> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thanx.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Snowflake

> Configuring your Snowflake destination.

## Prerequisites

* [ ] In order to complete the following setup steps, you or a Snowflake admin on your team must have the securityadmin and sysadmin roles. (To check your account for these roles, run `SHOW GRANTS TO USER <your_username>;` and review the `role` column.)
* [ ] If your Snowflake data warehouse is using Snowflake Access Policies, you will need to have the data-syncing service's static IP available to complete Step 2.

## Step 1: Create role, user, warehouse, and database in the data warehouse

1. Review and make any changes to the following setup script.

```sql theme={null}
begin;

   -- create variables for user / password / role / warehouse / database
   set role_name = 'TRANSFER_ROLE'; -- all letters must be uppercase
   set user_name = 'TRANSFER_USER'; -- all letters must be uppercase
   set user_password = 'some_password'; -- alphanumeric only, special characters are not allowed
   set warehouse_name = 'TRANSFER_WAREHOUSE'; -- all letters must be uppercase
   set database_name = 'TRANSFER_DATABASE'; -- all letters must be uppercase

   -- change role to securityadmin for user / role steps
   use role securityadmin;

   -- create role for data transfer service
   create role if not exists identifier($role_name);
   grant role identifier($role_name) to role SYSADMIN; -- establish SYSADMIN as the parent of the new role. Note: this does not grant the access privileges of SYSADMIN to the new role.

   -- create a user for data transfer service using key-based authentication
   create user if not exists identifier($user_name)
   -- this public key should be copied from the connection form in the onboarding UI
   RSA_PUBLIC_KEY='MIIBIjANBgkqh...';

   -- set default role and warehouse to new user
   alter user identifier($user_name) SET default_role = $role_name;
   alter user identifier($user_name) SET default_warehouse = $warehouse_name;

   grant role identifier($role_name) to user identifier($user_name);

   -- change role to sysadmin for warehouse / database steps
   use role sysadmin;

   -- create a warehouse for data transfer service
   create warehouse if not exists identifier($warehouse_name)
   warehouse_size = xsmall
   warehouse_type = standard
   auto_suspend = 60
   auto_resume = true
   initially_suspended = true;

   -- create database for data transfer service
   create database if not exists identifier($database_name);

   -- grant service role access to warehouse
   grant USAGE
   on warehouse identifier($warehouse_name)
   to role identifier($role_name);

   -- grant service access to database
   grant CREATE SCHEMA, MONITOR, USAGE
   on database identifier($database_name)
   to role identifier($role_name);

 commit;
```

<Note>
  **Using an existing `schema`**

  By default, a new schema (with a name you provide) will be created in the target Snowflake database upon the initial connection. If instead you create the `schema` ahead of time, you may remove the `CREATE SCHEMA` permission, and instead  `grant ALL PRIVILEGES` on the target `schema` for the designated `role`.

  The script below can be used to complete this step:

  ```sql theme={null}
  set role_name = 'TRANSFER_ROLE';
  set database_name = 'TRANSFER_DATABASE';
  set schema_name = 'PRECREATED_SCHEMA';

  use database identifier($database_name);
  grant ALL PRIVILEGES on schema identifier($schema_name) to role identifier($role_name);
  ```
</Note>

<Note>
  **Using an existing `warehouse` or `database`**

  By default, this script creates a new warehouse and a new database. If you'd prefer to use an existing warehouse/database, change the `warehouse_name` variable from `TRANSFER_WAREHOUSE` to the name of the warehouse to be shared/`database_name` variable from `TRANSFER_DATABASE` to the name of the database to be shared.
</Note>

2. In the Snowflake interface, select the dropdown next to the "Run" button, and click **Run All**. This will run every query in the script at once. If successful, you will see `Statement executed successfully` in the query results.

## Step 2: Configure the Snowflake access policy

If your Snowflake data warehouse is using Snowflake Access Policies, a new policy must be added to allow the transfer service static IP to write to the warehouse.

1. Review current network policies to check for existing IP safelists.

```sql theme={null}
SHOW NETWORK POLICIES;
```

2. If there is no existing Snowflake Network Policies (the `SHOW` query returns no results), you can skip to Step 3.
3. If there is an existing Snowflake Network Policy, you must alter the existing policy or create a new one to safelist the data transfer service static IP address. Use the `CREATE NETWORK POLICY` command to specify the IP addresses that can access your Snowflake warehouse.

```sql theme={null}
CREATE NETWORK POLICY <transfer_service_policy_name> ALLOWED_IP_LIST = ('5.4.7.8/32');
```

<Warning>
  **Creating your first network policy**

  If you have no existing network policies and you create your first as part of this step, all other IPs outside of the `ALLOWED_IP_LIST` will be blocked. Snowflake does not allow setting a network policy that blocks your current IP address. (An error message results while trying to create a network policy that blocks the current IP address.) But be careful when setting your first network policy.
</Warning>

## Step 3: Add your destination

Securely share your **host name**, **database name**, your chosen **schema name**, **username**, and **password** with us to complete the connection.
