Snowflake Actions Setup - Glean Help Center

The Snowflake action pack contains the following actions:

Search Snowflake with SQL
Search Snowflake with Cortex

Action Pack setup instructions

Create a Snowflake role with read-only access

A role is basically a group that grants specific permissions on certain resources. You may grant a role to a user or to another role (nested roles).

First, we will create a new role called GLEAN_QUERY_SNOWFLAKE_ROLE (kindly do not modify the role name). To do this, run the following queries with the ACCOUNTADMIN role or any role that can create roles and grant access to resources such as tables and Cortex:

CREATE ROLE IF NOT EXISTS GLEAN_QUERY_SNOWFLAKE_ROLE;

Then, we will grant permissions to the required tables and access to Cortex. Here are some templated commands that you can use:

-- Grant usage to a database
GRANT USAGE ON DATABASE <SET_DATABASE_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant usage to a schema
GRANT USAGE ON SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant read access for a table
GRANT SELECT ON TABLE <SET_DATABASE_NAME>.<SET_SCHEMA_NAME>.<SET_TABLE_NAME> to ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant read access for all tables in a schema
GRANT SELECT ON ALL TABLES IN SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant access to Cortex.
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

Finally, grant the role to specific users or roles:

-- Grant role access to a user.
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO USER <SET_USER_NAME>;

-- Grant role access to another role. This will apply to all users who have the role.
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO ROLE <SET_ROLE_NAME>;

You should also be able to revoke the roles you just granted. See documentation.

Create a Snowflake OAuth application

We will use the CREATE SECURITY INTEGRATION command to create the OAuth application. Use the ACCOUNTADMIN or any role that has permission to create a security integration:

-- Create the OAuth application
CREATE SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = CONFIDENTIAL
  OAUTH_REDIRECT_URI = 'https://domain-be.glean.com/tools/oauth' -- dummy URL, will be updated after action pack is created
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

-- Retrieve the client credentials and secret, use this to create the action pack in the next step.
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GLEAN_QUERY_SNOWFLAKE_INTEGRATION');

Create Snowflake action pack

We will now set up the Snowflake action pack and update the redirect URI in the OAuth application:

Open Glean Settings page
Go to Platforms > Actions
Click on Add button for creating a new action
Click on the Snowflake Actions box
Populate the Configuration section
1. Set the account identifier field in the configuration. You may set it to the account identifier or account locator. This information can be found by navigating to the account details:
2. Replace the account identifiers in the OAuth authorization and client urls below.
3. Set the OAuth client id and client secret obtained from the previous step.
Save the action.
A callback URL is generated after saving the action. Use that to replace the redirect URL using the below command (with the same role as used for creating the OAuth app).

ALTER SECURITY INTEGRATION 'GLEAN_QUERY_SNOWFLAKE_INTEGRATION' SET OAUTH_REDIRECT_URI = '<INSERT_CALLBACK_URL>';

Setup is now complete. Refer to the end user documentation on how to test this action pack in the agent builder.

On this page

Action Pack setup instructions
Create a Snowflake role with read-only access
Create a Snowflake OAuth application
Create Snowflake action pack

The Snowflake action pack contains the following actions:

Search Snowflake with SQL
Search Snowflake with Cortex

Action Pack setup instructions

Create a Snowflake role with read-only access

A role is basically a group that grants specific permissions on certain resources. You may grant a role to a user or to another role (nested roles).

CREATE ROLE IF NOT EXISTS GLEAN_QUERY_SNOWFLAKE_ROLE;

Then, we will grant permissions to the required tables and access to Cortex. Here are some templated commands that you can use:

-- Grant usage to a database
GRANT USAGE ON DATABASE <SET_DATABASE_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant usage to a schema
GRANT USAGE ON SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant read access for a table
GRANT SELECT ON TABLE <SET_DATABASE_NAME>.<SET_SCHEMA_NAME>.<SET_TABLE_NAME> to ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant read access for all tables in a schema
GRANT SELECT ON ALL TABLES IN SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Grant access to Cortex.
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

Finally, grant the role to specific users or roles:

-- Grant role access to a user.
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO USER <SET_USER_NAME>;

-- Grant role access to another role. This will apply to all users who have the role.
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO ROLE <SET_ROLE_NAME>;

You should also be able to revoke the roles you just granted. See documentation.

Create a Snowflake OAuth application

We will use the CREATE SECURITY INTEGRATION command to create the OAuth application. Use the ACCOUNTADMIN or any role that has permission to create a security integration:

-- Create the OAuth application
CREATE SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = CONFIDENTIAL
  OAUTH_REDIRECT_URI = 'https://domain-be.glean.com/tools/oauth' -- dummy URL, will be updated after action pack is created
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

-- Retrieve the client credentials and secret, use this to create the action pack in the next step.
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GLEAN_QUERY_SNOWFLAKE_INTEGRATION');

Create Snowflake action pack

We will now set up the Snowflake action pack and update the redirect URI in the OAuth application:

Open Glean Settings page
Go to Platforms > Actions
Click on Add button for creating a new action
Click on the Snowflake Actions box
Populate the Configuration section
1. Set the account identifier field in the configuration. You may set it to the account identifier or account locator. This information can be found by navigating to the account details:
2. Replace the account identifiers in the OAuth authorization and client urls below.
3. Set the OAuth client id and client secret obtained from the previous step.
Save the action.
A callback URL is generated after saving the action. Use that to replace the redirect URL using the below command (with the same role as used for creating the OAuth app).

ALTER SECURITY INTEGRATION 'GLEAN_QUERY_SNOWFLAKE_INTEGRATION' SET OAUTH_REDIRECT_URI = '<INSERT_CALLBACK_URL>';

Setup is now complete. Refer to the end user documentation on how to test this action pack in the agent builder.

On this page

Action Pack setup instructions
Create a Snowflake role with read-only access
Create a Snowflake OAuth application
Create Snowflake action pack

​Action Pack setup instructions

​Create a Snowflake role with read-only access

​Create a Snowflake OAuth application

​Create Snowflake action pack

help-glean

​Action Pack setup instructions

​Create a Snowflake role with read-only access

​Create a Snowflake OAuth application

​Create Snowflake action pack

Action Pack setup instructions

Create a Snowflake role with read-only access

Create a Snowflake OAuth application

Create Snowflake action pack

Action Pack setup instructions

Create a Snowflake role with read-only access

Create a Snowflake OAuth application

Create Snowflake action pack