction

---

SAFE integrates with Snowflake and fetches the security misconfigurations of the Snowflake account into SAFE.

## Prerequisites

---

- Access required in **SAFE**:
  - SAFE Admin Access
- Access required in **Snowflake**:
  - Snowflake Admin Account
- Required User Inputs:
  - API Instance URL
  - Client ID
  - Client Secret
  - Refresh Token
  - Asset Name in SAFE (optional)
- Scope:
  - Manage Grants
  - Import Share

## Generate Connection Details

---

- How to generate Client ID and Client Secret
  - Login to the Snowflake dashboard as an **Admin**.
  - On the worksheets page, click on the **+** button and select SQL Worksheet.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/1(18).png)
  - Name the worksheet.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/2(16).png)
  - Run the following query
    - Using the Account Admin role, create a new user with the Safe_Rbac role. Run the commands below line by line. A success message is displayed after each successful execution.

```plaintext
USE ROLE ACCOUNTADMIN;

//Create a user (change the password) and a role with manage grants and import shares permissions
CREATE OR REPLACE ROLE Safe_Rbac;
CREATE OR REPLACE USER <username> PASSWORD='userpass' EMAIL='user@domain.com' DEFAULT_ROLE = Safe_Rbac;
GRANT MANAGE GRANTS, IMPORT SHARE ON ACCOUNT TO ROLE Safe_Rbac;
GRANT ROLE Safe_Rbac TO USER <username>;
```

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/3(15).png)
    - Create an OAuth integration for authenticating the user to send the request

```plaintext
//Create an OAuth security integration
CREATE OR REPLACE SECURITY INTEGRATION SAFE_INTEGRATION_CLIENT
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://us.safeone.ai/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE;
```

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/4(13).png)
    - Use the **DESC** command to retrieve the **OAuth Authorization Endpoint**, **OAuth Token Endpoint**, and **OAuth Client ID**. **Copy** and **save** these values; you need them to create the refresh token and to onboard Snowflake in SAFE.
    - The base URL of the Authorization/Token endpoint is used as the API Instance URL. Copy and save the Instance URL for onboarding Snowflake in SAFE (e.g., [https://myaccount.us-west-2.snowflakecomputing.com](https://myaccount.us-west-2.snowflakecomputing.com)).

```plaintext
DESC SECURITY INTEGRATION SAFE_INTEGRATION_CLIENT;
```

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/5(15).png)
    - Generate the **OAuth Client Secret** by using the **SHOW_OAUTH_CLIENT_SECRETS** command. **Copy** and **save** the Client Secret for onboarding Snowflake in SAFE.

```plaintext
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS( 'SAFE_INTEGRATION_CLIENT' );
```

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/6(15).png)
  - How to generate **Refresh token:**
    - Next, generate the authorization code grant value using the previously generated values.
    - You need to send the Client ID and Redirect URL in **URL Encoded** format. You can use any online URL encoder, such as the [following](https://www.urlencoder.org/).

```plaintext
<OAUTH_AUTHORIZATION_ENDPOINT>?response_type=code&client_id=<OAUTH_CLIENT_ID Encoded>&redirect_uri=<Redirect URI Encoded>
```
    - When you request the URL, you will be asked to log in using the **USERNAME** and **PASSWORD** created in the first step. After a successful login, allow the prompt to provide the required permissions.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/7(13).png)

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/8(15).png)
    - You will be presented with a 404 Not Found page. Do not close the tab; check the URL bar carefully. The code value appears there, as shown in the image below.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/9(15).png)
    - Using the retrieved grant value, generate the **Refresh token** with the following curl command. **Save** the refresh token for onboarding Snowflake in SAFE.
    - It is important to regularly update the token in SAFE according to its expiration date.

```plaintext
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--user "<OAUTH_CLIENT_ID Encoded>:<OAUTH_CLIENT_SECRET Encoded>" \
--data-urlencode "grant_type=authorization_code" \
--data-urlencode "code=<Auth Code Grant from Step4>" \
--data-urlencode "redirect_uri=<OAUTH_REDIRECT_URI>" \
<OAUTH_TOKEN_ENDPOINT>
```

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/10(13).png)
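
The URL-encoding, authorization URL and code-extraction steps above can also be done locally, so the Client ID and the returned code never leave your machine. This is an added example, not part of the SAFE or Snowflake documentation; the endpoint, Client ID and callback values are constructed samples and the function names are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values; use the output of DESC SECURITY INTEGRATION instead.
AUTH_ENDPOINT = "https://myaccount.us-west-2.snowflakecomputing.com/oauth/authorize"
CLIENT_ID = "AbC+dEf/123="  # constructed; shows why encoding is needed (+ / =)
REDIRECT_URI = "https://us.safeone.ai/callback"


def instance_url(endpoint):
    """Base URL (scheme + host) of the endpoint, used as the API Instance URL."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("endpoint must be an absolute https URL")
    return f"{parts.scheme}://{parts.netloc}"


def authorization_url(endpoint, client_id, redirect_uri):
    """Build the browser URL; urlencode percent-encodes both values locally."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    return f"{endpoint}?{query}"


def extract_code(callback_url, redirect_uri):
    """Return the code from the URL shown on the 404 page after consent."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback URL does not match the registered redirect URI")
    params = parse_qs(got.query)  # blank values are dropped by default
    if "error" in params:
        # Standard OAuth error response, e.g. the user denied the prompt.
        raise RuntimeError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one non-empty code parameter")
    return codes[0]


if __name__ == "__main__":
    print(instance_url(AUTH_ENDPOINT))
    print(authorization_url(AUTH_ENDPOINT, CLIENT_ID, REDIRECT_URI))
    print(extract_code("https://us.safeone.ai/callback?code=SAMPLECODE", REDIRECT_URI))
```

Treat the extracted code and the resulting refresh token as credentials: keep them out of shared worksheets, tickets and chat.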

## Configure Snowflake in SAFE

---

- Log in to your SAFE account as **Admin**.
- Click on the **Integrations** option from the left navigation.
- Scroll to find the Snowflake integration card or search for Snowflake in the search bar.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/11(11).png)
- Hover over the **Snowflake** integration card and click on the **Configure** button.
- Enter the following:
  - **API Instance URL**
  - **Client ID**
  - **Client Secret**
  - **Refresh Token**
  - **Asset Name in SAFE (optional)** - Provide a unique identifier that identifies the asset.
- Enter the **Auto Sync Frequency**.
- Click on the **Test Connection** button.
- Once the connection is successful, click on the **Save** button.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/12(10).png)
- Once the configuration is saved successfully, click on the **Sync Now** button to trigger an on-demand sync.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/13(8).png)
- Upon a successful sync, the system pulls the Snowflake assets and their findings into SAFE. You can track the status of the sync in the **History** table.

## View Results

---

- Go to the integration homepage.
- Scroll to find the Snowflake integration card or search for Snowflake in the search bar.
- Click on the Snowflake integration card for **Finding View** and **Asset View**.
  - **Finding View:** This tab displays the details of all findings pulled from Snowflake.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/14(6).png)
  - **Asset View:** This tab displays all the assets pulled from Snowflake.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/15(5).png)

## History

---

Learn more about Integration History [here](https://docs.safe.security/safe-4/docs/integration-history).

## SAFE's Outgoing IP Addresses

---

Click [here](https://docs.safe.security/safe-4/docs/safes-outgoing-ip-addresses) to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.
