Skip to main content

Snowflake

Snowflake is a cloud data warehouse.

User Impersonation

Dremio supports OAuth with impersonation for Snowflake. This allows Dremio users to authenticate via external OAuth and map to Snowflake roles securely. For reference, see Snowflake's Create Security Integration (External OAuth) documentation.

Before configuring a Snowflake source with user impersonation, perform the following steps:

  1. Run the following curl commands to obtain the Dremio OAuth parameters (issuer and public key):

    To get the issuer:

    curl --location 'https://<dremio_url>/api/v3/external-oauth/discovery/jwt-issuer' \
    --header 'Authorization: Bearer <Token>' \
    --header 'Content-Type: application/json' \
    --data ''

    To get the public key:

    curl --location 'https://<dremio_url>/api/v3/external-oauth/discovery/jwks' \
    --header 'Authorization: Bearer <Token>' \
    --header 'Content-Type: application/json' \
    --data ''

    The above JWKS response needs to be converted to PEM format, which Snowflake accepts. We recommend using this open-source tool: rsa-jwks-to-pem.

    Example conversion:

    python rsa-jwks-to-pem.py key_jwks.json

  2. Create a Snowflake external OAuth security integration in Snowflake. Set EXTERNAL_OAUTH_ISSUER to the issuer obtained from Dremio, EXTERNAL_OAUTH_RSA_PUBLIC_KEY to the PEM-formatted key from the script, and EXTERNAL_OAUTH_AUDIENCE_LIST to any additional audience values for token validation beyond your Snowflake account URL.

    Create Security Integration 
    CREATE OR REPLACE SECURITY INTEGRATION snowflake_imp
    TYPE = EXTERNAL_OAUTH
    ENABLED = TRUE
    EXTERNAL_OAUTH_TYPE = CUSTOM
    EXTERNAL_OAUTH_ISSUER = '<issuer-from-dremio>'
    EXTERNAL_OAUTH_AUDIENCE_LIST = ('<audience-values>')
    EXTERNAL_OAUTH_ALLOWED_ROLES_LIST = ('REGRESSION', 'ACCOUNTADMIN', 'PUBLIC')
    EXTERNAL_OAUTH_RSA_PUBLIC_KEY = '<PEM-formatted-key>'
    EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
    EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';

    To configure Snowflake source in any mode (which allows users to assume any role they have access to in Snowflake), enable EXTERNAL_OAUTH_ANY_ROLE_MODE for Snowflake security integration: Alter Security Integration 

    ALTER SECURITY INTEGRATION snowflake_imp SET EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';

Configure Snowflake as a Source

  1. In the bottom-left corner of the Datasets page, click Add Source.

  2. Under Databases in the Add Data Source dialog, select Snowflake.

    note

    Sources containing a large number of files or tables may take longer to be added. During this time, the source name is grayed out and shows a spinner icon, indicating the source is being added. Once complete, the source becomes accessible.

General

Perform these steps in the General tab:

  1. For Name, specify the name by which you want the Snowflake source to appear in the Databases section. The name cannot include the following special characters: /, :, [, or ].
  2. For Host, specify the hostname of the Snowflake source in the format LOCATOR_ID.snowflakecomputing.com.
  3. For Port, enter the port number. The default port is 443.
note

The optional connection parameters are case-sensitive. For example, if the name of a warehouse uses upper case only (e.g., WAREHOUSE1), specify it the same way in the Warehouse field.

  1. (Optional) For Database, specify the default database to use.
  2. (Optional) For Role, specify the default access-control role to use.
  3. (Optional) For Schema, specify the default schema to use.
  4. (Optional) For Warehouse, specify the warehouse that will provide resources for executing DML statements and queries.
  5. Under Authentication, you must choose one of the following authentication methods:
    • Login-password authentication:
      • For Username, enter your Snowflake username.
      • For Password, enter your Snowflake password.
    • Key-pair authentication (see Snowflake's key-pair documentation):
      • For Username, enter your Snowflake username.
      • For Private Key, enter your generated Snowflake private key in Privacy Enhanced Mail (PEM) format.
      • (Optional) For Private key passphrase, enter the passphrase if you are using an encrypted private key.
    • OAuth with impersonation: This allows Dremio users to authenticate via external OAuth and map to Snowflake roles securely. If you have not already, complete the steps in [User Impersonation](#user-impersonation] for configuring a Snowflake source with user impersonation.
      • Choose one of the two user impersonation role modes:
        1. Any role: Allows users to assume any role they have access to in Snowflake.
        2. User-defined role: Restricts users to specific predefined roles. The username configured in the Dremio source must be present in the EXTERNAL_OAUTH_ALLOWED_ROLES_LIST specified in Step 2 under User Impersonation.
      • Set the JWT audience parameter to match Snowflake’s EXTERNAL_OAUTH_AUDIENCE_LIST. This ensures proper token validation and role mapping between Dremio and Snowflake.

Advanced

On the Advanced Options page, you can set values for these non-required options:

OptionDescription
Maximum Idle ConnectionsThe total number of connections allowed to be idle at a given time. The default maximum idle connections is 8.
Connection Idle TimeThe amount of time (in seconds) allowed for a connection to remain idle before the connection is terminated. The default connection idle time is 60 seconds.
Query TimeoutThe amount of time (in seconds) allowed to wait for the results of a query. If this time expires, the connection being used is returned to an idle state.

