Connect to and manage Snowflake in Microsoft Purview

This article outlines how to register Snowflake, and how to authenticate and interact with Snowflake in Microsoft Purview. For more information about Microsoft Purview, read the introductory article.

Supported capabilities

Metadata Extraction	Full Scan	Incremental Scan	Scoped Scan	Classification	Labeling	Access Policy	Lineage	Data Sharing	Live view
Yes	Yes	No	Yes	Yes	Yes	No	Yes	No	No

When scanning Snowflake source, Microsoft Purview supports:

• Extracting technical metadata including:

  • Server
  • Databases
  • Schemas
  • Tables including the columns, foreign keys and unique constraints
  • Views including the columns
  • Stored procedures including the parameter dataset and result set
  • Functions including the parameter dataset
  • Pipes
  • Stages
  • Streams including the columns
  • Tasks
  • Sequences

• Fetching static lineage on assets relationships among tables, views, streams, and stored procedures.

For stored procedures, you can choose the level of details to extract on scan settings. Stored procedure lineage is supported for Snowflake Scripting (SQL) and JavaScript languages, and generated based on the procedure definition.

When setting up scan, you can choose to scan one or more Snowflake database(s) entirely based on the given name(s) or name pattern(s), or further scope the scan to a subset of schemas matching the given name(s) or name pattern(s).

Known limitations

• When object is deleted from the data source, currently the subsequent scan won't automatically remove the corresponding asset in Microsoft Purview.
• Stored procedure lineage is not supported for the following patterns:
  • Stored procedure defined in Java, Python and Scala languages.
  • Stored procedure using SQL EXECUTE IMMEDIATE with static SQL query as variable.

Prerequisites

• An Azure account with an active subscription. Create an account for free.
• An active Microsoft Purview account.
• You need Data Source Administrator and Data Reader permissions to register a source and manage it in the Microsoft Purview governance portal. For more information about permissions, see Access control in Microsoft Purview.

Note

If your data store is not publicly accessible (if your data store limits access from on-premises network, private network or specific IPs, etc.), you will need to configure a self hosted integration runtime to connect to it. Learn more from Choose the right integration runtime configuration for your scenario.

• If your data store isn't publicly accessible, set up the latest self-hosted integration runtime. For more information, see the create and configure a self-hosted integration runtime guide.
  • Ensure JDK 11 is installed on the machine where the self-hosted integration runtime is installed. Restart the machine after you newly install the JDK for it to take effect.
  • Ensure Visual C++ Redistributable (version Visual Studio 2012 Update 4 or newer) is installed on the self-hosted integration runtime machine. If you don't have this update installed, you can download it here.

Required permissions for scan

Microsoft Purview supports basic authentication (username and password) for scanning Snowflake. The default role of the given user will be used to perform the scan. The Snowflake user must have usage rights on a warehouse and the database(s) to be scanned, and read access to system tables in order to access advanced metadata.

Here's a sample walkthrough to create a user specifically for Microsoft Purview scan and set up the permissions. If you choose to use an existing user, make sure it has adequate rights to the warehouse and database objects.

1. Set up a purview_reader role. You need ACCOUNTADMIN rights to do this.

   USE ROLE ACCOUNTADMIN;
   
   --create role to allow read only access - this will later be assigned to the Microsoft Purview user
   CREATE OR REPLACE ROLE purview_reader;
   
   --make sysadmin the parent role
   GRANT ROLE purview_reader TO ROLE sysadmin;
   

2. Create a warehouse for Microsoft Purview to use and grant rights.

   --create warehouse - account admin required
   CREATE OR REPLACE WAREHOUSE purview_wh WITH 
       WAREHOUSE_SIZE = 'XSMALL' 
       WAREHOUSE_TYPE = 'STANDARD' 
       AUTO_SUSPEND = 300 
       AUTO_RESUME = TRUE 
       MIN_CLUSTER_COUNT = 1 
       MAX_CLUSTER_COUNT = 2 
       SCALING_POLICY = 'STANDARD';
   
   --grant rights to the warehouse
   GRANT USAGE ON WAREHOUSE purview_wh TO ROLE purview_reader;
   

