Snowflake Permissions Configuration

If you aren't directly running the setup script in the Arize UI, this page goes over the permissions necessary to setup the Snowflake connector.

One-Time Setup

One-time setup for the Arize File Importer Role and Snowflake Warehouse.

Scroll down to the Dataset Setup if you've already completed the steps in this section.

Make sure you're using the securityadmin Snowflake role, and create a Snowflake role called ARIZE_FILE_IMPORTER_ROLE .
Create a Snowflake user called ARIZE_FILE_IMPORTER
1. Set the default role for the user as the ARIZE_FILE_IMPORTER_ROLE role
2. Set the default warehouse for the user as the warehouse that was provisioned for Arize (see here if you have not done this yet)
Grant the ARIZE_FILE_IMPORTER_ROLE role to the ARIZE_FILE_IMPORTER user

-- create variables for user / password / role / warehouse / database (needs to be uppercase for objects)
set role_name = 'ARIZE_FILE_IMPORTER_ROLE';
set user_name = 'ARIZE_FILE_IMPORTER';
set warehouse_name = '[PROVISIONED_WAREHOUSE_FOR_ARIZE]';

-- change role to securityadmin for user / role steps
use role securityadmin;

-- create role for arize
create role if not exists identifier($role_name);

-- create  a user for arize
create user if not exists identifier($user_name);
alter user identifier($user_name) set default_role = $role_name;
alter user identifier($user_name) set default_warehouse = $warehouse_name;

grant role identifier($role_name) to user identifier($user_name);

Set the RSA_PUBLIC_KEY for the ARIZE_FILE_IMPORTER user
1. You can find the RSA Public Key in the Arize UI when setting up the Snowflake import job.

-- set user public key
ALTER USER identifier($user_name) SET RSA_PUBLIC_KEY='[ARIZE_PUBLIC_KEY]';

Grant the ARIZE_FILE_IMPORTER_ROLE role USAGE on the warehouse provisioned for Arize.

-- grant arize role access to warehouse
grant USAGE
on warehouse identifier($warehouse_name)
to role identifier($role_name);

Dataset Setup

Follow the below steps when configuring access for new tables/schemas for Arize.

You can skip over steps 1 + 2 if you've already done those for the Snowflake database that contains your table/schema.

Create a Snowflake schema called arize in your database if it doesn't already exist.
1. CREATE SCHEMA IF NOT EXISTS [DATABASE_NAME].arize;
Create a table within the arize schema called arize_ingestion_keys with the following columns: object_name [string], object_type [string], tag_name [string], tag_value [string]. This table is used to store the Arize Ingestion Keys. These keys act as challenge keys to prove ownership of Snowflake tables/schemas.

CREATE TABLE IF NOT EXISTS [DATABASE_NAME].arize.arize_ingestion_keys(
    object_name string, 
    object_type string, 
    tag_name string, 
    tag_value string
);

Insert a record into the arize_ingestion_keys table for the table/schema you want to give Arize access to. The record should contain the Snowflake table/schema name as the object_name , table or schema as the object_type , arize-ingestion-key as the tag_name , and your Arize Ingestion Key (you can find this in the Arize UI when setting up the Snowflake import job) as the tag_value .

-- Assign challenge key to table to prove ownership (idempotently)
MERGE INTO [DATABASE_NAME].arize.arize_ingestion_keys t
USING (SELECT
    '[TABLE_NAME]' as object_name,
    'table' as object_type,
    'arize-ingestion-key' as tag_name,
    '[ARIZE_INGESTION_KEY]' as tag_value
) s
ON t.object_name = s.object_name
WHEN MATCHED THEN UPDATE SET tag_value = '[ARIZE_INGESTION_KEY]'
WHEN NOT MATCHED THEN
INSERT VALUES ('[TABLE_NAME]', 'table', 'arize-ingestion-key', '[ARIZE_INGESTION_KEY]');

Grant the following permissions to the ARIZE_FILE_IMPORTER_ROLE :
1. USAGE on the database (skip this if done previously)
2. USAGE on the Snowflake schema that contains the table with your data
3. SELECT on the Snowflake table that contains your data
4. USAGE on the arize Snowflake schema (skip this if done previously)
5. SELECT on the arize_ingestion_keys Snowflake table (skip this if done previously)

-- Grant permissions to Arize role
set role_name = 'ARIZE_FILE_IMPORTER_ROLE';
set DATABASE_NAME = '[DATABASE_NAME]';

grant USAGE
on database identifier($database_name)
to role identifier($role_name);

grant USAGE
on schema [DATABASE_NAME].[SCHEMA_NAME]
to role identifier($role_name);

grant SELECT
on table [DATABASE_NAME].[SCHEMA_NAME].[TABLE_NAME]
to role identifier($role_name);

grant USAGE
on schema [DATABASE_NAME].arize
to role identifier($role_name);

grant SELECT
on table [DATABASE_NAME].arize.arize_ingestion_keys
to role identifier($role_name);

If you are still running into issues with connecting to Snowflake, please check your Snowflake network policy. You may need to whitelist the general Arize IPs found here.

PreviousSnowflake NextDatabricks

Last updated 2 months ago

Was this helpful?

