Connect to and manage Snowflake in Microsoft Purview
This article outlines how to register Snowflake, and how to authenticate and interact with Snowflake in Microsoft Purview. For more information about Microsoft Purview, read the introductory article.
|Metadata Extraction||Full Scan||Incremental Scan||Scoped Scan||Classification||Access Policy||Lineage||Data Sharing|
When scanning Snowflake source, Microsoft Purview supports:
Extracting technical metadata including:
- Tables including the columns, foreign keys and unique constraints
- Views including the columns
- Stored procedures including the parameter dataset and result set
- Functions including the parameter dataset
- Streams including the columns
Fetching static lineage on assets relationships among tables, views, and streams.
When setting up scan, you can choose to scan one or more Snowflake database(s) entirely, or further scope the scan to a subset of schemas matching the given name(s) or name pattern(s).
- An Azure account with an active subscription. Create an account for free.
- An active Microsoft Purview account.
- You need Data Source Administrator and Data Reader permissions to register a source and manage it in the Microsoft Purview governance portal. For more information about permissions, see Access control in Microsoft Purview.
If your data store is not publicly accessible (if your data store limits access from on-premises network, private network or specific IPs, etc.), you will need to configure a self hosted integration runtime to connect to it.
- If your data store isn't publicly accessible, set up the latest self-hosted integration runtime. For more information, see the create and configure a self-hosted integration runtime guide.
- Ensure JDK 11 is installed on the machine where the self-hosted integration runtime is installed. Restart the machine after you newly install the JDK for it to take effect.
- Ensure Visual C++ Redistributable for Visual Studio 2012 Update 4 is installed on the self-hosted integration runtime machine. If you don't have this update installed, you can download it here.
Required permissions for scan
Microsoft Purview supports basic authentication (username and password) for scanning Snowflake. The default role of the given user will be used to perform the scan. The Snowflake user must have usage rights on a warehouse and the database(s) to be scanned, and read access to system tables in order to access advanced metadata.
Here's a sample walkthrough to create a user specifically for Microsoft Purview scan and set up the permissions. If you choose to use an existing user, make sure it has adequate rights to the warehouse and database objects.
Set up a
purview_readerrole. You need ACCOUNTADMIN rights to do this.
USE ROLE ACCOUNTADMIN; --create role to allow read only access - this will later be assigned to the Microsoft Purview user CREATE OR REPLACE ROLE purview_reader; --make sysadmin the parent role GRANT ROLE purview_reader TO ROLE sysadmin;
Create a warehouse for Microsoft Purview to use and grant rights.
--create warehouse - account admin required CREATE OR REPLACE WAREHOUSE purview_wh WITH WAREHOUSE_SIZE = 'XSMALL' WAREHOUSE_TYPE = 'STANDARD' AUTO_SUSPEND = 300 AUTO_RESUME = TRUE MIN_CLUSTER_COUNT = 1 MAX_CLUSTER_COUNT = 2 SCALING_POLICY = 'STANDARD'; --grant rights to the warehouse GRANT USAGE ON WAREHOUSE purview_wh TO ROLE purview_reader;
Create a user
purviewfor Microsoft Purview scan.
CREATE OR REPLACE USER purview PASSWORD = '<password>'; --note the default role will be used during scan ALTER USER purview SET DEFAULT_ROLE = purview_reader; --add user to purview_reader role GRANT ROLE purview_reader TO USER purview;
Grant reader rights to the database objects.
GRANT USAGE ON DATABASE <your_database_name> TO purview_reader; --grant reader access to all the database structures that purview can currently scan GRANT USAGE ON ALL SCHEMAS IN DATABASE <your_database_name> TO role purview_reader; GRANT USAGE ON ALL FUNCTIONS IN DATABASE <your_database_name> TO role purview_reader; GRANT USAGE ON ALL PROCEDURES IN DATABASE <your_database_name> TO role purview_reader; GRANT SELECT ON ALL TABLES IN DATABASE <your_database_name> TO role purview_reader; GRANT SELECT ON ALL VIEWS IN DATABASE <your_database_name> TO role purview_reader; GRANT USAGE, READ on ALL STAGES IN DATABASE <your_database_name> TO role purview_reader; --grant reader access to any future objects that could be created GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <your_database_name> TO role purview_reader; GRANT USAGE ON FUTURE FUNCTIONS IN DATABASE <your_database_name> TO role purview_reader; GRANT USAGE ON FUTURE PROCEDURES IN DATABASE <your_database_name> TO role purview_reader; GRANT SELECT ON FUTURE TABLES IN DATABASE <your_database_name> TO role purview_reader; GRANT SELECT ON FUTURE VIEWS IN DATABASE <your_database_name> TO role purview_reader; GRANT USAGE, READ ON FUTURE STAGES IN DATABASE <your_database_name> TO role purview_reader;
This section describes how to register Snowflake in Microsoft Purview using the Microsoft Purview governance portal.
