Setup

Grant Metadata Access

The Snowflake integration setup already includes the required SNOWFLAKE.SECURITY_VIEWER grant for reading role and grant metadata. Make sure the integration is configured before continuing.

Grants Management

The data plane applies grants in Snowflake on Ryft's behalf using Workload Identity Federation (WIF), a passwordless mechanism that lets the Ryft AWS IAM role authenticate directly to Snowflake without any stored credentials. Use the SQL snippet below to create the grant-management role and the WIF service user. Before running it, populate the following parameters:
  • ryft_role_manager_name - name for the Ryft grant management role
  • ryft_wif_username - name for the WIF service user
  • ryft_aws_role_arn - ARN of the Ryft data plane IAM role (provided by Ryft)
Run the following commands as an account admin:
-- Parameters: set these three values before running the rest of the script.
set ryft_role_manager_name = 'RYFT_ROLE_MANAGER';
set ryft_wif_username = 'RYFT_WIF_USER';
set ryft_aws_role_arn = '<arn:aws:iam::<account>:role/Ryft-DataPlaneRole>';  -- full ARN supplied by Ryft

USE ROLE ACCOUNTADMIN;

-- Grant-management role. MANAGE GRANTS lets it grant and revoke privileges on objects it
-- does not own; CREATE ROLE lets it create the roles it manages. It gets no data access.
CREATE ROLE IF NOT EXISTS identifier($ryft_role_manager_name);
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE identifier($ryft_role_manager_name);
GRANT CREATE ROLE ON ACCOUNT TO ROLE identifier($ryft_role_manager_name);

-- Service user that can only authenticate via the AWS IAM role (no password, no key pair).
CREATE USER identifier($ryft_wif_username)
  WORKLOAD_IDENTITY = (TYPE = AWS ARN = $ryft_aws_role_arn)
  TYPE = SERVICE
  DEFAULT_ROLE = PUBLIC;

-- Bind the user to the role and make that role the default for its sessions.
GRANT ROLE identifier($ryft_role_manager_name) TO USER identifier($ryft_wif_username);
ALTER USER identifier($ryft_wif_username) SET DEFAULT_ROLE = $ryft_role_manager_name;
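As an added verification and audit script (not part of the Ryft snippet above), the statements below confirm that the role and user came out least-privilege and show what the data plane has changed since. They assume the three session variables are still set in the current session and that the role you run them as can read SNOWFLAKE.ACCOUNT_USAGE.

```sql
USE ROLE ACCOUNTADMIN;

-- 1. Account-level privileges of the grant-manager role.
--    Anything beyond MANAGE GRANTS and CREATE ROLE is drift: expect zero rows.
SHOW GRANTS TO ROLE identifier($ryft_role_manager_name);
SELECT "privilege", "granted_on", "name", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" = 'ACCOUNT'
   AND "privilege" NOT IN ('MANAGE GRANTS', 'CREATE ROLE');

-- 2. Roles held by the service user.
--    Only the grant-manager role should be granted: expect zero rows.
SHOW GRANTS TO USER identifier($ryft_wif_username);
SELECT "role", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "role" <> $ryft_role_manager_name;

-- 3. The service user must be TYPE = SERVICE with no password or key pair,
--    so WIF is its only way in. Expect TYPE = SERVICE and unset credentials.
DESCRIBE USER identifier($ryft_wif_username);
SELECT "property", "value"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "property" IN ('TYPE', 'DEFAULT_ROLE', 'PASSWORD',
                      'RSA_PUBLIC_KEY', 'RSA_PUBLIC_KEY_2');

-- 4. Standing grants the data plane has created (granted_by = its role).
--    ACCOUNT_USAGE views lag by up to about 45 minutes.
SELECT created_on, privilege, granted_on, name, grantee_name
  FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
 WHERE granted_by = $ryft_role_manager_name
   AND deleted_on IS NULL
 ORDER BY created_on DESC;

-- 5. Privilege-changing statements the service user issued in the last 7 days.
SELECT start_time, role_name, query_type, query_text
  FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
 WHERE user_name = $ryft_wif_username
   AND query_type IN ('GRANT', 'REVOKE')
   AND start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
 ORDER BY start_time DESC;
```

Steps 1 to 3 should be re-run after any change to the integration; steps 4 and 5 are suited to a scheduled review of what the data plane is doing with its MANAGE GRANTS privilege.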

Prerequisites

SCIM Integration

Ryft enforces access policies using IdP group names. For Snowflake to recognize these groups and correctly evaluate group-based role assignments, a SCIM integration must be active between your IdP and Snowflake. This keeps group memberships synchronized so that the grants Ryft applies take effect as expected. See the Snowflake SCIM documentation for setup instructions.

Network Connectivity

The Ryft data plane Lambda runs in your BYOC AWS account and connects to Snowflake over the network.

AWS PrivateLink (recommended)

PrivateLink keeps all traffic on the AWS network, with no exposure to the public internet. Note that PrivateLink requires the Business Critical edition of Snowflake. To set this up:
  1. Enable PrivateLink on your Snowflake account
  2. Ryft creates a VPC endpoint in your BYOC account targeting the Snowflake PrivateLink endpoint
If PrivateLink is not an option for your setup, please reach out to your Ryft representative to discuss alternatives.