Connect Snowflake to Glean

Glean can query Snowflake using natural language, direct SQL, supported semantic views, and supported Cortex Agent workflows.

This integration gives users governed access to approved Snowflake resources in Glean while letting data teams control which datasets, semantic views, and Cortex Agents are available. Depending on the question and the resource used, results may appear as tables or as interactive charts and dashboards when supported.

After you enable Snowflake for Assistant, users can:

  • Query approved datasets with natural language.
  • Run read-only SQL queries when SQL actions are enabled.
  • Use approved semantic views and Cortex Agents that are available through the configured Snowflake role.
  • View results as tables or, when supported, interactive charts and dashboards.
  • Review citations that show which Snowflake resource the response used.

Integrate Snowflake in Glean

To securely integrate Snowflake with Glean, you must establish a connection using Snowflake OAuth and a least-privilege role. This ensures Glean can only access the specific data you authorize.

The setup is divided into three main phases:

  1. Configure Snowflake: Define the appropriate user roles, permissions, and network access within Snowflake.
  2. Set up authentication: Create the Snowflake OAuth security integration to handle the secure handshake.
  3. Activate Glean: Enable the Snowflake action pack for Assistant and register your credentials in the Glean Admin Console.

Before you begin

Ensure you have the following ready before starting the configuration:

  • You must have administrative privileges in both Glean and Snowflake.
  • If your Snowflake instance uses network policies, you must allowlist Glean's IP addresses. Contact your Glean account team to retrieve the specific IPs for your deployment.
  • Identify the specific databases, schemas, tables, semantic views, and Cortex Agents you want to make available in Glean Agents and Glean Assistant.
  • Use least-privilege access when you configure Snowflake for Glean. Glean can only access the Snowflake resources granted to the configured role.

Setup instructions

Step 1: Update your Snowflake network policy

If your Snowflake instance uses network policies, you must update them to allow connections from Glean. Without this, the integration handshake will fail.

note

You must add Glean's IP addresses to your Snowflake allowlist. If you do not have these IPs, contact your Glean representative.

Step 2: Set up a Snowflake role

Glean requires a role to execute queries. You have three configuration options:

Use the Snowflake role that matches your rollout. You can restrict Glean to specific datasets, semantic views, or Cortex Agents by granting access only to those resources. If a Cortex Agent depends on additional semantic views, tables, stored procedures, or UDFs, grant only the minimum supporting access that agent needs.

Option 1: Create a dedicated role

Create a dedicated role with granular permissions.

SQL
CREATE ROLE IF NOT EXISTS GLEAN_QUERY_SNOWFLAKE_ROLE;

GRANT USAGE ON DATABASE <SET_DATABASE_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;
GRANT USAGE ON SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA <SET_DATABASE_NAME>.<SET_SCHEMA_NAME> TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Optional: Grant access to Snowflake Cortex
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- Assign the role to users
GRANT ROLE GLEAN_QUERY_SNOWFLAKE_ROLE TO USER <SET_USER_NAME>;

Option 2: Use an existing role

Pass your existing read-only role in the Scopes field during Step 4.

Scope: refresh_token,session:role:YOUR_EXISTING_ROLE

Option 3: Use the default primary role of the user

To use the user's own default Snowflake permissions, use the following scope in Step 4.

Scope: refresh_token
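
Whichever option you choose, confirm what the role can actually reach before users query through it. The following is an added example, not part of the Glean documentation: `<SET_TABLE_NAME>` is a placeholder introduced here, and for Option 2 you would substitute your existing role for GLEAN_QUERY_SNOWFLAKE_ROLE.

```sql
-- Added example (not from the Glean docs). <SET_TABLE_NAME> is a placeholder.

-- Narrower alternative to the "ALL TABLES" grant in Option 1:
-- grant SELECT only on the tables you have approved for Glean.
GRANT SELECT ON TABLE <SET_DATABASE_NAME>.<SET_SCHEMA_NAME>.<SET_TABLE_NAME>
  TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- 1. List every privilege granted to the role.
SHOW GRANTS TO ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;

-- 2. From that output, flag anything beyond read-only access:
--    - a privilege other than USAGE or SELECT
--    - a grant the role could pass on to others (grant_option)
--    - another role granted to it, because that role's privileges are inherited
--    The optional SNOWFLAKE.CORTEX_USER grant appears as USAGE on a
--    DATABASE_ROLE and is not flagged.
SELECT "privilege", "granted_on", "name", "grant_option"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" NOT IN ('USAGE', 'SELECT')
   OR "grant_option" = 'true'
   OR "granted_on" = 'ROLE'
ORDER BY "granted_on", "name";

-- 3. List the users and roles that hold the role, to confirm that only the
--    intended Glean users can assume it.
SHOW GRANTS OF ROLE GLEAN_QUERY_SNOWFLAKE_ROLE;
```

An empty result from query 2 means the role holds only USAGE and SELECT grants, cannot re-grant them, and inherits from no other role.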

Step 3: Create a Snowflake OAuth application

Run the following in Snowflake to create the security integration:

SQL
CREATE SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = CONFIDENTIAL
OAUTH_REDIRECT_URI = '<Copy from Glean Snowflake setup page>'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

note

To allow secondary roles, add OAUTH_USE_SECONDARY_ROLES = IMPLICIT to the command above.

Retrieve Credentials:

SQL
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GLEAN_QUERY_SNOWFLAKE_INTEGRATION');
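
Options 2 and 3 rely on the OAuth scope to select the role, so the integration itself is where you bound what an issued token can do. The following is an added example, not part of the Glean documentation: the blocked role and the 30-day lifetime are illustrative assumptions, not Glean requirements.

```sql
-- Added example (not from the Glean docs); the values are illustrative assumptions.

-- Keep tokens from assuming a high-privilege role, even when the scope is
-- only "refresh_token" and the user's default role is used (Option 3).
-- SET replaces the list you previously supplied, so include every role you
-- want blocked.
ALTER SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION
  SET BLOCKED_ROLES_LIST = ('SYSADMIN');

-- Shorten the refresh token lifetime (value in seconds; 2592000 = 30 days).
ALTER SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION
  SET OAUTH_REFRESH_TOKEN_VALIDITY = 2592000;

-- Verify the effective settings. The two endpoint properties are the
-- Authorization and Token URLs requested in Step 4.
DESC SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION;

SELECT "property", "property_value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('BLOCKED_ROLES_LIST',
                     'OAUTH_REFRESH_TOKEN_VALIDITY',
                     'OAUTH_USE_SECONDARY_ROLES',
                     'OAUTH_REDIRECT_URI',
                     'OAUTH_AUTHORIZATION_ENDPOINT',
                     'OAUTH_TOKEN_ENDPOINT');
```

Check that OAUTH_REDIRECT_URI matches the value copied from the Glean setup page exactly, and that OAUTH_USE_SECONDARY_ROLES is IMPLICIT only if you chose to allow secondary roles.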

Step 4: Create the Snowflake action pack in Glean

  1. In Glean, go to Settings -> Platforms -> Actions.
  2. Click Add and select Snowflake Actions.
  3. Enter your Account Identifier, for example, abc12345.us-east-1.
  4. Enter the Client ID and Secret from Step 3.
  5. Provide the Authorization and Token URLs, which you can find by running DESC SECURITY INTEGRATION GLEAN_QUERY_SNOWFLAKE_INTEGRATION; in Snowflake.

For detailed steps, see Set up Snowflake actions.

Step 5: Enable Snowflake in Glean Assistant

After the action pack is configured, you must enable the feature:

  1. Navigate to the Glean Admin Console.
  2. Under Platform, click Actions and search for Snowflake.
  3. Under Configuration, go to the Enable actions section.
  4. Click Edit settings.
  5. Click Chat and define visibility settings to choose who can use it in Glean Assistant and Glean Agents.

note

To use Snowflake resources in Assistant, enable Execute SQL actions for Assistant. Assistant uses these actions to discover and run the relevant Snowflake datasets, semantic views, and Cortex Agents that are available through the configured Snowflake role.

Step 6: Test the integration

Verify the setup by asking Glean questions about your data.

Example prompts:

  • Natural Language: "What was our pipeline by region last quarter?"
  • Direct SQL: "Run this SQL: SELECT region, SUM(arr) FROM sales_summary GROUP BY region;"

Troubleshooting