
Linking Snowflake as a Source

This guide walks through connecting a Snowflake account to Actioneer. The setup creates a dedicated, least-privilege service user with a Programmatic Access Token (PAT) and locks it to Actioneer’s IP address.
  
  Prerequisites  Snowflake account with ACCOUNTADMIN access, Actioneer account
  Access granted  SELECT queries on specified tables and views
  Estimated time  ~20 minutes
  Actioneer IP  35.244.14.238
The service user created below holds only SELECT and USAGE grants — no write, delete, or DDL permissions.

Step 1: Run the setup script in Snowflake

This script creates a read-only service user (AI_ANALYST_USER), grants it SELECT access to your database, restricts connections to Actioneer’s IP, and configures PAT authentication.

Open a Snowflake SQL worksheet. Replace the three <<placeholders>> with your actual values and run the entire block as ACCOUNTADMIN.

-- 1. ROLE + USER (least-privilege, read-only)
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS AI_ANALYST_ROLE;

CREATE USER IF NOT EXISTS AI_ANALYST_USER
  TYPE              = SERVICE
  DEFAULT_ROLE      = AI_ANALYST_ROLE
  DEFAULT_WAREHOUSE = <<YOUR_WAREHOUSE>>
  DEFAULT_NAMESPACE = <<YOUR_DB>>.<<YOUR_SCHEMA>>
  COMMENT           = 'Service user for Actioneer';

GRANT ROLE AI_ANALYST_ROLE TO USER AI_ANALYST_USER;

-- 2. PRIVILEGES (warehouse + read on all tables/views)
GRANT USAGE  ON WAREHOUSE  <<YOUR_WAREHOUSE>>              TO ROLE AI_ANALYST_ROLE;
GRANT USAGE  ON DATABASE   <<YOUR_DB>>                     TO ROLE AI_ANALYST_ROLE;
GRANT USAGE  ON ALL SCHEMAS       IN DATABASE <<YOUR_DB>>  TO ROLE AI_ANALYST_ROLE;
GRANT USAGE  ON FUTURE SCHEMAS    IN DATABASE <<YOUR_DB>>  TO ROLE AI_ANALYST_ROLE;
GRANT SELECT ON ALL TABLES        IN DATABASE <<YOUR_DB>>  TO ROLE AI_ANALYST_ROLE;
GRANT SELECT ON FUTURE TABLES     IN DATABASE <<YOUR_DB>>  TO ROLE AI_ANALYST_ROLE;
GRANT SELECT ON ALL VIEWS         IN DATABASE <<YOUR_DB>>  TO ROLE AI_ANALYST_ROLE;
GRANT SELECT ON FUTURE VIEWS      IN DATABASE <<YOUR_DB>>  TO ROLE AI_ANALYST_ROLE;

-- 3. NETWORK POLICY (Actioneer IP only)
USE ROLE SECURITYADMIN;

CREATE NETWORK RULE IF NOT EXISTS AI_ANALYST_INGRESS_RULE
  TYPE = IPV4  MODE = INGRESS  VALUE_LIST = ('35.244.14.238/32');

CREATE NETWORK POLICY IF NOT EXISTS AI_ANALYST_NETWORK_POLICY
  ALLOWED_NETWORK_RULE_LIST = ('AI_ANALYST_INGRESS_RULE');

-- 4. AUTH POLICY (PAT replaces password + MFA)
CREATE AUTHENTICATION POLICY IF NOT EXISTS AI_ANALYST_AUTH_POLICY
  AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN');

ALTER USER AI_ANALYST_USER SET NETWORK_POLICY       = AI_ANALYST_NETWORK_POLICY;
ALTER USER AI_ANALYST_USER SET AUTHENTICATION POLICY AI_ANALYST_AUTH_POLICY;
Replace <<YOUR_WAREHOUSE>> (e.g., COMPUTE_WH), <<YOUR_DB>>, and <<YOUR_SCHEMA>> with your actual values. Everything else can be left as-is.
ACCOUNTADMIN or SECURITYADMIN is required for the network policy section. If you do not have these roles, forward this page to your Snowflake administrator.
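
To confirm that the script left the service user read-only and IP-restricted, the following checks can be run afterwards. This is an added example, not part of Actioneer's setup script; it reuses the object names from the script and assumes the same <<YOUR_DB>> placeholder and the same database/schema context in which the network rule and authentication policy were created.

```sql
-- Added verification example (not Actioneer's own script).
USE ROLE ACCOUNTADMIN;

-- 1. Privileges held by the role. Flag anything that is not USAGE/SELECT,
--    and any USAGE on another ROLE (that would be an inherited role).
SHOW GRANTS TO ROLE AI_ANALYST_ROLE;
SELECT "privilege", "granted_on", "name"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "privilege" NOT IN ('USAGE', 'SELECT')
   OR  "granted_on" = 'ROLE';                 -- expect zero rows

-- 2. Roles granted directly to the user; expect only AI_ANALYST_ROLE.
SHOW GRANTS TO USER AI_ANALYST_USER;

-- 3. User properties set by the script (service type, defaults).
DESCRIBE USER AI_ANALYST_USER;
SELECT "property", "value"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "property" IN ('TYPE', 'DEFAULT_ROLE', 'DEFAULT_WAREHOUSE', 'DEFAULT_NAMESPACE');

-- 4. Network policy attached to the user; expect AI_ANALYST_NETWORK_POLICY.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' FOR USER AI_ANALYST_USER;

-- 5. Contents of the policy and rule; expect only 35.244.14.238/32.
DESCRIBE NETWORK POLICY AI_ANALYST_NETWORK_POLICY;
DESCRIBE NETWORK RULE   AI_ANALYST_INGRESS_RULE;

-- 6. Authentication policy definition and its attachment to the user;
--    expect PROGRAMMATIC_ACCESS_TOKEN as the only method.
DESCRIBE AUTHENTICATION POLICY AI_ANALYST_AUTH_POLICY;
SELECT policy_name, policy_kind
FROM   TABLE(<<YOUR_DB>>.INFORMATION_SCHEMA.POLICY_REFERENCES(
         REF_ENTITY_NAME   => 'AI_ANALYST_USER',
         REF_ENTITY_DOMAIN => 'USER'));
```
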

Step 2: Generate the Programmatic Access Token

Run the following immediately after the setup script, in the same session.
USE ROLE ACCOUNTADMIN;

ALTER USER AI_ANALYST_USER
  ADD PROGRAMMATIC ACCESS TOKEN AI_ANALYST_PAT
    ROLE_RESTRICTION = 'AI_ANALYST_ROLE'
    DAYS_TO_EXPIRY   = 365
    COMMENT          = 'Token for Actioneer';
Copy the token_secret value from the result row immediately. Snowflake displays it exactly once. If you close the worksheet without copying it, you will need to drop and recreate the token. Store it in a password manager.

Step 3: Connect Snowflake in Actioneer

  1. In Actioneer, click Data in the left sidebar.
  2. Select Snowflake from the list of data sources.
  3. When prompted, select Direct Connection.
  4. Complete the connection form:
  Field  Value
  Connection Name  e.g. Production Snowflake
  Host  Account URL, e.g. myorg-prod123.snowflakecomputing.com
  Port  443
  Database Name  The <<YOUR_DB>> value from Step 1
  Username  AI_ANALYST_USER
  Password  Leave blank — PAT replaces it
  Programmatic Access Token  The token_secret from Step 2
  SSH Tunnel  Not required
Find your Host under Account → Details → Account URL in Snowflake.
Warehouse is not entered here — Actioneer reads it from the DEFAULT_WAREHOUSE set on the user in Step 1. To change it later, update DEFAULT_WAREHOUSE in Snowflake.
  5. Click Connect.

Common questions

No. The AI_ANALYST_ROLE holds only SELECT and USAGE grants. The network policy adds a second layer by restricting requests to Actioneer’s IP address (35.244.14.238).
PATs are Snowflake’s recommended credential for service integrations. They cannot be used for interactive logins, expire on a schedule you control (365 days in the script above), and are scoped to a single role. This is more secure than a shared password.
All credentials are encrypted at rest with AES-256 and encrypted in transit with TLS 1.3. They are never stored in plain text or logged. Actioneer is SOC 2 Type II certified, ISO 27001 certified (audited by Schellman), and GDPR compliant.
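
The controls described in these answers (SELECT-only role, single allowed IP, expiring PAT) can be monitored from the Snowflake side. The queries below are an added example, not part of Actioneer's documentation; the 7-day window and the list of expected statement types are assumptions to adjust for your environment.

```sql
-- Added monitoring example (not Actioneer's own script).
-- Assumption: the current role can read SNOWFLAKE.ACCOUNT_USAGE
-- (ACCOUNTADMIN by default). These views lag behind real time.
USE ROLE ACCOUNTADMIN;

-- 1. Login attempts for the service user that failed, or that did not
--    come from the allow-listed address 35.244.14.238.
SELECT event_timestamp,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       is_success,
       error_message
FROM   SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE  user_name = 'AI_ANALYST_USER'
  AND  event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND  (client_ip <> '35.244.14.238' OR is_success = 'NO')
ORDER  BY event_timestamp DESC;

-- 2. Statements outside what a read-only connector is assumed to need.
--    Any row here (even a failed attempt) deserves a look.
SELECT query_type,
       execution_status,
       COUNT(*)        AS statements,
       MAX(start_time) AS last_seen
FROM   SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE  user_name = 'AI_ANALYST_USER'
  AND  start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND  query_type NOT IN ('SELECT', 'SHOW', 'DESCRIBE', 'USE')
GROUP  BY query_type, execution_status
ORDER  BY statements DESC;

-- 3. Token inventory for the user (name, status, expiry).
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER AI_ANALYST_USER;

-- 4. Response options, left commented out so the block is read-only.
-- Planned rotation ahead of the 365-day expiry; the old secret keeps
-- working for 24 hours while the new one is entered in Actioneer:
-- ALTER USER AI_ANALYST_USER ROTATE PROGRAMMATIC ACCESS TOKEN AI_ANALYST_PAT
--   EXPIRE_ROTATED_TOKEN_AFTER_HOURS = 24;
-- Immediate revocation if the secret may have been exposed:
-- ALTER USER AI_ANALYST_USER REMOVE PROGRAMMATIC ACCESS TOKEN AI_ANALYST_PAT;
```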

Need a hand?

Stuck on a step or running into an error? Reach out at connect@actioneer.com.