3. Create a user purview for Microsoft Purview scan.

   CREATE OR REPLACE USER purview 
       PASSWORD = '<password>'; 
   
   --note the default role will be used during scan
   ALTER USER purview SET DEFAULT_ROLE = purview_reader;
   
   --add user to purview_reader role
   GRANT ROLE purview_reader TO USER purview;
   

4. Grant reader rights to the database objects.

   GRANT USAGE ON DATABASE <your_database_name> TO purview_reader;
   
   --grant reader access to all the database structures that purview can currently scan
   GRANT USAGE ON ALL SCHEMAS IN DATABASE <your_database_name> TO role purview_reader;
   GRANT USAGE ON ALL FUNCTIONS IN DATABASE <your_database_name> TO role purview_reader;
   GRANT USAGE ON ALL PROCEDURES IN DATABASE <your_database_name> TO role purview_reader;
   GRANT SELECT ON ALL TABLES IN DATABASE <your_database_name> TO role purview_reader;
   GRANT SELECT ON ALL VIEWS IN DATABASE <your_database_name> TO role purview_reader;
   GRANT USAGE, READ on ALL STAGES IN DATABASE <your_database_name> TO role purview_reader;
   
   --grant reader access to any future objects that could be created
   GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <your_database_name> TO role purview_reader;
   GRANT USAGE ON FUTURE FUNCTIONS IN DATABASE <your_database_name> TO role purview_reader;
   GRANT USAGE ON FUTURE PROCEDURES IN DATABASE <your_database_name> TO role purview_reader;
   GRANT SELECT ON FUTURE TABLES IN DATABASE <your_database_name> TO role purview_reader;
   GRANT SELECT ON FUTURE VIEWS IN DATABASE <your_database_name> TO role purview_reader;
   GRANT USAGE, READ ON FUTURE STAGES IN DATABASE <your_database_name> TO role purview_reader;
   

Register

This section describes how to register Snowflake in Microsoft Purview using the Microsoft Purview governance portal.

Steps to register

To register a new Snowflake source in your data catalog, follow these steps:

1. Navigate to your Microsoft Purview account in the Microsoft Purview governance portal.
2. Select Data Map on the left navigation.
3. Select Register
4. On Register sources, select Snowflake. Select Continue.

On the Register sources (Snowflake) screen, follow these steps:

1. Enter a Name that the data source will be listed within the Catalog.

2. Enter the server URL used to connect to the Snowflake account in the form of <account_identifier>.snowflakecomputing.com, for example, orgname-accountname.snowflakecomputing.com. Learn more about Snowflake account identifier.

3. Select a collection from the list.

4. Finish to register the data source.

   

Scan

Follow the steps below to scan Snowflake to automatically identify assets. For more information about scanning in general, see our introduction to scans and ingestion.

Authentication for a scan

The supported authentication type for a Snowflake source is Basic authentication.

Create and run scan

To create and run a new scan, follow these steps:

1. If your server is publicly accessible, skip to step two. Otherwise, you'll need to make sure your self-hosted integration runtime is configured:

   1. In the Microsoft Purview governance portal, got to the Management Center, and select Integration runtimes.
   2. Make sure a self-hosted integration runtime is available. If one isn't set up, use the steps mentioned here to set up a self-hosted integration runtime.

2. In the Microsoft Purview governance portal, navigate to Sources.

3. Select the registered Snowflake source.

4. Select + New scan.

5. Provide the below details:

   1. Name: The name of the scan

   2. Connect via integration runtime: Select the Azure auto-resolved integration runtime, Managed VNet IR or SHIR according to your scenario. Learn more from Choose the right integration runtime configuration for your scenario.

   3. Credential: Select the credential to connect to your data source. Make sure to:

      • Select Basic Authentication while creating a credential.
      • Provide the user name used to connect to Snowflake in the User name input field.
      • Store the user password used to connect to Snowflake in the secret key.

   4. Warehouse: Specify the name of the warehouse instance used to empower scan in capital case. The default role assigned to the user specified in the credential must have USAGE rights on this warehouse.

