Snowflake Setup

This guide connects Snowflake to Klairr. The connection uses the SQL API v2 over HTTPS with a dedicated read-only role — Klairr never has write access to your data and never requires a native Node driver on your side.

Prerequisites

• A Snowflake account, including the region segment (e.g. xy12345.us-east-1).
• An admin who can CREATE ROLE and GRANT privileges (typically SECURITYADMIN or ACCOUNTADMIN).
• A virtual warehouse Klairr can USE for queries.
• Snowflake Standard, Enterprise, or Business Critical edition. (Standard supports password auth; key-pair auth requires Enterprise+.)

Choose a connection method

Choose an authentication method

The setup form today exposes password auth; key-pair auth is provisioned via support during onboarding for production rollouts. Documenting the path here so you can plan the production cutover from day one.

Step 1: Provision a read-only role

Run as SECURITYADMIN (or another role that can manage roles + grants):

USE ROLE SECURITYADMIN;

-- Role.
CREATE ROLE ANALYTICS_READ_ONLY;

-- Compute.
GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE ANALYTICS_READ_ONLY;

-- Catalogue access.
GRANT USAGE ON DATABASE ANALYTICS                         TO ROLE ANALYTICS_READ_ONLY;
GRANT USAGE ON SCHEMA   ANALYTICS.PUBLIC                  TO ROLE ANALYTICS_READ_ONLY;

-- Read on existing + future tables and views.
GRANT SELECT ON ALL TABLES    IN SCHEMA ANALYTICS.PUBLIC TO ROLE ANALYTICS_READ_ONLY;
GRANT SELECT ON ALL VIEWS     IN SCHEMA ANALYTICS.PUBLIC TO ROLE ANALYTICS_READ_ONLY;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.PUBLIC TO ROLE ANALYTICS_READ_ONLY;
GRANT SELECT ON FUTURE VIEWS  IN SCHEMA ANALYTICS.PUBLIC TO ROLE ANALYTICS_READ_ONLY;

-- User.
CREATE USER KLAIRR_READER
  PASSWORD       = '<password>'
  DEFAULT_ROLE   = ANALYTICS_READ_ONLY
  DEFAULT_WAREHOUSE = ANALYTICS_WH;

GRANT ROLE ANALYTICS_READ_ONLY TO USER KLAIRR_READER;

The role gets USAGE on warehouse + database + schema and SELECT on tables and views — the minimum surface for read-only analytics. Klairr does not request OPERATE, MODIFY, CREATE, OWNERSHIP, IMPORTED PRIVILEGES, or admin grants.

If you can’t provision a strict read-only role, see “Allow writable role” below.

Step 2: (Recommended) Restrict the role’s network access

Snowflake network policies attach to a user OR a role. Restricting to Klairr’s egress range is one extra line of defence:

USE ROLE SECURITYADMIN;
CREATE NETWORK POLICY KLAIRR_EGRESS
  ALLOWED_IP_LIST = ('<klairr egress range — see Network Access>');
ALTER USER KLAIRR_READER SET NETWORK_POLICY = KLAIRR_EGRESS;

Step 3: Add the connector in Klairr

Open Settings → Connectors → Add connector, pick Snowflake, and enter:

Setup tests

When you click Connect, Klairr runs the following checks. Each failure maps to the troubleshooting entry below.

1. Account identifier shape — the <account>.<region> form parses correctly.
2. Authentication — the user can log in with the supplied password.
3. Role assumption — the user has been granted the role and can USE ROLE.
4. Warehouse + database + schema reachable — the role has USAGE on each.
5. Read access — the role can SELECT from at least one table or view in the schema.
6. Write probe — Klairr submits a no-op write attempt to confirm rejection.
7. Schema introspection — Klairr enumerates tables and columns from INFORMATION_SCHEMA.

What Klairr queries

• Schema introspection runs against INFORMATION_SCHEMA.TABLES, .COLUMNS, and .VIEWS — no row data leaves your warehouse during introspection.
• Question answering issues plain SELECT statements with a server-enforced LIMIT. Every emitted query is validated against an allow-list before execution: stage operations (COPY INTO, PUT, GET, REMOVE, LIST, UNLOAD), pipes, tasks, procedures, streams, EXECUTE IMMEDIATE, and any DML are rejected at the application layer.
• Snowflake bills credits per query. Klairr defaults to a 1-hour query-result cache for Snowflake connectors to keep credit consumption predictable.

Allow writable role

Same opt-in available on every database connector — set “Allow writable role” to “Yes” if your role can write and you can’t narrow it. Klairr’s executor only emits SELECT; the connect-time probe is belt-and-braces. The acknowledgement is recorded on the connector.

Troubleshooting

• Account identifier rejected — Snowflake account identifiers must include the region (xy12345.us-east-1), not just the account locator. Find the correct form in your Snowflake URL.
• Authentication failed — the user doesn’t exist, the password is wrong, or a network policy is blocking Klairr. Confirm in Snowflake’s web UI from a workstation that has the same egress IP, or check LOGIN_HISTORY for the failure reason.
• Role unauthorized — the user wasn’t granted the role. Re-run GRANT ROLE … TO USER ….
• Warehouse not found / no usage privilege — the role is missing USAGE on the warehouse. Re-run the GRANT USAGE ON WAREHOUSE statement.
• Permission denied on table — the role is missing SELECT on at least one table. Re-run GRANT SELECT ON ALL TABLES and GRANT SELECT ON FUTURE TABLES.
• “Credentials grant write access” — the role has MODIFY or INSERT/UPDATE/DELETE. Either narrow the role, or set “Allow writable role” to Yes.

Related

• Network Access — egress IPs, private-link options, TLS requirements.
• Roles & Permissions — workspace-level access controls.
• Supported Data Sources — every database and SaaS Klairr connects to.
• Security & Data Handling — encryption, logging, what we do and don’t store.