Snowflake
Snowflake is a cloud data warehouse.
User Impersonation
Dremio supports OAuth with impersonation for Snowflake. This allows Dremio users to authenticate via external OAuth and map to Snowflake roles securely. For reference, see Snowflake's Create Security Integration (External OAuth) documentation.
Before configuring a Snowflake connection with user impersonation, perform the following steps:
- Run the following curl commands to obtain the Dremio OAuth parameters (issuer and public key):
To get the issuer:
curl --location 'https://<dremio_url>/api/v3/external-oauth/discovery/jwt-issuer' \
--header 'Authorization: Bearer <Token>' \
--header 'Content-Type: application/json' \
--data ''
To get the public key:
curl --location 'https://<dremio_url>/api/v3/external-oauth/discovery/jwks' \
--header 'Authorization: Bearer <Token>' \
--header 'Content-Type: application/json' \
--data ''
The JWKS response above must be converted to PEM format, which Snowflake accepts. We recommend using this open-source tool: rsa-jwks-to-pem.
Example conversion:
python rsa-jwks-to-pem.py key_jwks.json
- Create a Snowflake external OAuth security integration in Snowflake. Set EXTERNAL_OAUTH_ISSUER to the issuer obtained from Dremio, EXTERNAL_OAUTH_RSA_PUBLIC_KEY to the PEM-formatted key from the script, and EXTERNAL_OAUTH_AUDIENCE_LIST to any additional audience values for token validation beyond your Snowflake account URL.
Create Security Integration
CREATE OR REPLACE SECURITY INTEGRATION snowflake_imp
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = CUSTOM
EXTERNAL_OAUTH_ISSUER = '<issuer-from-dremio>'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('<audience-values>')
EXTERNAL_OAUTH_ALLOWED_ROLES_LIST = ('REGRESSION', 'ACCOUNTADMIN', 'PUBLIC')
EXTERNAL_OAUTH_RSA_PUBLIC_KEY = '<PEM-formatted-key>'
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';
To configure Snowflake in any role mode (which allows users to assume any role they have access to in Snowflake), enable EXTERNAL_OAUTH_ANY_ROLE_MODE for the Snowflake security integration:
Alter Security Integration
ALTER SECURITY INTEGRATION snowflake_imp SET EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
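The JWKS-to-PEM conversion from the first step, written out with only the Python standard library so the key material that ends up in EXTERNAL_OAUTH_RSA_PUBLIC_KEY can be checked independently. This is an added example, not Dremio's code or the rsa-jwks-to-pem tool; the sample JWKS is constructed (not a real key) and the 2048-bit minimum is this example's own policy. It returns the bare Base64 body as well as the PEM, because Snowflake's reference for this parameter describes a Base64 key without the BEGIN/END lines.

```python
import base64

# DER for AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def _b64u_dec(s):
    # JWK fields are base64url without padding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _tlv(tag, body):
    # DER tag-length-value with short or long length form
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def _der_int(v):
    # The extra byte keeps the INTEGER positive when the top bit is set
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def jwk_to_spki_b64(jwk, min_bits=2048):
    """Return the Base64 SubjectPublicKeyInfo for one RSA JWK."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA keys can be used for this parameter")
    n = int.from_bytes(_b64u_dec(jwk["n"]), "big")
    e = int.from_bytes(_b64u_dec(jwk["e"]), "big")
    if n.bit_length() < min_bits:
        raise ValueError(f"modulus is only {n.bit_length()} bits")
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))
    spki = _tlv(0x30, RSA_ALG_ID + _tlv(0x03, b"\x00" + rsa_pub))
    return base64.b64encode(spki).decode()

def to_pem(b64):
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PUBLIC KEY-----", *lines, "-----END PUBLIC KEY-----"]) + "\n"

# Constructed sample: structurally valid 2048-bit modulus, NOT a real key
_n = ((1 << 2047) | 0x10001).to_bytes(256, "big")
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "constructed-1", "use": "sig",
                         "n": base64.urlsafe_b64encode(_n).rstrip(b"=").decode(),
                         "e": "AQAB"}]}

if __name__ == "__main__":
    for key in SAMPLE_JWKS["keys"]:
        print(key.get("kid"), to_pem(jwk_to_spki_b64(key)), sep="\n")
```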
Connect to Snowflake
- In the Dremio console, click Add Data on the Home page.
- In the Add Data dialog, select Snowflake.
- Configure the connection using the sections below, then click Save.
General
Perform these steps in the General tab:
- For Name, specify the name for the connection. The name cannot include the following special characters: /, :, [, or ].
- For Host, specify the Snowflake hostname in the format LOCATOR_ID.snowflakecomputing.com.
- For Port, enter the port number. The default port is 443.
The optional connection parameters are case-sensitive. For example, if the name of a warehouse uses uppercase only (e.g., WAREHOUSE1), specify it the same way in the Warehouse field.
- (Optional) For Database, specify the default database to use.
- (Optional) For Role, specify the default access-control role to use.
- (Optional) For Schema, specify the default schema to use.
- (Optional) For Warehouse, specify the warehouse that will provide resources for executing DML statements and queries.
- Under Authentication, you must choose one of the following authentication methods:
  - Login-password authentication:
    - For Username, enter your Snowflake username.
    - For Password, enter your Snowflake password.
  - Key-pair authentication (see Snowflake's key-pair documentation):
    - For Username, enter your Snowflake username.
    - For Private Key, enter your generated Snowflake private key in Privacy Enhanced Mail (PEM) format.
    - (Optional) For Private key passphrase, enter the passphrase if you are using an encrypted private key.
  - OAuth with impersonation: This allows Dremio users to authenticate via external OAuth and map to Snowflake roles securely. If you have not already, complete the steps in User Impersonation for configuring Snowflake with user impersonation.
    - Choose one of the two user impersonation role modes:
      - Any role: Allows users to assume any role they have access to in Snowflake.
      - User-defined role: Restricts users to specific predefined roles. The username configured in the Dremio connection must be present in the EXTERNAL_OAUTH_ALLOWED_ROLES_LIST specified in Step 2 under User Impersonation.
    - Set the JWT audience parameter to match Snowflake’s EXTERNAL_OAUTH_AUDIENCE_LIST. This ensures proper token validation and role mapping between Dremio and Snowflake.
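A local pre-flight check for the audience and issuer matching described above, as an added example (not Dremio's or Snowflake's code and not Snowflake's validation logic). It decodes a token's claims without verifying the signature and compares them with the values set on the security integration; the function names, the sample token and the URLs in it are constructed for illustration.

```python
import base64
import json
import time

def _b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def preflight(token, issuer, audiences, user_claim="sub", now=None):
    """List mismatches between a JWT's claims and the integration settings.

    issuer     -> value of EXTERNAL_OAUTH_ISSUER
    audiences  -> account URL plus EXTERNAL_OAUTH_AUDIENCE_LIST entries
    user_claim -> value of EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM
    The signature is NOT verified here; this only inspects claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a compact JWS (three dot-separated parts)"]
    claims = json.loads(_b64u_dec(parts[1]))
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not equal the configured issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])  # aud may be string or array
    if not set(aud) & set(audiences):
        problems.append(f"aud {aud!r} matches none of the accepted audiences")
    if not claims.get(user_claim):
        problems.append(f"claim {user_claim!r} is missing, so no user can be mapped")
    if claims.get("exp") is None or claims["exp"] <= now:
        problems.append("exp is missing or in the past")
    return problems

def make_sample_token(claims):
    # Constructed token for the example; the signature part is a placeholder
    head = _b64u_enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64u_enc(json.dumps(claims).encode())
    return ".".join([head, body, _b64u_enc(b"placeholder-signature")])

if __name__ == "__main__":
    tok = make_sample_token({"iss": "https://dremio.example/issuer", "aud": "wrong-audience",
                             "sub": "ALICE", "exp": int(time.time()) + 300})
    for p in preflight(tok, "https://dremio.example/issuer",
                       ["https://acct.example.snowflakecomputing.com", "dremio-aud"]):
        print("MISMATCH:", p)
```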
Advanced
On the Advanced Options page, you can set values for these options, all of which are optional:
| Option | Description |
|---|---|
| Maximum Idle Connections | The total number of connections allowed to be idle at a given time. The default is 8. |
| Connection Idle Time | The amount of time (in seconds) allowed for a connection to remain idle before the connection is terminated. The default is 60 seconds. |
| Query Timeout | The amount of time (in seconds) allowed to wait for the results of a query. If this time expires, the connection being used is returned to an idle state. |
Reflection Refresh
On the Reflection Refresh page, set the policy that controls how often Reflections are scheduled to be refreshed automatically, as well as the time limit after which Reflections expire and are removed.
| Option | Description |
|---|---|
| Never refresh | Select to prevent automatic Reflection refresh. The default is to refresh automatically. |
| Refresh every | How often to refresh Reflections, specified in hours, days or weeks. This option is ignored if Never refresh is selected. |
| Never expire | Select to prevent Reflections from expiring. The default is to expire automatically after the time limit below. |
| Expire after | The time limit after which Reflections expire and are removed from Dremio, specified in hours, days or weeks. This option is ignored if Never expire is selected. |
Metadata Options
On the Metadata page, you can configure settings to refresh metadata and handle datasets.
Dataset Handling
These are the optional Dataset Handling parameters.
| Parameter | Description |
|---|---|
| Remove dataset definitions if underlying data is unavailable | By default, Dremio removes dataset definitions if underlying data is unavailable. Useful when files are temporarily deleted and added back in the same location with new sets of files. |
Metadata Refresh
These are the optional Metadata Refresh parameters:
- Dataset Discovery: The refresh interval for fetching top-level object names such as databases and tables. Set the time interval using this parameter.

| Parameter | Description |
|---|---|
| (Optional) Fetch every | You can choose to set the frequency to fetch object names in minutes, hours, days, or weeks. The default frequency is 1 hour. |

- Dataset Details: The metadata that Dremio needs for query planning such as information required for fields, types, shards, statistics, and locality. These are the parameters to fetch the dataset information.

| Parameter | Description |
|---|---|
| Fetch mode | You can choose to fetch only from queried datasets, which is set by default. Dremio updates details for previously queried objects. Fetching from all datasets is deprecated. |
| Fetch every | You can choose to set the frequency to fetch dataset details in minutes, hours, days, or weeks. The default frequency is 1 hour. |
| Expire after | You can choose to set the expiry time of dataset details in minutes, hours, days, or weeks. The default expiry time is 3 hours. |
Privileges
This connection inherits privileges from Project settings. To grant specific users or roles additional privileges in this connection:
- Enter the username or role name that you want to grant access to and click the Add to Privileges button. The added user or role is displayed in the USERS/ROLES table.
- For the users or roles in the USERS/ROLES table, toggle the checkmark for each privilege you want to grant on the Dremio source that is being created.
- Click Save after setting the configuration.
See Privileges for additional information about privileges.
Edit a Snowflake Connection
- On the Open Catalog page, under Connections, right-click the connection and select Settings.
- Update the connection configuration as needed.
- Click Save.
Delete a Snowflake Connection
- On the Open Catalog page, under Connections, right-click the connection and select Delete.
- Click Delete to confirm.
Predicate Pushdowns
These operations and functions are performed by Snowflake warehouses:
||, AND, OR
+, -, /, *
<=, <, >, >=, =, <>, !=
ABS
ADD_MONTHS
AVG
BETWEEN
CASE
CAST
CEIL
CEILING
CHARACTER_LENGTH
CHAR_LENGTH
COALESCE
CONCAT
COUNT
COUNT_DISTINCT
COUNT_DISTINCT_MULTI
COUNT_FUNCTIONS
COUNT_MULTI
COUNT_STAR
DATE_ADD
DATE_SUB
DATE_TRUNC
DATE_TRUNC_DAY
DATE_TRUNC_HOUR
DATE_TRUNC_MINUTE
DATE_TRUNC_MONTH
DATE_TRUNC_QUARTER
DATE_TRUNC_WEEK
DATE_TRUNC_YEAR
DAYOFMONTH
DAYOFWEEK
DAYOFYEAR
EXTRACT
FLOOR
ILIKE
IN
IS DISTINCT FROM
IS NOT DISTINCT FROM
IS NOT NULL
IS NULL
LAST_DAY
LEFT
LENGTH
LIKE
LOCATE
LOWER
LPAD
LTRIM
MAX
MEDIAN
MIN
MOD
NOT
PERCENT_CONT
PERCENT_DISC
PERCENT_RANK
POSITION
REGEXP_LIKE
REPLACE
REVERSE
RIGHT
ROUND
RPAD
RTRIM
SIGN
SQRT
STDDEV
STDDEV_POP
STDDEV_SAMP
SUBSTR
SUBSTRING
SUM
TO_CHAR
TO_DATE
TRIM
TRUNC
TRUNCATE
UPPER