> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a Snowflake connector
> C1 provides identity governance for Snowflake. Integrate your Snowflake instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
**This is an updated and improved version of the Snowflake connector!** If you're setting up Snowflake with C1 for the first time, you're in the right place.
## Capabilities
| Resource | Sync | Provision |
| ------------------------- | ------------------------------------------------------------- | ------------------------------------------------------------- |
| Accounts | | |
| Account roles | | |
| Databases | | |
| Tables | | |
| Secrets - RSA public keys | | |
The Snowflake connector supports [account provisioning](/product/admin/account-provisioning).
[This connector can sync secrets](/product/admin/inventory) and display them on the **Inventory** page.
## Gather Snowflake credentials
Configuring the connector requires you to pass in credentials generated in Snowflake. Gather these credentials before you move on.
**For best results, use a dedicated service account.** C1 will use the `DEFAULT_WAREHOUSE`, `DEFAULT_NAMESPACE`, and `DEFAULT_ROLE` properties of the user used for the integration. For this reason, we recommend creating a dedicated service account in Snowflake for integrating with C1 with these default user properties.
Give the service account the `MONITOR USAGE` and `MANAGE GRANTS` global permissions for the default warehouse and namespace, plus the `MONITOR` privilege on each user secret and database.
### Generate a private key and set the public key on a Snowflake user
Generate an **unencrypted** private key in PEM format by running the following command:
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
```
Next, use the private key to generate the public key. Run the following command:
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
```
To enable public key authentication for a Snowflake user, execute the following `ALTER USER` command. A user with the `ACCOUNTADMIN` role must perform this operation:
```sql theme={"theme":{"light":"css-variables","dark":"css-variables"}}
ALTER USER SET RSA_PUBLIC_KEY='MIIBIj...';
```
**Tip:** When setting the `RSA_PUBLIC_KEY`, extract the key content between the `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` lines from your public key file. Do not include the header or footer. The key should be a single continuous string.
Carefully save the private key.
### Look up your account identifier
Find your account identifier by navigating in the Snowflake console to your account, selecting your user, and finding the alphanumeric code listed under **Locator**.
**Done.** Next, move on to the connector configuration instructions.
## Configure the Snowflake connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Snowflake credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Snowflake v2** and click **Add**.
Choose how to set up the new Snowflake connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
In the **Account URL** field, enter the full URL of your Snowflake instance.
In the **Account ID / Locator** field, enter your Snowflake account identifier.
In the **Username** field, enter your Snowflake username.
In the **RSA Private Key (PEM Format)** field, upload the private key file.
**Optional.** Enable **Sync secrets** to display them on the [Inventory page](/product/admin/inventory).
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Snowflake connector is now pulling access data into C1.
**Follow these instructions to use the Snowflake connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
* [GitHub repository](https://github.com/conductorone/baton-snowflake): Access the source code, report issues, or contribute to the project.
### Step 1: Set up a new Snowflake connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Snowflake connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Snowflake connector deployment:
#### Secrets configuration
```yaml theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-snowflake-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-snowflake-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Snowflake credentials
BATON_ACCOUNT_IDENTIFIER:
BATON_ACCOUNT_URL:
BATON_PRIVATE_KEY:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-snowflake.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-snowflake
labels:
app: baton-snowflake
spec:
selector:
matchLabels:
app: baton-snowflake
template:
metadata:
labels:
app: baton-snowflake
baton: true
baton-app: snowflake
spec:
containers:
- name: baton-snowflake
image: ghcr.io/conductorone/baton-snowflake:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-snowflake
envFrom:
- secretRef:
name: baton-snowflake-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Snowflake connector to. Snowflake data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Snowflake connector is now pulling access data into C1.
## Troubleshooting the Snowflake v2 connector
### 4xx errors
If you're seeing a `422 unprocessable entity` or `401 unauthorized` error in the logs, make sure that your service account has the `DEFAULT_WAREHOUSE`property, and that you've correctly looked up your Snowflake account identifier.
### Connector fails when Snowflake IP allowlisting is enabled
If your Snowflake account has a [network policy](https://docs.snowflake.com/en/user-guide/network-policies) configured that restricts access by IP address, you must add C1's egress IP addresses to the allowlist. Otherwise, Snowflake will reject connections from the connector.
For **cloud-hosted connectors**, C1 manages the connector infrastructure. Add C1's connector egress IPs to your Snowflake network policy. See [C1 egress IP addresses](https://www.c1.ai/docs/product/admin/egress-ips) for the current list.
For **self-hosted connectors**, the connector runs on your own infrastructure, so you should add the outbound IP addresses of your own environment instead.
### User fields (LOGIN, DISPLAY\_NAME, etc.) are empty in synced data
If user records are syncing but fields such as `LOGIN`, `DISPLAY_NAME`, and others are empty, with no other errors, checking the following:
* Ensure that the service account has a role granted. If the service account has a default role set, but no roles granted, user data will not sync correctly. Grant the default role to the service account to resolve this issue.
* Ensure the `MANAGE GRANTS` privilege is **granted directly to the service account user** (not inherited via a role). Use the following steps to grant the privilege directly:
```
USE ROLE ACCOUNTADMIN;
GRANT MANAGE GRANTS ON ACCOUNT TO USER ;
```