Snowflake

Last updated 2 months ago

CARTO can connect to your Snowflake Data Warehouse, allowing you to use your data for building Maps and Workflows. There are three methods available for connecting to Snowflake:

  • OAuth: Users authenticate into Snowflake using their individual Snowflake credentials, generating an access token for each user. This is the recommended setup, but it needs to be configured by an Admin first.

  • Key-pair: This method requires generating an RSA key pair, where the public key is registered with your Snowflake user account (or service account) and the private key is securely stored in CARTO. Both keys are then used to establish a secure connection to Snowflake. This method is ideal for developing custom applications and using service accounts.

  • Username and password: CARTO will use these credentials to impersonate that user or service account. This is the quickest method to connect to Snowflake, but it provides less security compared to OAuth or Key-pair.

Snowflake is planning to phase out basic username/password authentication. We strongly suggest using key-pair or OAuth authentication instead.

CARTO is a fully cloud-native platform that runs queries on your behalf to power maps, workflows, etc. We never create or maintain any copies of your data.


Connecting to Snowflake via OAuth

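CARTO supports connecting to Snowflake with OAuth using one of the following options:

  • Snowflake OAuth

  • External OAuth

OAuth connections are tied to an individual's personal credentials. They can be shared, but other users must authenticate using their own credentials to gain access. For more information, see Requiring viewer credentials on shared connections.

Initial setup required

To connect to Snowflake using OAuth, an organization Admin must first set up a Snowflake OAuth integration in CARTO. Once this is done, OAuth for Snowflake will be available to all users within the organization.

To connect to Snowflake using OAuth, click on Setup connection with OAuth. This will initiate an authentication flow where you can enter your individual credentials. Once authenticated, you will be asked to provide consent for CARTO to access your Snowflake data on your behalf.

Figure: Requesting consent when setting up a Snowflake OAuth connection. This consent would be done via Azure AD, Okta or any other identity provider if External OAuth was configured instead.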

If the OAuth connection is successful, you'll be taken to a form where the Snowflake user and Account name are already pre-filled. To complete the connection setup, provide the following details:

  • Connection name: To identify the connection in CARTO.

  • Database: The Snowflake database your connection will use when running queries.

  • Warehouse (optional): The Snowflake warehouse your connection will use when running queries. This parameter is optional.

Once you provide these details, the Connect button at the top right corner will become enabled. Click it and CARTO will validate your setup. If the setup is correct and the connection is successful, the connection will be added to the workspace and you can start using it right away.

Requiring viewer credentials

Connections to Snowflake using OAuth can be set up to require viewer credentials. This means that when the connection is shared, other users trying to access it will have to provide their own credentials to use it, instead of using the credentials of the user that created the connection. For more information, see Requiring viewing credentials for shared connections.


Connecting to Snowflake using Key-pair authentication

CARTO supports key-pair authentication and key rotation for Snowflake connections. This method provides more robust security than basic username/password authentication.

To connect to Snowflake using key-pair authentication, follow the steps below. A more detailed breakdown of these steps, and more information about Snowflake's key-pair authentication in general, can be found in Snowflake's official documentation: Key-pair authentication and key-pair rotation | Snowflake Documentation.

  1. Generate a private key

The first step is to generate a private RSA key. CARTO supports both unencrypted and encrypted private keys, although the latter is recommended.

Encrypted private keys are protected with a passphrase, which is never sent to Snowflake. Use this command in your terminal to generate an encrypted private key:

openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8

The command prompts you to set a passphrase, since this is an encrypted key, and creates the new key in the directory where you ran it. Store the passphrase, as you will need it later. The resulting key will look something like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6T...
-----END ENCRYPTED PRIVATE KEY-----

  2. Generate a public key

Next, you need to generate a public key. You can do so from your terminal by referencing your private key. The following command assumes the private key is encrypted and contained in the file named rsa_key.p8 created in the previous step:

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

The resulting key will look like this:

-----BEGIN PUBLIC KEY-----
MIIBIj...
-----END PUBLIC KEY-----

  3. Assign the public key to a Snowflake user

Once you have created the key pair, the public key needs to be associated with your Snowflake user (or the service account). Copy the public key created in the step above and use it in the following command in your Snowflake terminal:

ALTER USER snowflake_user SET RSA_PUBLIC_KEY='MIIBIjANBgkqh...';

Make sure to exclude the public key delimiters (-----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----) in the command above. Only owners of a user, or users with the SECURITYADMIN role or higher, can alter a user.

  4. Create the key-pair connection in CARTO

Lastly, create the connection in CARTO from the connection settings, selecting key-pair as an option under the Snowflake card.

Make sure to paste the entire private key (including its delimiters) in the box. If you're using an encrypted key, you'll also need to enter the passphrase. For the account name, you can either enter your Snowflake account identifier or your complete Account URL (e.g., https://test.west-us-2.azure.snowflakecomputing.com).

Click Connect to validate the setup and create the connection.

Key-pair rotation

CARTO users with a Snowflake key-pair connection can choose to rotate keys periodically for additional security. To do so, simply click the Change private key button in the connection settings to replace the private key (and passphrase, if used). Please note that the new key must be associated with the existing public key that you have established in Snowflake.
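
The key-pair steps and the rotation requirement above as a non-interactive script, added here as an example (not CARTO's or Snowflake's code): it reads the passphrase from an environment variable, builds the ALTER USER statement without the delimiters, and checks that a private key belongs to the registered public key. The function names and the KEY_PASS variable are assumptions; RSA_PUBLIC_KEY_FP is the fingerprint property that Snowflake's DESC USER reports.

```shell
#!/bin/sh
# Added example, not CARTO's or Snowflake's code. Function names and KEY_PASS
# are hypothetical; the openssl invocations follow the steps on this page.
set -eu

# Step 1: encrypted PKCS#8 private key. The passphrase is read from the
# environment variable named in $2, so it stays out of argv and shell history.
gen_private_key() {      # gen_private_key <out.p8> <PASS_ENV_VAR>
  ( umask 077            # key file readable by its owner only
    openssl genrsa 2048 2>/dev/null |
      openssl pkcs8 -topk8 -v2 des3 -inform PEM -out "$1" -passout "env:$2" )
}

# Step 2: derive the public key from the private key.
derive_public_key() {    # derive_public_key <in.p8> <PASS_ENV_VAR> <out.pub>
  openssl rsa -in "$1" -passin "env:$2" -pubout -out "$3" 2>/dev/null
}

# Step 3: public key body on one line, delimiters removed.
pubkey_body() {          # pubkey_body <key.pub>
  grep -v '^-----' "$1" | tr -d '\r\n'
}

# Step 3: the ALTER USER statement. The user name is interpolated into SQL,
# so only a plain unquoted identifier is accepted.
alter_user_sql() {       # alter_user_sql <snowflake_user> <key.pub>
  case $1 in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
      echo "refusing identifier: $1" >&2; return 1 ;;
  esac
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$1" "$(pubkey_body "$2")"
}

# SHA-256 fingerprint of the DER public key, in the SHA256:<base64> form that
# Snowflake reports as RSA_PUBLIC_KEY_FP in the output of DESC USER.
pubkey_fingerprint() {   # pubkey_fingerprint <key.pub>
  printf 'SHA256:%s\n' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Rotation check: does this private key belong to the registered public key?
# Returns 0 on match, 1 on mismatch, 2 if the key or passphrase is unusable.
key_matches() {          # key_matches <key.p8> <PASS_ENV_VAR> <key.pub>
  openssl pkey -in "$1" -passin "env:$2" -noout 2>/dev/null || return 2
  derived=$(openssl rsa -in "$1" -passin "env:$2" -pubout -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64)
  [ "SHA256:$derived" = "$(pubkey_fingerprint "$3")" ]
}

# Demo, run as: KEY_PASS='...' sh keypair_check.sh demo
if [ "${1:-}" = demo ]; then
  : "${KEY_PASS:?set KEY_PASS to the key passphrase first}"
  export KEY_PASS
  dir=$(mktemp -d)
  gen_private_key "$dir/rsa_key.p8" KEY_PASS
  derive_public_key "$dir/rsa_key.p8" KEY_PASS "$dir/rsa_key.pub"
  alter_user_sql snowflake_user "$dir/rsa_key.pub"
  pubkey_fingerprint "$dir/rsa_key.pub"
  key_matches "$dir/rsa_key.p8" KEY_PASS "$dir/rsa_key.pub" && echo "key pair matches"
fi
```

Comparing the pubkey_fingerprint output with the RSA_PUBLIC_KEY_FP value from DESC USER confirms which public key Snowflake holds before you replace the private key in CARTO.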


Connecting to Snowflake with Username and Password

Snowflake is planning to phase out simple username/password authentication. We strongly suggest considering using OAuth or key-pair authentication instead.

CARTO supports connecting to Snowflake with the username and password of a user or a service account. These are the parameters you need to provide:

  • Connection name: To identify the connection in CARTO.

  • Account name: The Snowflake account identifier, following this format: <account_name>.snowflakecomputing.com. Alternatively, you can provide the full Account URL here (e.g. https://test.us-east-2.aws.snowflakecomputing.com).

  • Username

  • Password

  • Warehouse (optional): The Snowflake warehouse your connection will use when running queries. This parameter is optional.

  • Database: The Snowflake database your connection will use when running queries.

  • Role: The Snowflake role your connection will use when running queries.

Once you provide these details, the Connect button at the top right corner will become enabled. Click it and CARTO will validate your setup. If the setup is correct and the connection is successful, the connection will be added to the workspace and you can start using it right away.


Advanced options

  • Analytics Toolbox location: This setting controls the location of the Analytics Toolbox used in SQL queries generated by Workflows components, Builder SQL Analyses, 'Create Tileset', 'Geocode Table' and 'Enrich Data' functionalities. By default, CARTO.CARTO will be used.

  • Data Observatory location: This setting controls the location of the Data Observatory subscriptions. This setting will be observed by Data Explorer, Workflows and Enrichment to access your data subscriptions. By default, CARTO-DATA.CARTO will be used.

  • Max number of concurrent queries: This setting controls the maximum number of simultaneous queries that CARTO will send to Snowflake using this connection.

  • Max query timeout: This setting controls the maximum allowed duration of queries that CARTO runs in Snowflake using this connection.

  • Workflows temp. location: This setting controls the location (DATABASE.SCHEMA) where Workflows will create temporary tables for each node. By default, it's a WORKFLOWS_TEMP schema that will be created in the connection's project during the execution of a workflow.

  • Restrict this connection to only use Named Sources: When this setting is enabled, this connection will only work within apps that use Named Sources, and it will NOT work in Data Explorer, Builder and Workflows. This prevents the usage of arbitrary SQL in applications for this connection.

IP Whitelisting

If you're using the cloud version of CARTO (SaaS), CARTO will connect to Snowflake using a set of static IPs for each region. Check this guide to find the IPs you need to allow for your specific region.