   5. Databases: Specify one or more database instance names to import in capital case. Separate the names in the list with a semi-colon (;). For example, DB1;DB2. The default role assigned to the user specified in the credential must have adequate rights on the database objects.

      Acceptable database name patterns can be static names or contain wildcard %. For example: A%;%B;%C%;D:

      • Start with A or
      • End with B or
      • Contain C or
      • Equal D

   6. Schema: List subset of schemas to import expressed as a semicolon separated list. For example, schema1;schema2. All user schemas are imported if that list is empty. All system schemas and objects are ignored by default.

      Acceptable schema name patterns using can be static names or contain wildcard %. For example: A%;%B;%C%;D:

      • Start with A or
      • End with B or
      • Contain C or
      • Equal D

      Usage of NOT and special characters aren't acceptable.

   7. Stored procedure details: Controls the number of details imported from stored procedures:

      • Signature (default): The name and parameters of stored procedures.
      • Code, signature: The name, parameters and code of stored procedures.
      • Lineage, code, signature: The name, parameters and code of stored procedures, and the data lineage derived from the code.
      • None: Stored procedure details aren't included.

      Note

      If you use Self-hosted Integration Runtime for scan, customized setting other than the default Signature is supported since version 5.30.8541.1. The earlier versions always extract the name and parameters of stored procedures.

   8. Maximum memory available (applicable when using self-hosted integration runtime): Maximum memory (in GB) available on customer's VM to be used by scanning processes. It's dependent on the size of Snowflake source to be scanned.

      Note

      As a rule of thumb, please provide 1GB memory for every 1000 tables.

      

6. Select Test connection to validate the settings (available when using Azure Integration Runtime).

7. Select Continue.

8. Select a scan rule set for classification. You can choose between the system default, existing custom rule sets, or create a new rule set inline. Check the Classification article to learn more.

   Note

   If you are using Self-hosted runtime then you will need to upgrade to version 5.26.404.1 or higher to use Snowflake classification. You can find the latest version of Microsoft Integration runtime here.

9. Choose your scan trigger. You can set up a schedule or ran the scan once.

10. Review your scan and select Save and Run.

View your scans and scan runs

To view existing scans:

1. Go to the Microsoft Purview portal. On the left pane, select Data map.
2. Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
3. Select the scan that has results you want to view. The pane shows you all the previous scan runs, along with the status and metrics for each scan run.
4. Select the run ID to check the scan run details.

Manage your scans

To edit, cancel, or delete a scan:

1. Go to the Microsoft Purview portal. On the left pane, select Data Map.

2. Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.

3. Select the scan that you want to manage. You can then:

   • Edit the scan by selecting Edit scan.
   • Cancel an in-progress scan by selecting Cancel scan run.
   • Delete your scan by selecting Delete scan.

Note

• Deleting your scan does not delete catalog assets created from previous scans.

Lineage

After scanning your Snowflake source, you can browse data catalog or search data catalog to view the asset details.

Go to the asset -> lineage tab, you can see the asset relationship when applicable. Refer to the supported capabilities section on the supported Snowflake lineage scenarios. For more information about lineage in general, see data lineage and lineage user guide.

Note

If a view was created by tables from different databases, scan all databases simultaneously using the names in the semicolon (;) list.

Troubleshooting tips

• Check your account identifier in the source registration step. Don't include https:// part at the front.
• Make sure the warehouse name and database name are in capital case on the scan setup page.
• Check your key vault. Make sure there are no typos in the password.
• Check the credential you set up in Microsoft Purview. The user you specify must have a default role with the necessary access rights to both the warehouse and the database you're trying to scan. See Required permissions for scan. USE DESCRIBE USER; to verify the default role of the user you've specified for Microsoft Purview.
• Use Query History in Snowflake to see if any activity is coming across.
  • If there's a problem with the account identifer or password, you won't see any activity.
  • If there's a problem with the default role, you should at least see a USE WAREHOUSE . . . statement.
  • You can use the QUERY_HISTORY_BY_USER table function to identify what role is being used by the connection. Setting up a dedicated Microsoft Purview user will make troubleshooting easier.

Next steps

Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.

• Data Estate Insights in Microsoft Purview
• Lineage in Microsoft Purview
• Search Data Catalog