Skip to Content
DocumentationSnowflakeConnection Setup

Connection Setup

Etleap connects to your Snowflake database using a JDBC driver. Etleap can use an existing Snowflake database and warehouse.

If you’d like to create a new database or warehouse for Etleap, refer to Snowflake’s CREATE DATABASE  and CREATE WAREHOUSE  documentation.

Create a Database User

To create a user that will allow Etleap to connect to your database via key-pair authentication , follow the steps below.

Connect with Key-Pair Authentication

Key-pair authentication is recommended when setting up a new Snowflake destination to prepare for Snowflake’s upcoming multi-factor authentication (MFA) enforcement .

  1. In your command line, generate a private key for your account. This key will be used during connection setup later.

    • To create an unencrypted private key, run the following command: 
      openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out snowflake_etleap_key.p8 -nocrypt
    • To create an encrypted private key with a passphrase, run the following command: 
      openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out snowflake_etleap_key.p8
      Take note of your passphrase as this will be used later in steps 2 and 9.

  2. In your command line, generate the corresponding public key. If you created your private key with a passphrase in step 1, you will be prompted to provide it here.

    openssl rsa -in snowflake_etleap_key.p8 -pubout -out snowflake_etleap_key.pub

  3. Create a new user in Snowflake for the Etleap connection and assign the public key you generated in step 2. Replace <PUBLIC_KEY_GENERATED> with your public key, excluding any delimiters and metadata tags.

    CREATE USER <user_name> RSA_PUBLIC_KEY = '<PUBLIC_KEY_GENERATED>';

  4. [Optional] Set the user as a SERVICE user.

    ALTER USER <user_name> SET TYPE = 'SERVICE';

  5. Grant the user access to a role that you want to use for Etleap’s privileges. You may want to create a specific role for this.

    CREATE ROLE <role_name>;
GRANT ROLE <role_name> TO USER <user_name>;

  6. Grant USAGE permission on the warehouse.

    GRANT USAGE ON WAREHOUSE <warehouse_name> TO ROLE <role_name>;

  7. Grant the following permissions on the database.

    GRANT CREATE SCHEMA, USAGE ON DATABASE <database_name> TO ROLE <role_name>;

  8. Grant ALL on the schemas that you plan to load to.

    GRANT ALL ON SCHEMA <schema_name> TO ROLE <role_name>;

  9. Select Key-Pair Authentication when creating a Snowflake connection in Etleap. When asked, enter the private key from the snowflake_etleap_key.p8 file you generated earlier and your encryption passphrase if applicable. Snowflake Key Pair Authentication.png

  10. [Optional - Key Pair Rotation] Snowflake allows you to associate two public keys with a user simultaneously using the RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2 parameters, facilitating key pair rotation . To use key pair rotation with Etleap, follow the steps below:

    • Generate a new private and public key set using the above commands.
    • Assign the new public key to the Snowflake user using the parameter that is not currently in use (either RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2). For example: 
        ALTER USER <SNOWFLAKE_USER_FOR_ETLEAP> SET RSA_PUBLIC_KEY_2='<PUBLIC_KEY_GENERATED>';
    • Update the private key and passphrase (optional) in Etleap. snowflake update private key.png
    • Remove the old public key from the user profile in Snowflake. 
        ALTER USER <SNOWFLAKE_USER_FOR_ETLEAP> UNSET RSA_PUBLIC_KEY;

Connect with Password Authentication

Please note that connections created this way will eventually need to be converted to use key-pair authentication with a SERVICE user type to align with phase 3 of Snowflake’s MFA enforcement for password authentication .

  1. Create a new user in your database for the Etleap connection. The <user_name> and <password> values will be needed when creating the connection in Etleap. 
    CREATE USER <user_name> PASSWORD = '<password>' TYPE = 'LEGACY_SERVICE';
  2. Grant the user access to a role that you want to use for Etleap’s privileges. You may want to create a specific role for this. 
    CREATE ROLE <role_name>;
GRANT ROLE <role_name> TO USER <user_name>;
  3. Grant USAGE permission on the warehouse. 
    GRANT USAGE ON WAREHOUSE <warehouse_name> TO ROLE <role_name>;
  4. Grant the following permissions on the database. 
    GRANT CREATE SCHEMA, USAGE ON DATABASE <database_name> TO ROLE <role_name>;
  5. Grant ALL on the schemas that you plan to load to. 
    GRANT ALL ON SCHEMA <schema_name> TO ROLE <role_name>;
Note

If your Snowflake cluster has network policies limiting access by IP addresses, Etleap’s IP addresses can be found in IP Whitelisting.

Note

Connecting to Snowflake via AWS PrivateLink  is only available for Snowflake accounts that have a Business Critical  plan or higher.

If you would prefer to connect to Snowflake via AWS PrivateLink, follow the steps below.

  1. To enable PrivateLink in your Snowflake account , contact Snowflake Support , and ask them to authorize the following AWS account ID: 223848809711.

  2. Snowflake will provide you with a VPC Endpoint Service ID. Send this to Etleap along with the result of the following query:

    SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

  3. Upon receiving the information from the step above, Etleap support will send over the VPC Endpoint ID.

  4. Provide the Endpoint ID to Snowflake support to allow them to accept the request and establish the link.

    Note

    Setting up PrivateLink must be done using the ACCOUNTADMIN system role.

Type MappingsType Mappings