Connect Snowflake to Glean Assistant [Beta]

Glean Assistant can query Snowflake directly using natural language or SQL. This integration allows users to access governed warehouse data within the Assistant chat interface, eliminating the need to switch to Snowsight or separate agent environments.

Integrate Snowflake in Glean

To enable Snowflake within Glean Assistant, you will establish a secure connection using Snowflake OAuth security integration. This process involves configuring permissions in Snowflake to ensure Glean can only access the specific data you authorize, and then registering those credentials within the Glean Admin Console.

The setup is divided into three main phases:

1. Snowflake configuration: defining roles and network access.

2. Authentication: creating the OAuth handshake.

3. Glean activation: enabling the Snowflake action pack for Assistant users.

Before you begin

Ensure you have the following ready before starting the configuration:

• You must have administrative privileges in both Glean and Snowflake.
• If your Snowflake instance uses network policies, you must allowlist Glean's IP addresses. Contact your Glean account team to retrieve the specific IPs for your deployment.
• Identify the specific databases, schemas, and tables you intend to expose to Assistant users.

Setup instructions

Step 1: Update your Snowflake network policy

If your Snowflake instance uses network policies, you must update them to allow connections from Glean. Without this, the integration will fail to handshake.

• Action: Add IP addresses of Glean to your Snowflake allowlist. If you do not have these IPs, contact your Glean representative.

Step 2: Set up a Snowflake role

Glean Assistant requires a role to execute queries. You have three configuration options:

Option 1: Create a new read-only role (Recommended)

Create a dedicated role with granular permissions.

SQL

CREATE ROLE IF NOT EXISTS GLEAN_QUERY_SNOWFLAKE_ROLE;

GRANT USAGE ON DATABASE <SET_DATABASE_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;
GRANT USAGE ON SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Optional: Grant access to Snowflake Cortex
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Assign the role to users
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO USER <SET_USER_NAME>;

Option 2: Use an existing role

Pass your existing read-only role in the Scopes field during Step 4.

Scope: refresh_token,session:role:YOUR_EXISTING_ROLE

Option 3: Use the default primary role of the user

To use the own default Snowflake permissions of the user, use the following scope in Step 4.

Scope: refresh_token

Step 3: Create a Snowflake OAuth application

Run the following in Snowflake to create the security integration:

SQL

CREATE SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = CONFIDENTIAL
  OAUTH_REDIRECT_URI = '<Copy from Glean Snowflake setup page>'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

note

To allow secondary roles, add OAUTH_USE_SECONDARY_ROLES = IMPLICIT to the command above.

Retrieve Credentials:

SQL

SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GLEAN_QUERY_SNOWFLAKE_INTEGRATION');

Step 4: Create the Snowflake action pack in Glean

1. In Glean, go to Settings -> Platforms -> Actions.
2. Click Add and select Snowflake Actions.
3. Enter your Account Identifier, for example, abc12345.us-east-1.
4. Enter the Client ID and Secret from Step 3.
5. Provide the Authorization and Token URLs which you can find by running DESC SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION; in Snowflake.

Step 5: Enable Snowflake in Glean Assistant

After the action pack is configured, you must enable the feature:

1. Navigate to the Glean Admin Console.
2. Under Platform, click Actions and search for Snowflake.
3. Under Configuration, go the Enable actions section.
4. Click Edit settings.
5. Click Chat and define visibility settings to choose who can use it in Glean Assistant and Agents.

Step 6: Test the integration

Verify the setup by asking Assistant questions about your data.

Example prompts:

• Natural Language: "What was our pipeline by region last quarter?"
• Direct SQL: "Run this SQL: SELECT region, SUM(arr) FROM sales_summary GROUP BY region;"

Troubleshooting

Verify that Glean's IP addresses are added to your Snowflake Network Policy.

Ensure the Snowflake role has USAGE rights on the Database/Schema and SELECT rights on the Tables.

Double-check that the OAUTH_REDIRECT_URI in Snowflake exactly matches the URI provided in the Glean setup page.

Confirm your deployment is opted into the Snowflake Assistant Open Beta.