Guides

Features

Advanced

Connect a Snowflake Database

This page describes how ALTR connects to Snowflake databases. It includes a walkthrough of how to connect Snowflake databases to ALTR as well as a detailed overview of what objects ALTR creates in Snowflake to support the connection. It also includes common troubleshooting steps for users who have trouble connecting Snowflake databases.

What does ALTR do when it connects a Snowflake Database?

When you connect a Snowflake database to ALTR, ALTR creates a variety of Snowflake-Side objects that enable data governance. These include:

  1. An API integration that enables Snowflake to communicate directly with ALTR’s SaaS governance engine
  2. The ALTR_DSAAS schema that ALTR uses to house schema-level governance objects, like Dynamic Data Masking Policies

Additionally, ALTR executes a variety of processes in its SaaS platform in order to ensure it can properly access the Snowflake database and its schema objects. This includes:

  1. Executing a “Database Status Check”, where ALTR ensures that it can connect to your Snowflake account. This check also ensures that the Service User for this database is appropriately permissioned.
  2. Identifying all schemas and tables available in the Snowflake database to accelerate ALTR’s UI.

Note: ALTR only accesses and persists account and schema object information relating to your Snowflake Database. ALTR does not automatically access or persist any data stored in Snowflake.

How to Connect Snowflake Databases to ALTR

To unlock ALTR’s data governance tools for Snowflake databases, you must connect that database to ALTR. ALTR’s Snowflake Partner Connect Onboarding offers a guided walkthrough for connecting your first databases. This section covers how to connect Snowflake Databases after onboarding.

Note: ALTR can only connect to Snowflake Databases if the Service User has permission to access that database. In order to ensure you can successfully connect a database, ALTR recommends re-running the Stored Procedure to ensure the Service User can access all databases in your Snowflake account.

Note: In order for ALTR to connect to a database from a new Snowflake account, that account must be Snowflake Enterprise Edition or higher. Additionally, Snowflake must be able to send and receive data from ALTR’s Cloud Governance tools. If your Snowflake Account has restricted network policies, please ensure that ALTR’s IP addresses are whitelisted. This information can be found on our onboarding documentation.

Note: Snowflake does not support External Functions on shared databases. Because of this, any Snowflake databases created from a Snowflake Share such as “Snowflake Sample Data” cannot be connected to ALTR.

ALTR offers two routes for connecting Snowflake Databases:

  1. Snowflake Partner Connect, containing a streamlined form to connect any database in a Snowflake Account connected through Snowflake Partner Connect
  2. User Authentication, containing a detailed form to connect any Snowflake Databases from any Snowflake Account using any Service User

Connecting Snowflake Partner Connect Databases

If you joined ALTR through Snowflake Partner Connect, ALTR remembers the Snowflake Hostname and Service User information from your Snowflake account. Connecting a database in the Partner Connect form is as simple as selecting the database from a dropdown, giving it a name in ALTR, and choosing optional features for the databases such as:

  1. Classify and Tag Data
  2. If selected, ALTR will attempt to classify your columnar data to allow you to more easily identify sensitive data. These classifications will also result in Data Tags, and Enterprise ALTR feature that enables you to create Column Access Policies at scale.
  3. Import Access History
  4. If selected, ALTR will access the database’s query history in order to show the last 30 days of data access for Data Usage Analytics

Connecting Snowflake Databases Manually

If you signed up for ALTR though altr.com or if you want to connect a database from a Snowflake account other than the one used for Partner Connect, you can manually connect a database by providing ALTR with the Snowflake Hostname and Service User information for the database’s Snowflake Account. To manually create and permission a non-Partner Connect Service User, see this guide.

When manually connecting a Snowflake database, ALTR requires the following information:

  1. A Name for that database in ALTR
  2. The Snowflake Account Hostname. This can be found in the URL for Snowflake’s Classic Console. If you are using the Snowsight UI, this can be found by clicking the link icon when hovering over your account information int he bottom left corner of the Snowsight UI.
  1. The Username and Password for the Snowflake Service User
  2. To generate and automatically permission a Snowflake Service User outside of Snowflake Partner Connect, see this guide.
  3. The name of the Snowflake Database
  4. This must exactly match the name of the database in Snowflake
  5. Optional: Classify and Tag Data
  6. If selected, ALTR will attempt to classify your columnar data to allow you to more easily identify sensitive data. These classifications will also result in Data Tags, and Enterprise ALTR feature that enables you to create Column Access Policies at scale.
  7. Optional: Import Access History
  8. If selected, ALTR will access the database’s query history in order to show the last 30 days of data access for Data Usage Analytics

Advanced Settings when Connecting Data Sources

ALTR offers some different advanced configuration options when connecting a database or modifying database connections. Most users do not need to worry about these settings.

  1. Port: This is the network port used to communicate with Snowflake. The default value is 443.
  2. Warehouse Name: This is the warehouse that ALTR will use when the Snowflake Service User is executing queries in Snowflake. If this is left blank, ALTR will use the default warehouse for the Service User (this is configured in Snowflake).
  3. Role Name: This is the role that ALTR will use when the Snowflake Service User is executing queries in Snowflake. If this is left blank, ALTR will use the default role for the Service User (this is configured in Snowflake).
  4. Maximum Data Source Connections: This is the maximum amount of simultaneous open connects ALTR will have open with the Snowflake Database. The default and recommended value is 5.

Troubleshooting and FAQs

  1. I changed the password for my Snowflake Partner Connect Service User, how do I change it in ALTR?
    If you change the password for PC_ALTR_USER, please reach out to support@altr.com for assistance.
  2. I’m trying to connect a database via the Snowflake Partner Connect form, but it isn’t appearing in the dropdown.
    ALTR can only connect databases that the Service User has access to. Try re-executing the stored procedure in order to ensure the service user can see all of the databases in your Snowflake Account.
    Due to limitations in Snowflake Data Sharing, ALTR does not support governing databases created from a Data Share. Because of this, shared databases are not included in the dropdown.
    ALTR automatically excludes the automatically created databases PC_ALTR_DB from the list, as this database is auto-generated by Snowflake and serves no purpose.
  3. I’m getting errors when trying to connect a Snowflake Database via the Partner Connect form.
    Ensure that your service user permissions are up to date by re-executing the Stored Procedure
    Check that no one has changed the password for PC_ALTR_USER in Snowflake. If that password has changed, please reach out to support@altr.com.
    ALTR must be able to communicate with Snowflake over the internet to create database connections. Please ensure that ALTR’s IP addresses are whitelisted in your Snowflake Network Policies. Information on ALTR's IP addresses can be found in our onboarding guide.
    If you continue to have problems, reach out to support@altr.com
  4. I’m getting errors when trying to connect a Snowflake Database via the Manual Configuration form.
    Ensure that you have a valid service user, and re-execute the Stored Procedure to ensure that the service user has permission to the database
    Ensure that you correctly entered the hostname for the Snowflake account in the format loremipsum.snowflakecomputing.com. See the section earlier in this page for help identifying your Snowflake hostname.
    Ensure that you are entering the correct Service User Username and Password
    If you continue to have issues, reach out to support@altr.com.
  5. I accidentally removed some of ALTR’s Snowflake-side account or schema objects for my database, and now some governance features aren’t working.
    Please reach out to support@altr.com.


First section of content