Klairr connects to Snowflake via the SQL API v2 with a dedicated read-only role. No native Node SDK is required — the connector is HTTP-only.
Prerequisites
- A Snowflake account (the identifier including region, e.g. xy12345.us-east-1)
- An admin who can CREATE ROLE and GRANT privileges
- A virtual warehouse Klairr can use
Step 1: Provision a read-only role
```sql
USE ROLE SECURITYADMIN;
CREATE ROLE ANALYTICS_READ_ONLY;
-- USAGE lets the role run queries on the warehouse and resolve objects in the database and schema
GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE ANALYTICS_READ_ONLY;
GRANT USAGE ON DATABASE ANALYTICS TO ROLE ANALYTICS_READ_ONLY;
GRANT USAGE ON SCHEMA ANALYTICS.PUBLIC TO ROLE ANALYTICS_READ_ONLY;
-- SELECT on existing tables and views, and on tables created later
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.PUBLIC TO ROLE ANALYTICS_READ_ONLY;
GRANT SELECT ON ALL VIEWS IN SCHEMA ANALYTICS.PUBLIC TO ROLE ANALYTICS_READ_ONLY;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.PUBLIC TO ROLE ANALYTICS_READ_ONLY;
-- Dedicated user for Klairr whose default role is the read-only role
CREATE USER KLAIRR_READER PASSWORD = '...' DEFAULT_ROLE = ANALYTICS_READ_ONLY;
GRANT ROLE ANALYTICS_READ_ONLY TO USER KLAIRR_READER;
```
The role gets USAGE on warehouse + database + schema and SELECT on tables/views — the minimum surface for read-only analytics. Klairr does not request OPERATE, MODIFY, CREATE, or OWNERSHIP.
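To confirm the role ended up with only that surface, the following check lists its grants and returns any row that falls outside USAGE and SELECT. It is an added example, not part of Klairr's own documentation, and it assumes the object names used in Step 1.

```sql
-- Added verification example; object names are the ones used in Step 1.
USE ROLE SECURITYADMIN;

-- 1. Every privilege held by the role.
SHOW GRANTS TO ROLE ANALYTICS_READ_ONLY;

-- 2. Filter the SHOW output from the statement directly above.
--    Anything other than USAGE or SELECT is outside the read-only surface,
--    and a row with granted_on = 'ROLE' means another role's privileges
--    are inherited. Expect zero rows.
SELECT "privilege", "granted_on", "name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" NOT IN ('USAGE', 'SELECT')
   OR "granted_on" = 'ROLE';

-- 3. Future grants on the schema. Step 1 grants SELECT on future tables only,
--    so views created later need their own grant before the role can read them.
SHOW FUTURE GRANTS IN SCHEMA ANALYTICS.PUBLIC;

-- 4. Roles granted to the service user. Any role listed here besides
--    ANALYTICS_READ_ONLY widens what the account can do.
SHOW GRANTS TO USER KLAIRR_READER;
```

Run statements 1 and 2 back to back in the same session, since RESULT_SCAN(LAST_QUERY_ID()) reads the output of the immediately preceding statement.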
Step 2: Add the connector
| Field | Example |
|---|---|
| Account identifier | xy12345.us-east-1 |
| Username | KLAIRR_READER |
| Password | … |
| Role | ANALYTICS_READ_ONLY |
| Warehouse | ANALYTICS_WH |
| Database | ANALYTICS |
| Schema | PUBLIC |
Notes
- Snowflake bills credits per query — Klairr defaults to a 1-hour query-result cache for Snowflake to keep credit consumption predictable.
- Stage operations (COPY INTO, PUT, GET, REMOVE, LIST, UNLOAD), pipes, tasks, procedures, streams, and EXECUTE IMMEDIATE are all blocked at the SQL guardrail layer regardless of the role.
- For key-pair authentication (recommended for production), contact support — password auth is the v1 path.