Snowflake Permissions Configuration

If you aren't directly running the setup script in the Arize UI, this page goes over the permissions necessary to setup the Snowflake connector.

One-Time Setup

One-time setup for the Arize File Importer Role and Snowflake Warehouse.

Scroll down to the Dataset Setup if you've already completed the steps in this section.

Make sure you're using the securityadmin Snowflake role, and create a Snowflake role called ARIZE_FILE_IMPORTER_ROLE .
Create a Snowflake user called ARIZE_FILE_IMPORTER
1. Set the default role for the user as the ARIZE_FILE_IMPORTER_ROLE role
2. Set the default warehouse for the user as the warehouse that was provisioned for Arize (see here if you have not done this yet)
Grant the ARIZE_FILE_IMPORTER_ROLE role to the ARIZE_FILE_IMPORTER user

-- create variables for user / password / role / warehouse / database (needs to be uppercase for objects)
set role_name = 'ARIZE_FILE_IMPORTER_ROLE';
set user_name = 'ARIZE_FILE_IMPORTER';
set warehouse_name = '[PROVISIONED_WAREHOUSE_FOR_ARIZE]';

-- change role to securityadmin for user / role steps
use role securityadmin;

-- create role for arize
create role if not exists identifier($role_name);

-- create  a user for arize
create user if not exists identifier($user_name);
alter user identifier($user_name) set default_role = $role_name;
alter user identifier($user_name) set default_warehouse = $warehouse_name;

grant role identifier($role_name) to user identifier($user_name);

Set the RSA_PUBLIC_KEY for the ARIZE_FILE_IMPORTER user
1. You can find the RSA Public Key in the Arize UI when setting up the Snowflake import job.

-- set user public key
ALTER USER identifier($user_name) SET RSA_PUBLIC_KEY='[ARIZE_PUBLIC_KEY]';

Grant the ARIZE_FILE_IMPORTER_ROLE role USAGE on the warehouse provisioned for Arize.

-- grant arize role access to warehouse
grant USAGE
on warehouse identifier($warehouse_name)
to role identifier($role_name);

Dataset Setup

Follow the below steps when configuring access for new tables/schemas for Arize.

You can skip over steps 1 + 2 if you've already done those for the Snowflake database that contains your table/schema.

Create a Snowflake schema called arize in your database if it doesn't already exist.
1. CREATE SCHEMA IF NOT EXISTS [DATABASE_NAME].arize;
Create a table within the arize schema called arize_ingestion_keys with the following columns: object_name [string], object_type [string], tag_name [string], tag_value [string]. This table is used to store the Arize Ingestion Keys. These keys act as challenge keys to prove ownership of Snowflake tables/schemas.

CREATE TABLE IF NOT EXISTS [DATABASE_NAME].arize.arize_ingestion_keys(
    object_name string, 
    object_type string, 
    tag_name string, 
    tag_value string
);

Insert a record into the arize_ingestion_keys table for the table/schema you want to give Arize access to. The record should contain the Snowflake table/schema name as the object_name , table or schema as the object_type , arize-ingestion-key as the tag_name , and your Arize Ingestion Key (you can find this in the Arize UI when setting up the Snowflake import job) as the tag_value .

-- Assign challenge key to table to prove ownership (idempotently)
MERGE INTO [DATABASE_NAME].arize.arize_ingestion_keys t
USING (SELECT
    '[TABLE_NAME]' as object_name,
    'table' as object_type,
    'arize-ingestion-key' as tag_name,
    '[ARIZE_INGESTION_KEY]' as tag_value
) s
ON t.object_name = s.object_name
WHEN MATCHED THEN UPDATE SET tag_value = '[ARIZE_INGESTION_KEY]'
WHEN NOT MATCHED THEN
INSERT VALUES ('[TABLE_NAME]', 'table', 'arize-ingestion-key', '[ARIZE_INGESTION_KEY]');

Grant the following permissions to the ARIZE_FILE_IMPORTER_ROLE :
1. USAGE on the database (skip this if done previously)
2. USAGE on the Snowflake schema that contains the table with your data
3. SELECT on the Snowflake table that contains your data
4. USAGE on the arize Snowflake schema (skip this if done previously)
5. SELECT on the arize_ingestion_keys Snowflake table (skip this if done previously)

-- Grant permissions to Arize role
set role_name = 'ARIZE_FILE_IMPORTER_ROLE';
set DATABASE_NAME = '[DATABASE_NAME]';

grant USAGE
on database identifier($database_name)
to role identifier($role_name);

grant USAGE
on schema [DATABASE_NAME].[SCHEMA_NAME]
to role identifier($role_name);

grant SELECT
on table [DATABASE_NAME].[SCHEMA_NAME].[TABLE_NAME]
to role identifier($role_name);

grant USAGE
on schema [DATABASE_NAME].arize
to role identifier($role_name);

grant SELECT
on table [DATABASE_NAME].arize.arize_ingestion_keys
to role identifier($role_name);

If you are still running into issues with connecting to Snowflake, please check your Snowflake network policy. You may need to whitelist the general Arize IPs found here.

PreviousSnowflake NextDatabricks

Last updated 2 months ago

Was this helpful?