SlateoAPI Reference

Snowflake Setup

Connect Slateo to your Snowflake data warehouse using a dedicated user with read-only permissions. This guide walks you through creating a user, role, and warehouse configuration with least-privilege access.

Overview

Snowflake supports fine-grained access control through users, roles, and grants. This allows Slateo to securely access your data without write permissions. You can control access at the database, schema, or table level, and configure dedicated compute resources for Slateo queries.

Best practice: Create a dedicated role and warehouse for Slateo. This provides clear separation of concerns and makes it easier to monitor usage and costs.

Prerequisites

Before setting up the connection, ensure you have:

  • An active Snowflake account
  • ACCOUNTADMIN or SECURITYADMIN role to create users and roles
  • SYSADMIN role or higher to grant database and warehouse access
  • At least one database and schema with tables you want Slateo to access
  • A warehouse for query execution (or permissions to create one)

Setup steps

Step 1: Create a dedicated role and user

Create a dedicated role and user for Slateo with read-only permissions.

Connect to your Snowflake account using the Snowflake web console or a SQL client, then run:

-- Switch to the appropriate role
USE ROLE SECURITYADMIN;

-- Create a dedicated role for Slateo
CREATE ROLE IF NOT EXISTS SLATEO_READONLY_ROLE
  COMMENT = 'Read-only role for Slateo data analytics';

-- Create a dedicated user for Slateo
CREATE USER IF NOT EXISTS SLATEO_READONLY
  PASSWORD = '<secure-password>'
  DEFAULT_ROLE = SLATEO_READONLY_ROLE
  DEFAULT_WAREHOUSE = '<your_warehouse>'
  COMMENT = 'Slateo read-only user';

-- Grant the role to the user
GRANT ROLE SLATEO_READONLY_ROLE TO USER SLATEO_READONLY;

Replace:

  • <secure-password>: A strong, unique password (minimum 8 characters)
  • <your_warehouse>: The warehouse name for query execution (created in Step 3)

Snowflake user management documentation →

Password requirements: Snowflake passwords must be at least 8 characters and contain at least one uppercase letter, one lowercase letter, and one number. Use a strong, unique password and store it securely.

Step 2: Grant database and schema access

Grant the role read-only access to your databases and schemas.

-- Switch to the appropriate role
USE ROLE SYSADMIN;

-- Grant usage on the database
GRANT USAGE ON DATABASE <your_database> TO ROLE SLATEO_READONLY_ROLE;

-- Grant usage on the schema
GRANT USAGE ON SCHEMA <your_database>.<your_schema> TO ROLE SLATEO_READONLY_ROLE;

-- Grant SELECT on all existing tables and views in the schema
GRANT SELECT ON ALL TABLES IN SCHEMA <your_database>.<your_schema> TO ROLE SLATEO_READONLY_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA <your_database>.<your_schema> TO ROLE SLATEO_READONLY_ROLE;

-- Grant SELECT on all future tables and views in the schema
GRANT SELECT ON FUTURE TABLES IN SCHEMA <your_database>.<your_schema> TO ROLE SLATEO_READONLY_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA <your_database>.<your_schema> TO ROLE SLATEO_READONLY_ROLE;

-- Verify the grants
SHOW GRANTS TO ROLE SLATEO_READONLY_ROLE;

Replace:

  • <your_database>: Your database name
  • <your_schema>: Your schema name (typically PUBLIC unless you use custom schemas)

Snowflake access control documentation →

Future grants are critical for dbt and ELT workflows.

If your ELT tool (dbt, Fivetran, Airbyte, etc.) drops and recreates tables on each run, GRANT SELECT ON ALL TABLES only covers tables that exist at the time the command runs. Each time your ELT tool recreates a table, Slateo loses access.

GRANT SELECT ON FUTURE TABLES ensures that new tables created in the schema automatically get the grant, regardless of which user creates them.

Multiple databases or schemas:

If you have multiple databases or schemas, repeat the grants for each one:

-- Example: Grant access to multiple schemas
GRANT USAGE ON DATABASE ANALYTICS TO ROLE SLATEO_READONLY_ROLE;
GRANT USAGE ON SCHEMA ANALYTICS.PRODUCTION TO ROLE SLATEO_READONLY_ROLE;
GRANT USAGE ON SCHEMA ANALYTICS.STAGING TO ROLE SLATEO_READONLY_ROLE;

GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.PRODUCTION TO ROLE SLATEO_READONLY_ROLE;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.PRODUCTION TO ROLE SLATEO_READONLY_ROLE;

GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.STAGING TO ROLE SLATEO_READONLY_ROLE;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.STAGING TO ROLE SLATEO_READONLY_ROLE;

Step 3: Configure warehouse access

Grant the role access to a warehouse for query execution. You can use an existing warehouse or create a dedicated one for Slateo.

