Skip to main content

Manage Service Users

As part of the onboarding process with ALTR, you must create a service user in Snowflake, register that user with ALTR and select an authentication method. Once registered, connect your data source and assign the service user. You can use the same service user across multiple data sources within your Snowflake account.

Note

If you use Snowflake Partner Connect to onboard with ALTR, your Snowflake service user is automatically registered to ALTR. Use this service user when connecting a data source.

Authentication Methods

There are two options to authenticate your service user with ALTR:

  • Key-pair (Recommended) uses a private and a public key to verify the service user

  • Password uses a password to verify the service user

Key-Pair Authentication

Key-pair authentication uses a secure pair of cryptographic keys: a public key and a private key. The public key is stored with the Snowflake service user, and the private key is created and securely stored inside ALTR.

When you log in, ALTR uses the private key to generate a signed token and sends it to Snowflake over an encrypted connection. Snowflake verifies the token using the public key.

Because only the signed token is sent—not the private key itself—your credentials stay protected.

Why we recommend it

  • Phishing‑proof & brute‑force resistant—there’s no guessable secret to steal.

  • Nothing reusable in scripts—no password vaults or environment variables to guard.

  • Future‑proof—Snowflake is taking steps to deprecate password authentication for service users. Learn more.

  • One‑click rotation—generate a new key in ALTR, run the SQL in Snowflake, and you’re done.

Note

We recommend using key-pair authentication with the SERVICE type for the service user.

Password Authentication

Password authentication uses a single password that ALTR stores securely and sends to Snowflake each time the service user logs in. Snowflake checks the password to confirm the user's identity.

Why we don’t recommend it

  • Easy to compromise—short or reused passwords turn one breach into a master key.

  • Phishable & reusable—attackers can harvest or replay leaked credentials in bulk.

  • End‑of‑life—Snowflake is taking steps to deprecate password authentication for service users. Learn more.

Prerequisites

To register your Snowflake service user, you need the following information:

  • Hostname URL. This is the Account/Server URL in Snowflake.

    Tip

    To locate this URL:

    1. Log into your Snowflake account.

    2. Go to your profile.

    3. Click Account to view the accounts you previously signed in to.

    4. Locate the account and click View account details; the Account Details modal displays.

    5. Click the copy icon for Account/Server URL.

  • Login Name for your service user. This is the name used to authenticate to Snowflake.

Register Service Users

To register a service user with ALTR:

  1. Create a service user in Snowflake. Learn more.

  2. Log into ALTR and select Data ConfigurationService Users in the Navigation menu.

  3. Click Register Service User.

  4. Enter a Display Name. This is a user-friendly name to identify your service user.

  5. Enter the Hostname for your Snowflake account.

  6. Enter the Login Name for your service user.

  7. Click Register. Your service user is not fully set up yet; you need to select an authentication method.

  8. Select an authentication method. Options are: Key-Pair or Password.

    Note

    Our recommendation is to use key-pair authentication method because it is more secure than password authentication and Snowflake plans to deprecate password authentication for service users. The following steps are to configure key-pair authentication, but you are still able to use password authentication. Learn more.

  9. Click Generate Key to create the public and private keys. The private key is never surfaced and you must save this public key to your service user in Snowflake in order to register the service user with ALTR.

  10. Copy the SQL command provided in ALTR and run it in Snowflake. This code saves the public key to your service user in Snowflake and sets the type of the user to SERVICE. This step ensures ALTR can authenticate to the Snowflake account.

    Note

    Before running the code

    • If your Login Name is separate from your Username in Snowflake, update the code to use the object name before running it in Snowflake.

    • To execute the command, you must either have OWNERSHIP privileges on the service user or be USERADMIN, SECURITYADMIN or ACCOUNTADMIN.

