Snowflake

Step 1: Create service account and provision a Personal Access Token

Create a service account with read-only permissions to your database. Here's a quick script you can run yourself. It provisions a new user called AI_ANALYST_USER and grants it the role AI_ANALYST_ROLE.

```sql
-- =======================================================
-- 1. ROLE + USER for the AI tool (least-privilege, read-only)
-- =======================================================
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS AI_ANALYST_ROLE;

CREATE USER IF NOT EXISTS AI_ANALYST_USER
  TYPE              = SERVICE                    -- service user, no password login
  DEFAULT_ROLE      = AI_ANALYST_ROLE
  DEFAULT_WAREHOUSE = <<YOUR_WAREHOUSE>>         -- e.g. COMPUTE_WH
  DEFAULT_NAMESPACE = <<YOUR_DB>>.<<YOUR_SCHEMA>>
  COMMENT           = 'Service user for Actioneer';

GRANT ROLE AI_ANALYST_ROLE TO USER AI_ANALYST_USER;

-- =======================================================
-- 2. PRIVILEGES (warehouse + read on all tables/views)
-- =======================================================
GRANT USAGE ON WAREHOUSE <<YOUR_WAREHOUSE>>     TO ROLE AI_ANALYST_ROLE;
GRANT USAGE ON DATABASE  <<YOUR_DB>>            TO ROLE AI_ANALYST_ROLE;
GRANT USAGE ON ALL SCHEMAS IN DATABASE <<YOUR_DB>> TO ROLE AI_ANALYST_ROLE;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <<YOUR_DB>> TO ROLE AI_ANALYST_ROLE;
GRANT SELECT ON ALL TABLES    IN DATABASE <<YOUR_DB>> TO ROLE AI_ANALYST_ROLE;
GRANT SELECT ON FUTURE TABLES IN DATABASE <<YOUR_DB>> TO ROLE AI_ANALYST_ROLE;
GRANT SELECT ON ALL VIEWS     IN DATABASE <<YOUR_DB>> TO ROLE AI_ANALYST_ROLE;
GRANT SELECT ON FUTURE VIEWS  IN DATABASE <<YOUR_DB>> TO ROLE AI_ANALYST_ROLE;

-- =======================================================
-- 3. NETWORK POLICY — whitelist the AI tool's IP
-- =======================================================
USE ROLE SECURITYADMIN;

CREATE NETWORK RULE IF NOT EXISTS AI_ANALYST_INGRESS_RULE
  TYPE       = IPV4
  MODE       = INGRESS
  VALUE_LIST = ('35.244.14.238/32');

CREATE NETWORK POLICY IF NOT EXISTS AI_ANALYST_NETWORK_POLICY
  ALLOWED_NETWORK_RULE_LIST = ('AI_ANALYST_INGRESS_RULE');

-- =======================================================
-- 4. AUTH POLICY — required for PAT (MFA replacement)
-- =======================================================
CREATE AUTHENTICATION POLICY IF NOT EXISTS AI_ANALYST_AUTH_POLICY
  AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN');

-- Bind both policies to the user (NOT account-wide)
ALTER USER AI_ANALYST_USER SET NETWORK_POLICY = AI_ANALYST_NETWORK_POLICY;
ALTER USER AI_ANALYST_USER SET AUTHENTICATION POLICY AI_ANALYST_AUTH_POLICY;

-- =======================================================
-- 5. GENERATE THE PAT — copy the secret immediately
-- =======================================================
ALTER USER AI_ANALYST_USER ADD PROGRAMMATIC ACCESS TOKEN AI_ANALYST_PAT
  ROLE_RESTRICTION = 'AI_ANALYST_ROLE'
  DAYS_TO_EXPIRY   = 365
  COMMENT          = 'Token for external AI data analyst tool';

-- ⚠️ Copy token_secret from the result row. Snowflake will NEVER show it again.
```
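To confirm that the setup matches what the script's comments claim (read-only grants, policies bound to the user only, one role-restricted token), a verification pass like the following can be run afterwards. This is an added example, not part of Actioneer's script; it assumes the object names used above, the same `<<YOUR_DB>>` placeholder, and a session role that can see these objects.

```sql
-- Added verification example (not part of the original setup script).
-- Assumes the object names created above; run it in the same database and
-- schema context in which the network rule and authentication policy were created.
USE ROLE ACCOUNTADMIN;

-- 1. Least privilege: the role should hold only USAGE and SELECT.
SHOW GRANTS TO ROLE AI_ANALYST_ROLE;
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" NOT IN ('USAGE', 'SELECT');    -- expect zero rows

-- 2. Future grants should likewise be limited to USAGE and SELECT.
SHOW FUTURE GRANTS IN DATABASE <<YOUR_DB>>;
SELECT "privilege", "grant_on", "grantee_name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "grantee_name" = 'AI_ANALYST_ROLE'
  AND "privilege" NOT IN ('USAGE', 'SELECT');    -- expect zero rows

-- 3. The service user should hold AI_ANALYST_ROLE and no other role.
SHOW GRANTS TO USER AI_ANALYST_USER;
SELECT "role"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "role" <> 'AI_ANALYST_ROLE';               -- expect zero rows

-- 4. User properties: TYPE should be SERVICE and NETWORK_POLICY should be
--    AI_ANALYST_NETWORK_POLICY (set on the user, not account-wide).
DESCRIBE USER AI_ANALYST_USER;
SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('TYPE', 'DEFAULT_ROLE', 'NETWORK_POLICY');

-- 5. The ingress rule should list only the single /32 from the script,
--    and the authentication policy should allow only PROGRAMMATIC_ACCESS_TOKEN.
DESCRIBE NETWORK RULE AI_ANALYST_INGRESS_RULE;
DESCRIBE AUTHENTICATION POLICY AI_ANALYST_AUTH_POLICY;

-- 6. Token inventory: expect one token, AI_ANALYST_PAT, restricted to
--    AI_ANALYST_ROLE. Record its expiry so it can be replaced before
--    the 365 days run out.
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER AI_ANALYST_USER;
```

Any row returned by checks 1 to 3 means the role or user holds more than the read-only access the script intends, for example from grants made before the script was run.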

Step 2: Fill in the onboarding form with the following details:

| Field | Sample | Where to find |
| --- | --- | --- |
| Connection Name | Anything descriptive | n/a |
| Host | myorg-prod123.snowflakecomputing.com | Account Name > Details > Account URL (first part) |
| Port | 443 | n/a |
| Database Name | Default Namespace | n/a |
| User Name | AI_ANALYST_USER | Fill from previous code block |
| Password | Leave blank | n/a |
| Personal Access Token | Fill from previous code block | n/a |
| SSH Tunnel | Not needed | Snowflake filters from the ingress policy we set earlier in the code block |

There you go, Snowflake onboarded!