Snowflake
Last updated
Was this helpful?
Last updated
Was this helpful?
CARTO can connect to your Snowflake Data Warehouse, allowing you to use your data for building Maps and Workflows. There are three methods available for connecting to Snowflake:
OAuth: Users authenticate into Snowflake using their individual Snowflake credentials, generating an access token for each user. This is the recommended setup, but it needs to be configured by an admin first.
Key-pair: This method requires generating an RSA key pair, where the public key is registered with your Snowflake user account (or service account) and the private key is securely stored in CARTO. Both keys are then used to establish a secure connection to Snowflake. This method provides enhanced security compared to username/password authentication.
Username and password: CARTO will use these credentials to impersonate that user or service account. This is the quickest method to connect to Snowflake.
Snowflake is planning to phase out simple username/password authentication. We strongly suggest considering using key-pair authentication instead.
CARTO is a fully cloud-native platform that runs queries on your behalf to power maps, workflows, etc. We never create or maintain any copies of your data.
CARTO supports connecting to Snowflake with OAuth using one of the following options:
Initial setup required
To connect to Snowflake using OAuth, the organization admin must first set up a Snowflake OAuth integration in CARTO. Once this is done, OAuth for Snowflake will be available to all users within the organization. Read more about setting up a Snowflake OAuth integration.
To connect to Snowflake using OAuth, simply click on Setup connection with OAuth. This will initiate an authentication flow where you can enter your individual credentials. Once authenticated, you will be asked to provide consent for CARTO to access your Snowflake data on your behalf.
If the OAuth connection is successful, you'll be taken to a form where the Snowflake user and Account name are already pre-filled. To complete the connection setup, provide the following details:
Connection name: To identify the connection in CARTO.
Database: The Snowflake database your connection will use when running queries.
Warehouse (optional): The Snowflake warehouse your connection will use when running queries. This parameter is optional.
Once you provide these details, the Connect button at the top right corner will become enabled. Click it and CARTO will validate your setup. If the setup is correct and the connection is successful, the connection will be added to the workspace and you can start using it right away.
OAuth connections are tied to an individual's personal credentials. They can be shared, but other users must authenticate using their own credentials to gain access. For more information, see Requiring viewer credentials on shared connections.
Connections to Snowflake using OAuth can be set up to require viewer credentials. This means that when the connection is shared, other users trying to access it will have to provide their own credentials to use it, instead of using the credentials of the user that created the connection.
For more information, see Requiring viewing credentials for shared connections.
CARTO supports using Key-pair authentication and key rotation for Snowflake connections. This method is considered to be a better alternative to basic username/password authentication since it provides more robust security in comparison.
To connect to Snowflake using key-pair, follow the steps below. A more detailed breakdown of these steps and more information about Snowflake's key pair authentication in general can be found in Snowflake's official documentation:
Generate a private key
The first step is to generate a private RSA key. CARTO supports both unencrypted and encrypted private keys, although the latter is recommended.
Encrypted private keys are protected with a passphrase, which is used for protecting the private key and will never be sent to Snowflake. Use this command in your terminal to generate a private key:
After pressing enter, a new key will be created in the directory where you ran the command. You will also need to establish a passphrase for the key, since this is an encrypted key. Store it as you will need it later. The resulting key will look something like this:
Generate a public key
Next, you need to generate a public key. You can do so from your terminal by referencing your private key. The following command assumes the private key is encrypted and contained in the file named rsa_key.p8 created in the step before:
The resulting key will look like this:
Assign the public key to a Snowflake user
Once you have created the key pair, the public key needs to be associated with your Snowflake user (or the service account). Copy the public key created in the step above and use it in the following command in your Snowflake terminal:
Make sure to exclude the public key delimiters (-----BEGIN PUBLIC KEY-----) in the command above. Only owners of a user, or users with the SECURITYADMIN role or higher can alter a user.
Create the key-pair connection in CARTO
Lastly, create the connection in CARTO from the connection settings, selecting key-pair as an option under the Snowflake card.
Make sure to paste the entire private key (including its delimiters) in the box. If you're using an encrypted key, you'll also need to enter the passphrase. For the account name, you can either enter your Snowflake account identifier or your complete Account URL (e.g., https://test.west-us-2.azure.snowflakecomputing.com).
Click connect to validate the setup and create the connection.
CARTO users with a Snowflake key-pair connection can choose to rotate keys periodically for additional security. To do so, simply click the Change private key button in the connection settings to replace the private key (and passphrase, if used). Please note that the new key must be associated with the existing public key that you have established in Snowflake.
CARTO supports connecting to Snowflake with the username and password of a user or a service account. These are the parameters you need to provide:
Snowflake is planning to phase out simple username/password authentication. We strongly suggest considering using OAuth or key-pair authentication instead.
Connection name: To identify the connection in CARTO.
Username
Password
Account name: The Snowflake account identifier, following this format: <account_name>.snowflakecomputing.com. Alternatively, you can provide the full Account URL here (i.e. https://test.us-east-2.aws.snowflakecomputing.com).
Warehouse (optional): The Snowflake warehouse your connection will use when running queries. This parameter is optional.
Database: The Snowflake database your connection will use when running queries.
Role: The Snowflake role your connection will use when running queries.
Once you provide these details, the Connect button at the top right corner will become enabled. Click it and CARTO will validate your setup. If the setup is correct and the connection is successful, the connection will be added to the workspace and you can start using it right away.
Analytics Toolbox location: This setting controls the location of the Analytics Toolbox used in SQL queries generated by Workflows components, Builder SQL Analyses, 'Create Tileset', 'Geocode Table' and 'Enrich Data' functionalities.
By default, CARTO.CARTO will be used.
Data Observatory location: This settings controls the location of the Data Observatory subscriptions. This setting will be observed by Data Explorer, Workflows and Enrichment to access your data subscriptions.
By default, CARTO-DATA.CARTOwill be used.
Workflows temp. location: This setting controls the location (DATABASE.SCHEMA) where Workflows will create temporal tables for each node. By default, it's a WORKFLOWS_TEMP schema that will be created in the connection's project during the execution of a workflow. Learn more about it here.
Max number of concurrent queries: This setting controls the maximum number of simultaneous queries that CARTO will send to Snowflake using this connection.
Max query timeout: This setting controls the maximum allowed duration of queries that CARTO runs in Snowflake using this connection.
Restrict this connection to only use Named Sources: When this setting is enabled, this connection will only work within apps that use Named Sources, and it will NOT work in Data Explorer, Builder and Workflows. This prevents the usage of arbitrary SQL in applications for this connection.
If you're using the cloud version of CARTO (SaaS), CARTO will connect to Snowflake using a set of static IPs for each region. Check this guide to find the IPs you need to allow for your specific region.
