Skip to main content
The Snowflake action pack contains the following actions:
  • Search Snowflake with SQL
  • Search Snowflake with Cortex

Action Pack setup instructions

Set up a role to use

Option 1: Create a new Snowflake role with read-only access

A role is basically a group that grants specific permissions on certain resources. You may grant a role to a user or to another role (nested roles). First, we will create a new role called GLEAN_QUERY_SNOWFLAKE_ROLE. To do this, run the following queries with the ACCOUNTADMIN role or any role that can create roles and grant access to resources such as tables and Cortex: 
CREATE ROLE IF NOT EXISTS GLEAN_QUERY_SNOWFLAKE_ROLE;
Then, we will grant permissions to the required tables and access to Cortex. Here are some templated commands that you can use: 
-- Grant usage to a database
GRANT USAGE ON DATABASE <SET_DATABASE_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant usage to a schema
GRANT USAGE ON SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant read access for a table
GRANT SELECT ON TABLE <SET_DATABASE_NAME>.<SET_SCHEMA_NAME>.<SET_TABLE_NAME> to ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant read access for all tables in a schema
GRANT SELECT ON ALL TABLES IN SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant access to Cortex.
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;
Finally, grant the role to specific users or roles: 
-- Grant role access to a user.
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO USER <SET_USER_NAME>;

-- Grant role access to another role. This will apply to all users who have the role.
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO ROLE <SET_ROLE_NAME>;
You should also be able to revoke the roles you just granted. See documentation.

Create a Snowflake OAuth application

We will use the CREATE SECURITY INTEGRATION command to create the OAuth application. Use the ACCOUNTADMIN or any role that has permission to create a security integration: 
-- Create the OAuth application
CREATE SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = CONFIDENTIAL
  OAUTH_REDIRECT_URI = 'https://domain-be.glean.com/tools/oauth' -- dummy URL, will be updated after action pack is created
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

-- Retrieve the client credentials and secret, use this to create the action pack in the next step.
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GLEAN_QUERY_SNOWFLAKE_INTEGRATION');

Option 2: Use an existing Snowflake role with read-only access

You can also use an existing role in the Scopes field when setting up your Action Pack. The action would use the access that the specified role has on your Snowflake instance. For example, your Scopes field could look like: 
refresh_token,session:role:GLEAN_YOUR_EXISTING_ROLE

Create Snowflake action pack

We will now set up the Snowflake action pack and update the redirect URI in the OAuth application:
  1. Open Glean Settings page
  2. Go to Platforms > Actions
  3. Click on Add button for creating a new action
  4. Click on the Snowflake Actions box
  5. Populate the Configuration section
    1. Set the account identifier field in the configuration. You may set it to the account identifier or account locator. This information can be found by navigating to the account details: The accountIdentifier is the part before .snowflakecomputing.com in your Snowflake URL. For example, if your URL is https://abc12345.us-east-1.snowflakecomputing.com, the account identifier is abc12345.us-east-1.
    2. For the Client URL and Authorization URL, run the following command in Snowflake to retrieve these values: 
      DESC SECURITY INTEGRATION REPLACE_WITH_YOUR_OAUTH_SECURITY_INTEGRATION_NAME;
      Look for the OAUTH_AUTHORIZATION_ENDPOINT and OAUTH_TOKEN_ENDPOINT fields in the response:
    3. Set the OAuth client id and client secret obtained from the previous step.
  6. Save the action.
  7. A callback URL is generated after saving the action. Use that to replace the redirect URL using the below command (with the same role as used for creating the OAuth app). 
ALTER SECURITY INTEGRATION 'GLEAN_QUERY_SNOWFLAKE_INTEGRATION' SET OAUTH_REDIRECT_URI = '<INSERT_CALLBACK_URL>';
Setup is now complete. Refer to the end user documentation on how to test this action pack in the agent builder.
I