Option A: Use an existing warehouse

-- Grant usage on an existing warehouse
GRANT USAGE ON WAREHOUSE <your_warehouse> TO ROLE SLATEO_READONLY_ROLE;

Option B: Create a dedicated warehouse (recommended)

Creating a dedicated warehouse provides better cost tracking and resource isolation:

-- Switch to the appropriate role
USE ROLE SYSADMIN;

-- Create a dedicated warehouse for Slateo
CREATE WAREHOUSE IF NOT EXISTS SLATEO_WH
  WAREHOUSE_SIZE = 'X-SMALL'
  AUTO_SUSPEND = 60
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE
  COMMENT = 'Dedicated warehouse for Slateo queries';

-- Grant usage to the Slateo role
GRANT USAGE ON WAREHOUSE SLATEO_WH TO ROLE SLATEO_READONLY_ROLE;

Snowflake warehouse documentation →

Warehouse sizing: Start with X-SMALL and scale up if needed. Snowflake charges based on warehouse size and runtime. The AUTO_SUSPEND setting automatically suspends the warehouse after 60 seconds of inactivity to minimize costs.

Warehouse configuration best practices:

  • Size: Start with X-SMALL for most workloads
  • Auto-suspend: Set to 60-300 seconds to balance cost and query latency
  • Auto-resume: Enable to automatically start the warehouse when queries are submitted
  • Multi-cluster: Not needed for Slateo (single-cluster is sufficient)

Step 4: Configure network access (optional)

If your Snowflake account uses network policies to restrict access, you may need to allowlist Slateo's IP addresses.

Contact your Slateo account manager for the current list of IP addresses to allowlist.

To add a network policy:

-- Switch to the appropriate role
USE ROLE SECURITYADMIN;

-- Create or alter a network policy
CREATE NETWORK POLICY IF NOT EXISTS SLATEO_NETWORK_POLICY
  ALLOWED_IP_LIST = ('1.2.3.4', '5.6.7.8')
  COMMENT = 'Network policy for Slateo access';

-- Apply the network policy to the user
ALTER USER SLATEO_READONLY SET NETWORK_POLICY = SLATEO_NETWORK_POLICY;

Snowflake network policies documentation →

Most Snowflake accounts don't require network policies. Only configure this if your organization has specific network security requirements.

Step 5: Configure the connection in Slateo

Add your Snowflake connection in the Slateo admin panel.

  1. Log in to your Slateo workspace
  2. Navigate to AdminData SourcesAdd Data Source
  3. Select Snowflake
  4. Enter the connection details:
    • Name: A friendly name for this connection (e.g., Production Analytics)
    • Account: Your Snowflake account identifier (format: xy12345.us-east-1 or xy12345.us-east-1.aws)
    • User: SLATEO_READONLY
    • Password: The password you created in Step 1
    • Warehouse: The warehouse name (e.g., SLATEO_WH or your existing warehouse)
    • Database: Your default database name (optional, can be changed later)
    • Schema: Your default schema name (optional, can be changed later)
    • Role: SLATEO_READONLY_ROLE
  5. Click Test Connection to verify connectivity
  6. Click Save to complete the setup

Finding your Snowflake account identifier →

Account identifier format: Your account identifier can be found in the Snowflake web console URL. For example, if your URL is https://xy12345.us-east-1.snowflakecomputing.com, your account identifier is xy12345.us-east-1.

Next steps

After you complete the setup:

  1. Schema discovery: Slateo automatically scans your accessible databases and schemas to discover available tables and views (typically within 5 minutes)
  2. Verify access: Check that all expected databases, schemas, and tables appear in your Slateo workspace
  3. Monitor warehouse usage: Review warehouse usage in the Snowflake web console to track costs
  4. Start querying: Navigate to your workspace to start analyzing your Snowflake data

Security considerations

Credential management

  • Use strong passwords: Generate passwords with at least 16 characters including uppercase, lowercase, numbers, and special characters
  • Rotate credentials periodically: Update the password every 90 days
  • Store credentials securely: Use a password manager or secure vault
  • Enable MFA (optional): For enhanced security, enable multi-factor authentication on the Snowflake user

To rotate the password:

USE ROLE SECURITYADMIN;
ALTER USER SLATEO_READONLY SET PASSWORD = '<new-secure-password>';

Then update the password in the Slateo admin panel.

Access control

  • Principle of least privilege: Only grant access to databases and schemas that Slateo needs
  • Use role-based access: Keep permissions on the role, not the user
  • Review grants regularly: Audit role permissions quarterly
  • Enable query logging: Monitor query activity for unusual patterns

To review current grants:

SHOW GRANTS TO ROLE SLATEO_READONLY_ROLE;
SHOW GRANTS TO USER SLATEO_READONLY;

Monitoring and auditing

Enable query history and access logs to monitor Slateo activity:

-- View queries executed by the Slateo user
SELECT
  query_text,
  start_time,
  end_time,
  total_elapsed_time,
  warehouse_name,
  execution_status
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE user_name = 'SLATEO_READONLY'
ORDER BY start_time DESC
LIMIT 100;

Snowflake query history documentation →

Cost management

Monitor warehouse usage and costs:

  • Set resource monitors: Create resource monitors to alert on high usage
  • Review warehouse size: Scale down if queries complete quickly
  • Adjust auto-suspend: Balance cost and query latency based on usage patterns
  • Use query tags: Tag Slateo queries for easier cost attribution

To create a resource monitor:

USE ROLE ACCOUNTADMIN;

CREATE RESOURCE MONITOR SLATEO_MONITOR
  WITH CREDIT_QUOTA = 100
  FREQUENCY = MONTHLY
  START_TIMESTAMP = IMMEDIATELY
  TRIGGERS
    ON 75 PERCENT DO NOTIFY
    ON 90 PERCENT DO SUSPEND
    ON 100 PERCENT DO SUSPEND_IMMEDIATE;

ALTER WAREHOUSE SLATEO_WH SET RESOURCE_MONITOR = SLATEO_MONITOR;

Snowflake resource monitors documentation →

Troubleshooting

Authentication errors

If Slateo reports authentication failures:

  1. Verify the user exists and is not locked: 
    USE ROLE SECURITYADMIN;
SHOW USERS LIKE 'SLATEO_READONLY';
  2. Test the credentials locally: 
    snowsql -a <account> -u SLATEO_READONLY -d <database> -s <schema> -w <warehouse>
  3. Check if the user has the correct default role: 
    DESC USER SLATEO_READONLY;
  4. Verify the password hasn't expired (if password policies are enabled)

Permission errors

If Slateo can connect but cannot query certain tables or views:

  1. Verify the role has the correct grants: 
    SHOW GRANTS TO ROLE SLATEO_READONLY_ROLE;
  2. Check if the role has access to the specific schema: 
    SHOW GRANTS ON SCHEMA <database>.<schema>;
  3. Verify future grants are configured: 
    SHOW FUTURE GRANTS IN SCHEMA <database>.<schema>;
  4. Test access by switching to the Slateo role: 
    USE ROLE SLATEO_READONLY_ROLE;
USE WAREHOUSE <warehouse>;
SELECT * FROM <database>.<schema>.<table> LIMIT 10;

Warehouse errors

If queries fail with warehouse errors:

  1. Verify the warehouse exists and is accessible: 
    SHOW WAREHOUSES LIKE '<warehouse>';
SHOW GRANTS ON WAREHOUSE <warehouse>;
  2. Check if the warehouse is suspended: 
    ALTER WAREHOUSE <warehouse> RESUME;
  3. Verify the role has USAGE privilege on the warehouse: 
    GRANT USAGE ON WAREHOUSE <warehouse> TO ROLE SLATEO_READONLY_ROLE;

Network policy errors

If connection fails due to network policies:

  1. Check which network policy is applied: 
    DESC USER SLATEO_READONLY;
  2. Review the network policy allowed IPs: 
    DESC NETWORK POLICY <policy_name>;
  3. Verify Slateo's IP addresses are in the allowed list
  4. Contact your Slateo account manager for the current IP addresses

Schema not appearing in Slateo

If a schema doesn't appear in Slateo after granting access:

  1. Verify the schema exists and contains tables: 
    SHOW TABLES IN SCHEMA <database>.<schema>;
  2. Check that the role has USAGE on both database and schema: 
    SHOW GRANTS TO ROLE SLATEO_READONLY_ROLE;
  3. Trigger a manual schema refresh in Slateo:
    • Go to AdminData Sources
    • Find your Snowflake connection
    • Click Refresh Schema

Advanced configuration

Using key-pair authentication

For enhanced security without passwords, use key-pair authentication:

-- Generate an RSA key pair (run locally)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

-- Set the public key on the user
USE ROLE SECURITYADMIN;
ALTER USER SLATEO_READONLY SET RSA_PUBLIC_KEY='<public_key_content>';

Contact your Slateo account manager for guidance on configuring key-pair authentication.

Snowflake key-pair authentication documentation →

Using OAuth authentication

For SSO integration, Snowflake supports OAuth authentication. Contact your Slateo account manager for setup guidance.

Snowflake OAuth documentation →

Using AWS PrivateLink or Azure Private Link

For private connectivity without exposing your Snowflake account to the public internet, Snowflake supports PrivateLink. Contact your Slateo account manager for setup guidance.

Snowflake PrivateLink documentation →

Additional resources

For additional support or questions, contact your Slateo account manager.

Was this page helpful?

Was this page helpful?