  11. Return to ALTR and click Finish.

Use Key-Pair Authentication

Key-pair authentication is the recommended authentication method because it is more secure than password authentication. If your ALTR account was created via Snowflake Partner Connect after May 2025, your service user was automatically created with key-pair authentication. You can update the authentication method to key-pair, but once changed, the authentication method cannot be changed back to password in ALTR.

Update Authentication Method to use Key-Pair

You are able to update your authentication method from password to key-pair. However, once updated to key-pair, you are unable to change the authentication method back to password.

Note

Updating the authentication method may cause in-progress jobs, such as data classification, to fail if they use this service user. Ensure all in-process jobs have finished.

To update the authentication method to use key-pair:

  1. Select Data ConfigurationService Users in the Navigation menu.

  2. Select your service user.

  3. Click Edit Service User.

  4. Click Generate Key to create the public and private keys. The private key is never surfaced and you must save this public key to your service user in Snowflake in order to register the service user with ALTR.

  5. Copy the SQL command provided in ALTR and run it in Snowflake. This code saves the public key to your service user in Snowflake and sets the type of the user to SERVICE. This step ensures ALTR can authenticate to the Snowflake account.

    Note

    Before running the code

    • If your Login Name is separate from your Username in Snowflake, update the code to use the object name before running it in Snowflake.

    • To execute the command, you must either have OWNERSHIP privileges on the service user or be USERADMIN, SECURITYADMIN or ACCOUNTADMIN.

  6. Click Save.

Rotate Key

Periodically rotate the public key to satisfy either internal or external compliance.

Note

Rotating the key may cause in-progress jobs, such as data classification, to fail if they use this service user. Ensure all in-process jobs have finished.

To rotate the key:

  1. Select Data ConfigurationService Users in the Navigation menu.

  2. Select your service user.

  3. Click Edit Service User.

  4. Click Rotate Key; a modal displays to confirm.

  5. Click Rotate Key.

  6. Copy the updated code provided in ALTR. Run the code in Snowflake to save the new public key to your service user in Snowflake. This step ensures ALTR can authenticate to the Snowflake account.

  7. Click Save.

Use Password Authentication

Password authentication uses a password to verify the service user. While this authentication method is convenient and easy to use, we don’t recommend it because passwords are easier to compromise and offer weaker security. With password authentication, you provide your own password, whereas with key-pair authentication, the private key is generated and retained exclusively for internal use—it is never exposed or disclosed to anyone, making key-pair a stronger protection method. Additionally, Snowflake plans to deprecate password authentication for service users. For these reasons, ALTR recommends using key-pair authentication for service users.

Note

Once a service user has been registered and configured to use key-pair authentication, it cannot be updated to use password authentication.

If using password authentication, run the following command to set the type of the user in snowflake to LEGACY_SERVICE:

ALTER USER <USER> SET TYPE = LEGACY_SERVICE;

To register a service user with password authentication:

  1. Create a service user in Snowflake. Learn more.

  2. Log into ALTR and select, Data ConfigurationService Users in the Navigation menu.

  3. Click Register Service User.

  4. Enter a Display Name. This is a user-friendly name to identify your service user.

  5. Enter the Hostname for your Snowflake account.

  6. Enter the Login Name for your service user.

  7. Click Register. Your service user is not fully set up yet; you need to select an authentication method.

  8. Click the Password Authentication tab.

  9. Enter a Service Account Password.

  10. Confirm Service Account Password.

  11. Click Finish.

Remove a Service User

If your service user has been deleted in Snowflake or if it is no longer needed in ALTR, remove the service user.

Note

Removing a service user from ALTR does not delete the user from Snowflake.

To remove a service user from ALTR:

  1. Verify the service user is not assigned to a data source connected to ALTR. If it is, first disconnect the data source or update it to use a different data source , then continue to remove the service user.

  2. Select Data ConfigurationService Users in the Navigation menu.

  3. Select your service user.

  4. Click Edit Service User.

  5. Click Remove; a modal displays to confirm the removal.

  6. Click Remove to confirm.

In this section: