Cloud Portal ONE Desktop ONE DQ&C ONE MDM ONE RDM ONE Runtime Server
User Community Service Desk Downloads

Snowflake Connection

This article describes how to connect to Snowflake for data processing and catalog.

If you’re looking to connect Snowflake for lineage, see Snowflake Lineage Scanner.

Availability

Data processing & catalog Edge processing Lineage Exceptions

None

Pushdown processing

With Snowflake, Ataccama ONE profiling jobs always run in pushdown in Snowflake and not in Ataccama’s cloud runtime.

You can also configure pushdown processing for DQ evaluation jobs (see Enable pushdown for DQ evaluation).

To learn more about pushdown processing and when to use it, see Snowflake Pushdown Processing and When to Use Snowflake Pushdown for DQ Evaluation.

Prerequisites

Add a connection

  1. Go to [your source] > Connections and select Add Connection.

  2. In Connection type, select Snowflake.

  3. Fill in the following:

    • Name: A meaningful name for your connection. Used to indicate the location of catalog items.

    • Description (Optional): A short description of the connection.

    • JDBC: A JDBC connection string pointing to the IP address or the URL where your data source can be reached. See JDBC connection string format.

  4. Configure pushdown settings. See Enable pushdown for DQ evaluation.

  5. Optionally, select Enable analytical queries if you want to create data visualizations in ONE Reports based on catalog items from this connection.

JDBC connection string format

jdbc:snowflake://<account_identifier>.snowflakecomputing.com/?db=<database>&schema=<schema>&warehouse=<warehouse>&role=<role>

Replace the following:

  • <account_identifier>: Your Snowflake account identifier (for example, myorganization-myaccount or the account locator like xy12345).

  • <database>: The name of the database to connect to.

  • <schema>: The schema to use within the database.

  • <warehouse>: The virtual warehouse to use for queries.

  • <role>: The role to use for the session (must have appropriate privileges).

Your account identifier can be found in Snowsight under Account Details. For more information, see Account identifiers in the Snowflake documentation.

Enable pushdown for DQ evaluation

Pushdown settings

In Data quality evaluation, select where DQ evaluation jobs will run:

  • Pushdown to process data in Snowflake.

  • Cloud to process data in Ataccama’s cloud runtime.

To help you decide, see When to Use Snowflake Pushdown for DQ Evaluation.

In Data-based term detection, select whether to skip data-based term detection or run it on the Ataccama platform. Data-based term detection can only be run in Ataccama’s cloud runtime.

Stage settings

If you enable pushdown for DQ evaluation, you need to specify where reference data files are stored in Snowflake. For details about what these files contain, see Why Ataccama uses a Snowflake stage.

  • Use default stage: Uses the allocated user stage @~/ataccama_cache/ in the Snowflake user account you connected with. No further configuration is required.

  • Specify a custom stage: Uses a named stage instead of the default user stage. If selected, in Stage location enter the path to the stage starting with the @ prefix.

We recommend using a dedicated stage for Ataccama files. For details about stage types and creating a named stage, see Staging files in the Snowflake documentation.

Add credentials

Credentials must be for a Snowflake user with write permissions because pushdown processing requires creating temporary tables in the working database.

  1. Select Add Credentials.

  2. Choose an authentication method and continue with the corresponding step:

    • Username and password: Basic authentication using your username and password.

    • Snowflake OAuth credentials: Snowflake OAuth 2.0 tokens for secure delegated access.

    • Key-pair authentication: Enhanced security authentication as an alternative to username and password authentication.

    • Entra ID: Authentication using Microsoft Entra ID (formerly Azure Active Directory) for OAuth 2.0 authentication.

One set of credentials must be defined as default for each connection. Otherwise, DQ evaluation fails and previewing data in the catalog is not possible.

Username and password

Consider using key-pair authentication instead of username and password.

Password-only authentication is no longer supported for new accounts according to Snowflake’s “secure by default” policy. See Key-pair authentication in the Snowflake documentation.

To authenticate using a username and password:

  1. Fill in the following:

    • Name: Provide a clear name for this set of credentials.

    • Description (Optional): Explain what the credentials are used for or provide other useful information.

    • Username: The username for the data source.

    • Password: The password for the data source.

  2. To use this set of credentials by default when connecting to the data source, select Set as default.

Key-pair authentication

To authenticate using key-pair authentication:

  1. Fill in the following:

    • Name: Provide a clear name for this set of credentials.

    • Description (Optional): Explain what the credentials are used for or provide other useful information.

    • Username: The username for the data source.

    • Service account key: Upload your private key. For instructions about how to generate a private key, see Key-pair authentication > Generate the private keys in the Snowflake documentation.

  2. To use this set of credentials by default when connecting to the data source, select Set as default.

Snowflake OAuth credentials

For setup instructions in Snowflake, see Configure Snowflake OAuth in the Snowflake documentation.

To authenticate using Snowflake OAuth credentials:

  1. Fill in the following:

    • Name: Provide a clear name for this set of credentials.

    • Description (Optional): Explain what the credentials are used for or provide other useful information.

    • Redirect URL: This field is predefined and read-only. This URL is required for receiving the refresh token from Snowflake.

    • Client ID: The Snowflake OAuth 2.0 client ID.

    • Client secret: The client secret used to authenticate to the authorization server.

    • Authorization endpoint: The Snowflake OAuth 2.0 authorization endpoint. Required only if you need to generate a new refresh token.

    • Token endpoint: The Snowflake OAuth 2.0 token endpoint. Used to receive a token or a refresh token.

    • Refresh token valid till: Optionally, manually specify the token validity period.

    • Refresh token: The Snowflake OAuth 2.0 refresh token. Allows the application to authenticate after the access token has expired without having to request user credentials.

      Select Generate to create a new token. Once you do this, the expiration date of the refresh token is updated in Refresh token valid till.

  2. To use this set of credentials by default when connecting to the data source, select Set as default.

Entra ID

Entra ID authentication requires an External OAuth security integration in Snowflake and an OAuth application configured in Microsoft Entra ID.

If these are not already set up in your environment, contact your Snowflake and Azure administrators, or see Configure Microsoft Entra ID for External OAuth for setup instructions.

To authenticate using Entra ID:

  1. Fill in the following:

    • Name: Provide a clear name for this set of credentials.

    • Description (Optional): Explain what the credentials are used for or provide other useful information.

    • Client ID: The application (client) ID registered in the Microsoft Entra portal.

      This appears as a GUID (for example, 4701c7e7-1178-4006-a1fc-b4c3ee5cfef7) and is found in the Entra ID portal in App registrations > [app name] > Overview.

    • Client Secret: The secret value generated for the application in the Microsoft Entra portal (App registrations > [app name] > Certificates & secrets).

    • Tenant ID: The directory (tenant) ID of your Microsoft Entra instance.

      This appears as a GUID (for example, 12345678-1234-1234-1234-123456789012) and is found in the Entra ID portal in App registrations > [app name] > Overview, or in Azure Active Directory > Overview.

      For details about registering an application and generating credentials, see Register an application with Microsoft Entra ID.

    • Application ID URI: The Application ID URI for your Snowflake OAuth resource application. This can be in the format api://<GUID> or <web-resource>;.

      It is configured in Entra ID in App registrations > [OAuth resource app] > Expose an API. The Application ID URI must be unique within your organization’s directory.

  2. To use this set of credentials by default when connecting to the data source, select Set as default.

Add write credentials

If you want to export data to this source, add write credentials. Select Add Credentials and follow the instructions in Add credentials.

Next steps

Test and save your connection to complete setup.

Was this page useful?