Snowflake

This guide covers how to configure Snowflake as a warehouse in SignalSmith, including account setup, authentication options, and required permissions.

Prerequisites

A Snowflake account with at least one warehouse
A Snowflake user with read access to the data you want to sync
Network access from SignalSmith to your Snowflake account (IP allowlisting may be required)

Connection Configuration

Required Fields

Field	Description	Example
Account	Your Snowflake account identifier, including the region and cloud platform	`xy12345.us-east-1`, `myorg-myaccount`
Warehouse	The compute warehouse to use for queries	`COMPUTE_WH`
Database	The database containing your data	`ANALYTICS`
Schema	The default schema to use	`PUBLIC`

Account Identifier

The account identifier is the most common point of confusion. It varies by Snowflake deployment:

# Standard format
<account_locator>.<region>.<cloud>

# Examples
xy12345.us-east-1           # AWS US East
xy12345.us-east-1.aws       # AWS US East (explicit)
xy12345.west-us-2.azure     # Azure West US 2
xy12345.us-central1.gcp     # GCP US Central

# Organization-based (preferred for new accounts)
<org_name>-<account_name>
myorg-production

You can find your account identifier in the Snowflake web UI under Admin > Accounts, or by running:

SELECT CURRENT_ACCOUNT(), CURRENT_REGION();

Warehouse

Specify the virtual warehouse SignalSmith should use for running queries. The warehouse must be accessible to the configured user and should have auto-resume enabled.

Recommendations:

Use a dedicated warehouse (e.g., SIGNALSMITH_WH) to isolate query costs
X-Small or Small size is sufficient for most workloads
Enable auto-suspend (5 minutes) and auto-resume to control costs

-- Create a dedicated warehouse for SignalSmith
CREATE WAREHOUSE SIGNALSMITH_WH
  WAREHOUSE_SIZE = 'X-SMALL'
  AUTO_SUSPEND = 300
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE;

Authentication

SignalSmith supports two authentication methods for Snowflake.

Username and Password

The simplest option. Provide a Snowflake username and password.

Field	Description
Username	The Snowflake login name
Password	The password for the user

Key Pair Authentication

For stronger security, use RSA key pair authentication. This eliminates the need to store a password and is recommended for production environments.

Step 1: Generate a key pair

# Generate a 2048-bit RSA private key (encrypted)
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 aes256 \
  -inform PEM -out rsa_key.p8
 
# Generate the public key from the private key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

Step 2: Register the public key with Snowflake

ALTER USER CDP_USER SET RSA_PUBLIC_KEY='MIIBIjANBgkqh...';

Copy the public key contents (without the BEGIN/END headers) when running this command.

Step 3: Configure in SignalSmith

Field	Description
Username	The Snowflake login name
Private Key	The PEM-encoded private key (contents of `rsa_key.p8`)
Private Key Passphrase	The passphrase used to encrypt the private key (if encrypted)

Required Permissions

Create a dedicated user and role for SignalSmith with minimal required permissions:

-- Create a role for SignalSmith
CREATE ROLE CDP_ROLE;
 
-- Grant warehouse usage
GRANT USAGE ON WAREHOUSE SIGNALSMITH_WH TO ROLE CDP_ROLE;
 
-- Grant database access
GRANT USAGE ON DATABASE ANALYTICS TO ROLE CDP_ROLE;
 
-- Grant schema access
GRANT USAGE ON SCHEMA ANALYTICS.PUBLIC TO ROLE CDP_ROLE;
 
-- Grant read access to all current tables
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.PUBLIC TO ROLE CDP_ROLE;
 
-- Grant read access to future tables (so new tables are automatically accessible)
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.PUBLIC TO ROLE CDP_ROLE;
 
-- Grant read access to views
GRANT SELECT ON ALL VIEWS IN SCHEMA ANALYTICS.PUBLIC TO ROLE CDP_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA ANALYTICS.PUBLIC TO ROLE CDP_ROLE;
 
-- Create the user
CREATE USER CDP_USER
  PASSWORD = 'strong-password-here'
  DEFAULT_ROLE = CDP_ROLE
  DEFAULT_WAREHOUSE = SIGNALSMITH_WH
  MUST_CHANGE_PASSWORD = FALSE;
 
-- Assign the role
GRANT ROLE CDP_ROLE TO USER CDP_USER;

Multiple Schemas

If your data spans multiple schemas, grant access to each:

GRANT USAGE ON SCHEMA ANALYTICS.MARKETING TO ROLE CDP_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.MARKETING TO ROLE CDP_ROLE;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.MARKETING TO ROLE CDP_ROLE;

Models can query across schemas using fully-qualified table names (e.g., MARKETING.CAMPAIGNS), even if the source’s default schema is set to PUBLIC.

Network Configuration

If your Snowflake account has a network policy restricting access by IP address, you must add SignalSmith’s IP addresses to the allowlist.

-- Add SignalSmith IPs to your network policy
ALTER NETWORK POLICY my_policy SET
  ALLOWED_IP_LIST = ('existing-ip', 'signalsmith-ip-1', 'signalsmith-ip-2');

Contact SignalSmith support for the current list of egress IP addresses.

Identifier Casing

Snowflake treats unquoted identifiers as uppercase. SignalSmith normalizes all identifiers (database, schema, table, column names) to match Snowflake’s conventions. When writing models, you can use any casing in your SQL — SignalSmith handles the translation.

-- These are all equivalent in Snowflake
SELECT customer_id FROM customers;
SELECT CUSTOMER_ID FROM CUSTOMERS;
SELECT Customer_Id FROM Customers;

If you have identifiers that were created with double-quote casing (e.g., "myColumn"), you’ll need to use the exact quoted form in your model SQL.

Example Configuration

Here’s a complete example using the API:

curl -X POST https://your-workspace.signalsmith.dev/api/v1/sources \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Snowflake",
    "type": "snowflake",
    "config": {
      "account": "myorg-production",
      "warehouse": "SIGNALSMITH_WH",
      "database": "ANALYTICS",
      "schema": "PUBLIC",
      "username": "CDP_USER",
      "password": "your-password"
    }
  }'

Troubleshooting

Issue	Solution
”Account identifier not recognized”	Verify the account format includes region (e.g., `xy12345.us-east-1`)
“Warehouse ‘X’ does not exist or is not authorized”	Check the warehouse name and that the role has `USAGE` on it
”Database ‘X’ does not exist or is not authorized”	Verify the database name and role permissions
”Connection timed out”	Snowflake may be blocked by a network policy — add SignalSmith IPs
Queries are slow or timing out	Consider increasing the warehouse size or using a dedicated warehouse
”User is locked”	Too many failed login attempts — unlock via `ALTER USER ... SET MINS_TO_UNLOCK = 0`

Next Steps

Create a model using your Snowflake warehouse
Configure column types for your model
Set up a sync to activate your data

Testing Connections BigQuery