> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ryft.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Snowflake

> Connect Snowflake to Ryft by creating a dedicated user, role, and warehouse. Grant permissions for query history and Iceberg metadata access.

### Creating the User and Role

Please use the SQL snippet below to create a user for Ryft. Before using the snippet, you will need to populate the following parameters:

* `ryft_username`
* `ryft_warehouse_size`
* `ryft_warehouse_name`
* `ryft_role_name`

Run the following commands as an account admin:

```sql theme={null}
set ryft_username='RYFT';
set ryft_warehouse_size='XSMALL';
set ryft_warehouse_name='RYFT_WH';
set ryft_role_name='RYFT_ROLE';

USE ROLE ACCOUNTADMIN;

CREATE WAREHOUSE IF NOT EXISTS identifier($ryft_warehouse_name) WAREHOUSE_SIZE=$ryft_warehouse_size INITIALLY_SUSPENDED=TRUE
    AUTO_SUSPEND = 1 AUTO_RESUME = TRUE;

-- Create Ryft role
CREATE ROLE IF NOT EXISTS identifier($ryft_role_name);

-- Create Ryft user
CREATE USER IF NOT EXISTS identifier($ryft_username) DEFAULT_ROLE=$ryft_role_name TYPE=SERVICE;
GRANT ROLE identifier($ryft_role_name) TO USER identifier($ryft_username);

-- Grant permissions to the WH
GRANT USAGE ON WAREHOUSE identifier($ryft_warehouse_name) TO ROLE identifier($ryft_role_name);

-- Grant privileges to allow access to query history and metadata
GRANT IMPORTED PRIVILEGES ON DATABASE "SNOWFLAKE" TO ROLE identifier($ryft_role_name);
GRANT MONITOR ON ACCOUNT TO ROLE identifier($ryft_role_name);

-- Grant privileges to to audit the current access state
GRANT DATABASE ROLE SNOWFLAKE.SECURITY_VIEWER TO ROLE identifier($ryft_role_name);
```

### Creating a key-pair for the service user

Follow Snowflake's key-pair [authentication guide](https://docs.snowflake.com/en/user-guide/key-pair-auth#generate-the-private-key) to create a private and public key for the service user you just created.

* The private key will be needed during the onboarding.
* Ryft supports using an encrypted or unencrypted private key.

Use this SQL command to assign the public key to the service user in Snowflake:

```jsx theme={null}
ALTER USER identifier($ryft_username) SET RSA_PUBLIC_KEY='<pub key>';
```

<aside>
  💡

  Exclude the public key delimiters in the SQL statement

  When you generate the public key the output will be in PEM format and look like:

  ```
  -----BEGIN PUBLIC KEY-----
  MIIBIj...
  -----END PUBLIC KEY-----
  ```

  In the SQL command do not include the delimiters:

  ```jsx theme={null}
  ALTER USER ($ryft_username) SET RSA_PUBLIC_KEY='MIIBIj...';
  ```
</aside>

### Providing user credentials during onboarding:

* **User**: The name of the user created, ***RYFT*** by default
* **Private key** and optional **Private key passphrase** for the encrypted private key
* **Account**: This would be the part that precedes *snowflakecomputing.com* in your Snowflake console URL. For example, if you use the URL [*https://xyz12345.us-east-1.snowflakecomputing.com/*](https://xyz12345.us-east-1.snowflakecomputing.com/) to access Snowflake, your account name will be `xyz12345.us-east-1`
* **Organization** - your snowflake organization ID
* **Warehouse**: Please provide the name of the warehouse you chose (default: ***RYFT\_WH***).
* **Role** - Please provide the name of the role you chose (default: **RYFT\_ROLE**)

### IP Access Lists

If you are restricting network access to specific IP addresses, please allow the following IP addresses:

```
18.211.150.201
52.45.62.176
35.174.30.119
```