Steps to register
To register a new Snowflake source in your data catalog, follow these steps:
- Navigate to your Microsoft Purview account in the Microsoft Purview governance portal.
- Select Data Map on the left navigation.
- Select Register
- On Register sources, select Snowflake. Select Continue.
On the Register sources (Snowflake) screen, follow these steps:
Enter a Name that the data source will be listed within the Catalog.
Enter the server URL used to connect to the Snowflake account in the form of
<account_identifier>.snowflakecomputing.com, for example,
xy12345.east-us-2.azure.snowflakecomputing.com. Learn more about Snowflake account identifier.
Select a collection or create a new one (Optional)
Finish to register the data source.
Follow the steps below to scan Snowflake to automatically identify assets. For more information about scanning in general, see our introduction to scans and ingestion.
Authentication for a scan
The supported authentication type for a Snowflake source is Basic authentication.
Create and run scan
To create and run a new scan, follow these steps:
If your server is publicly accessible, skip to step two. Otherwise, you'll need to make sure your self-hosted integration runtime is configured:
In the Microsoft Purview governance portal, navigate to Sources.
Select the registered Snowflake source.
Select + New scan.
Provide the below details:
Name: The name of the scan
Connect via integration runtime: Select the Azure auto-resolved integration runtime if your server is publicly accessible, or your configured self-hosted integration runtime if it isn't publicly available.
Credential: Select the credential to connect to your data source. Make sure to:
- Select Basic Authentication while creating a credential.
- Provide the user name used to connect to Snowflake in the User name input field.
- Store the user password used to connect to Snowflake in the secret key.
Warehouse: Specify the name of the warehouse instance used to empower scan in capital case. The default role assigned to the user specified in the credential must have USAGE rights on this warehouse.
Databases: Specify one or more database instance names to import in capital case. Separate the names in the list with a semi-colon (;). The default role assigned to the user specified in the credential must have adequate rights on the database objects.
Schema: List subset of schemas to import expressed as a semicolon separated list. For example,
schema1; schema2. All user schemas are imported if that list is empty. All system schemas and objects are ignored by default.
Acceptable schema name patterns using SQL LIKE expressions syntax include using %. For example:
A%; %B; %C%; D:
- Start with A or
- End with B or
- Contain C or
- Equal D
Usage of NOT and special characters aren't acceptable.
Maximum memory available (applicable when using self-hosted integration runtime): Maximum memory (in GB) available on customer's VM to be used by scanning processes. It's dependent on the size of Snowflake source to be scanned.
As a rule of thumb, please provide 1GB memory for every 1000 tables.
Choose your scan trigger. You can set up a schedule or ran the scan once.
Review your scan and select Save and Run.
View your scans and scan runs
To view existing scans:
- Go to the Microsoft Purview governance portal. Select the Data map tab on the left pane.
- Select the desired data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
- Select the scan that has results you want to view. The page shows you all of the previous scan runs, along with the status and metrics for each scan run.
- Click the run ID to check more about the scan run details.
Manage your scans - edit, delete, or cancel
To manage or delete a scan:
Go to the Microsoft Purview governance portal. Select the Data Map tab on the left pane.
Select the desired data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
Select the scan that you want to manage. You can then:
- Edit the scan by selecting Edit scan.
- Cancel an in-progress scan by selecting Cancel scan run.
- Delete your scan by selecting Delete scan.
- Deleting your scan does not delete catalog assets created from previous scans.
- The asset will no longer be updated with schema changes if your source table has changed and you re-scan the source table after editing the description on the Schema tab of Microsoft Purview.
Go to the asset -> lineage tab, you can see the asset relationship when applicable. Refer to the supported capabilities section on the supported Snowflake lineage scenarios. For more information about lineage in general, see data lineage and lineage user guide.
If a view was created by tables from different databases, scan all databases simultaneously using the names in the semicolon (;) list.
- Check your account identifer in the source registration step. Don't include
https://part at the front.
- Make sure the warehouse name and database name are in capital case on the scan setup page.
- Check your key vault. Make sure there are no typos in the password.
- Check the credential you set up in Microsoft Purview. The user you specify must have a default role with the necessary access rights to both the warehouse and the database you're trying to scan. See Required permissions for scan. USE
DESCRIBE USER;to verify the default role of the user you've specified for Microsoft Purview.
- Use Query History in Snowflake to see if any activity is coming across.
- If there's a problem with the account identifer or password, you won't see any activity.
- If there's a problem with the default role, you should at least see a
USE WAREHOUSE . . .statement.
- You can use the QUERY_HISTORY_BY_USER table function to identify what role is being used by the connection. Setting up a dedicated Microsoft Purview user will make troubleshooting easier.
Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.