Reflection Refresh

On the Reflection Refresh page, set the policy that controls how often Reflections are scheduled to be refreshed automatically, as well as the time limit after which Reflections expire and are removed.

OptionDescription
Never refreshSelect to prevent automatic Reflection refresh, default is to automatically refresh.
Refresh everyHow often to refresh Reflections, specified in hours, days or weeks. This option is ignored if Never refresh is selected.
Never expireSelect to prevent Reflections from expiring, default is to automatically expire after the time limit below.
Expire afterThe time limit after which Reflections expire and are removed from Dremio, specified in hours, days or weeks. This option is ignored if Never expire is selected.

Metadata Options

On the Metadata page, you can configure settings to refresh metadata and handle datasets.

Dataset Handling

These are the optional Dataset Handling parameters.

ParameterDescription
Remove dataset definitions if underlying data is unavailableBy default, Dremio removes dataset definitions if underlying data is unavailable. Useful when files are temporarily deleted and added back in the same location with new sets of files.

Metadata Refresh

These are the optional Metadata Refresh parameters:

  • Dataset Discovery: The refresh interval for fetching top-level source object names such as databases and tables. Set the time interval using this parameter.

    ParameterDescription
    (Optional) Fetch everyYou can choose to set the frequency to fetch object names in minutes, hours, days, or weeks. The default frequency to fetch object names is 1 hour.

  • Dataset Details: The metadata that Dremio needs for query planning such as information required for fields, types, shards, statistics, and locality. These are the parameters to fetch the dataset information.

    ParameterDescription
    Fetch modeYou can choose to fetch only from queried datasets that are set by default. Dremio updates details for previously queried objects in a source. Fetching from all datasets is deprecated.
    Fetch everyYou can choose to set the frequency to fetch dataset details in minutes, hours, days, or weeks. The default frequency to fetch dataset details is 1 hour.
    Expire afterYou can choose to set the expiry time of dataset details in minutes, hours, days, or weeks. The default expiry time of dataset details is 3 hours.

Privileges

On the Privileges page, you can grant privileges to specific users or roles. See Access Control for additional information about user privileges.

  1. (Optional) For Privileges, enter the user name or role name that you want to grant access to and click the Add to Privileges button. The added user or role is displayed in the Users table.
  2. (Optional) For the users or roles in the Users table, toggle the green checkmark for each privilege you want to grant on the Dremio source that is being created.
  3. Click Save after setting the configuration.

Edit a Snowflake Source

To edit a Snowflake source:

  1. On the Datasets page, click External Sources at the bottom-left of the page. A list of sources is displayed.

  2. Hover over the external source and click the Settings This is the icon that represents the Source settings. icon that appears next to the source.

  3. In the Source Settings dialog, you cannot edit the name. Editing other parameters is optional. For parameters and advanced options, see Configuring Snowflake as a Source.

  4. Click Save.

Remove a Snowflake Source

To remove a Snowflake source, perform these steps:

  1. On the Datasets page, click External Sources at the bottom-left of the page. A list of sources is displayed.

  2. Hover over the source and click the More (...) icon that appears next to the source.

  3. From the list of actions, click Remove Source. Confirm that you want to remove the source.

    caution

    Removing a source causes all downstream views dependent on objects in this source to break.

    note

    Sources containing a large number of files or tables may take longer to be removed. During this time, the source name is grayed out and shows a spinner icon, indicating the source is being removed. Once complete, the source disappears.

Predicate Pushdowns

These operations and functions are performed by Snowflake warehouses:

||, AND, OR
+, -, /, *
<=, <, >, >=, =, <>, !=
ABS
ADD_MONTHS
AVG
BETWEEN
CASE
CAST
CEIL
CEILING
CHARACTER_LENGTH
CHAR_LENGTH
COALESCE
CONCAT
COUNT
COUNT_DISTINCT
COUNT_DISTINCT_MULTI
COUNT_FUNCTIONS
COUNT_MULTI
COUNT_STAR
DATE_ADD
DATE_SUB
DATE_TRUNC
DATE_TRUNC_DAY
DATE_TRUNC_HOUR
DATE_TRUNC_MINUTE
DATE_TRUNC_MONTH
DATE_TRUNC_QUARTER
DATE_TRUNC_WEEK
DATE_TRUNC_YEAR
DAYOFMONTH
DAYOFWEEK
DAYOFYEAR
EXTRACT
FLOOR
ILIKE
IN
IS DISTINCT FROM
IS NOT DISTINCT FROM
IS NOT NULL
IS NULL
LAST_DAY
LEFT
LENGTH
LIKE
LOCATE
LOWER
LPAD
LTRIM
MAX
MEDIAN
MIN
MOD
NOT
PERCENT_CONT
PERCENT_DISC
PERCENT_RANK
POSITION
REGEXP_LIKE
REPLACE
REVERSE
RIGHT
ROUND
RPAD
RTRIM
SIGN
SQRT
STDDEV
STDDEV_POP
STDDEV_SAMP
SUBSTR
SUBSTRING
SUM
TO_CHAR
TO_DATE
TRIM
TRUNC
TRUNCATE
UPPER