Opal's Snowflake App not only lets you manage access to your Snowflake Roles, but it also allows you to manage a Role's access to Securable Objects such as Databases, Schemas, and Tables.

Our integration supports the following, and more:

• Import and sync Snowflake Roles and Securable Objects into Opal
• View granular Privileges granted to each user and Role
• Manage access to Snowflake Roles and Securable Objects
• Perform User Access Reviews (UAR) assigning managers or group admins to periodically review users with access to Snowflake Roles
• Audit Event logs for any access changes on managed Snowflake Resources
• Request JIT time-bound access enabling end users to self-service access requests to Snowflake Roles

For more information on the feature set, check out our Opal Snowflake Integration blog !

ℹ️

Note for Additional Support

There is a limit to 10,000 users, roles, databases, schemas, and tables each. If you would like to increase this, please reach out to [email protected]

Getting started

Step 1: Configure your Snowflake Service Account

In order for Opal to manage access to your Snowflake Roles, you must first configure a Snowflake User that uses key pair authentication. Within Snowflake,

1. Create a public/private key pair. Follow Snowflake’s Key Pair Authentication instructions.
2. Create a Snowflake User and Role in Snowflake. You can use the below script as a sample:

USE ROLE ACCOUNTADMIN; 

CREATE ROLE OPALSERVICE COMMENT = 'This role is for the Opal Snowflake integration and should not be modified';

--  Allow role to update a user/role's grants
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE OPALSERVICE;
-- Allow role to view query history for usage insights
GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE OPALSERVICE;

-- Add to the Role Hierarchy as recommended by Snowflake
GRANT ROLE OPALSERVICE TO ROLE SECURITYADMIN;

-- Grant warehouse to role
-- <Warehouse name> should be replaced with your warehouse
GRANT USAGE ON WAREHOUSE <Warehouse name> TO ROLE OPALSERVICE;

-- Create the service account
CREATE USER OPALADMIN
    DEFAULT_ROLE = 'OPALSERVICE'
    DEFAULT_WAREHOUSE = '<Warehouse name>'
    -- Replace <Public key> with the value from the previous step
    RSA_PUBLIC_KEY = '<Public key>'
    COMMENT = 'Service account used by Opal Security to sync user roles';

-- Grant the role to the service account
GRANT ROLE OPALSERVICE TO USER OPALADMIN;

Step 2: Fill out Opal form to Connect to Snowflake

In Opal, head to the "Catalog" page, click the "+App" button on the top right, and select the Snowflake tile. Fill in the details of your Snowflake configuration. You will need the following information:

• Organization
• Account
• Locator
• Account identifier
• Snowflake URL
• Public key
• Private key
• Private key password

You may reference Snowflake's documentation for help finding the above details.

Step 3: Import Snowflake Roles and Securable Objects

Once the Snowflake App is set up, select Import items under the ... on the top right to see a list of available Snowflake Roles and Securable Objects you can import and manage in Opal.

Admins can choose to import only a select Snowflake Role, or automatically import it along with all the Securable Objects it has access to. Importing a Securable Object like a Table will automatically create a resource hierarchy, making it easy to visualize the parent Schema and Database in Opal.

Step 4: View and Manage your Snowflake Resources

Now that you have imported Snowflake Roles and Securable Objects you would like managed in Opal, you can easily:

• navigate to each Role and understand which Users and Groups have access to it, and which Securable Objects it has access to
• add or remove Users to and from the Snowflake Roles
• add or remove Securable Objects to and from Snowflake Roles

In the above example, you can see that this Sales Snowflake Role has 5 Users with access to it, 0 Groups with access to it, and it has access to 0 Securable Object Resources. The image shows an admin who has selected the User Marty and is about to click to Remove, which would revoke Marty's access to the Snowflake Role