Connect to and manage Snowflake in Microsoft Purview

This article outlines how to register Snowflake, and how to authenticate and interact with Snowflake in Microsoft Purview. For more information about Microsoft Purview, read the introductory article.

Supported capabilities

| Metadata Extraction | Full Scan | Incremental Scan | Scoped Scan | Classification | Access Policy | Lineage | Data Sharing |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Yes | Yes | No | Yes | No | No | Yes | No |

When scanning a Snowflake source, Microsoft Purview supports:

  • Extracting technical metadata including:

    • Server
    • Databases
    • Schemas
    • Tables including the columns, foreign keys and unique constraints
    • Views including the columns
    • Stored procedures including the parameter dataset and result set
    • Functions including the parameter dataset
    • Pipes
    • Stages
    • Streams including the columns
    • Tasks
    • Sequences
  • Fetching static lineage on assets relationships among tables, views, and streams.

When setting up a scan, you can choose to scan one or more Snowflake database(s) entirely, or further scope the scan to a subset of schemas matching the given name(s) or name pattern(s).

Prerequisites

Note

If your data store is not publicly accessible (if your data store limits access from on-premises network, private network or specific IPs, etc.), you will need to configure a self-hosted integration runtime to connect to it.

Required permissions for scan

Microsoft Purview supports basic authentication (username and password) for scanning Snowflake. The default role of the given user will be used to perform the scan. The Snowflake user must have usage rights on a warehouse and the database(s) to be scanned, and read access to system tables in order to access advanced metadata.

Here's a sample walkthrough to create a user specifically for Microsoft Purview scan and set up the permissions. If you choose to use an existing user, make sure it has adequate rights to the warehouse and database objects.

  1. Set up a purview_reader role. You need ACCOUNTADMIN rights to do this.

    USE ROLE ACCOUNTADMIN;
    
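    --create role to allow read only access - this will later be assigned to the Microsoft Purview user
    --note: CREATE OR REPLACE drops and recreates an existing object of the same name, which removes its current grants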
    CREATE OR REPLACE ROLE purview_reader;
    
    --make sysadmin the parent role
    GRANT ROLE purview_reader TO ROLE sysadmin;
    
  2. Create a warehouse for Microsoft Purview to use and grant rights.

    --create warehouse - account admin required
    CREATE OR REPLACE WAREHOUSE purview_wh WITH 
        WAREHOUSE_SIZE = 'XSMALL' 
        WAREHOUSE_TYPE = 'STANDARD' 
        AUTO_SUSPEND = 300 
        AUTO_RESUME = TRUE 
        MIN_CLUSTER_COUNT = 1 
        MAX_CLUSTER_COUNT = 2 
        SCALING_POLICY = 'STANDARD';
    
    --grant rights to the warehouse
    GRANT USAGE ON WAREHOUSE purview_wh TO ROLE purview_reader;
    
  3. Create a user purview for Microsoft Purview scan.

    CREATE OR REPLACE USER purview 
        PASSWORD = '<password>'; 
    
    --note the default role will be used during scan
    ALTER USER purview SET DEFAULT_ROLE = purview_reader;
    
    --add user to purview_reader role
    GRANT ROLE purview_reader TO USER purview;
    
  4. Grant reader rights to the database objects.

    GRANT USAGE ON DATABASE <your_database_name> TO ROLE purview_reader;
    
    --grant reader access to all the database structures that purview can currently scan
    GRANT USAGE ON ALL SCHEMAS IN DATABASE <your_database_name> TO role purview_reader;
    GRANT USAGE ON ALL FUNCTIONS IN DATABASE <your_database_name> TO role purview_reader;
    GRANT USAGE ON ALL PROCEDURES IN DATABASE <your_database_name> TO role purview_reader;
    GRANT SELECT ON ALL TABLES IN DATABASE <your_database_name> TO role purview_reader;
    GRANT SELECT ON ALL VIEWS IN DATABASE <your_database_name> TO role purview_reader;
    GRANT USAGE, READ ON ALL STAGES IN DATABASE <your_database_name> TO role purview_reader;
    
    --grant reader access to any future objects that could be created
    GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <your_database_name> TO role purview_reader;
    GRANT USAGE ON FUTURE FUNCTIONS IN DATABASE <your_database_name> TO role purview_reader;
    GRANT USAGE ON FUTURE PROCEDURES IN DATABASE <your_database_name> TO role purview_reader;
    GRANT SELECT ON FUTURE TABLES IN DATABASE <your_database_name> TO role purview_reader;
    GRANT SELECT ON FUTURE VIEWS IN DATABASE <your_database_name> TO role purview_reader;
    GRANT USAGE, READ ON FUTURE STAGES IN DATABASE <your_database_name> TO role purview_reader;
    

Register

This section describes how to register Snowflake in Microsoft Purview using the Microsoft Purview governance portal.

Steps to register

To register a new Snowflake source in your data catalog, follow these steps:

  1. Navigate to your Microsoft Purview account in the Microsoft Purview governance portal.
  2. Select Data Map on the left navigation.
  3. Select Register.
  4. On Register sources, select Snowflake. Select Continue.

On the Register sources (Snowflake) screen, follow these steps:

  1. Enter a Name under which the data source will be listed in the Catalog.

  2. Enter the server URL used to connect to the Snowflake account in the form of <account_identifier>.snowflakecomputing.com, for example, xy12345.east-us-2.azure.snowflakecomputing.com. Learn more about Snowflake account identifier.

  3. Select a collection or create a new one (optional).

  4. Select Finish to register the data source.


Scan

Follow the steps below to scan Snowflake to automatically identify assets. For more information about scanning in general, see our introduction to scans and ingestion.

Authentication for a scan

The supported authentication type for a Snowflake source is Basic authentication.

Create and run scan

To create and run a new scan, follow these steps:

  1. If your server is publicly accessible, skip to step two. Otherwise, you'll need to make sure your self-hosted integration runtime is configured:

    1. In the Microsoft Purview governance portal, go to the Management Center, and select Integration runtimes.
    2. Make sure a self-hosted integration runtime is available. If one isn't set up, use the steps mentioned here to set up a self-hosted integration runtime.
  2. In the Microsoft Purview governance portal, navigate to Sources.

  3. Select the registered Snowflake source.

  4. Select + New scan.

  5. Provide the below details:

    1. Name: The name of the scan

    2. Connect via integration runtime: Select the Azure auto-resolved integration runtime if your server is publicly accessible, or your configured self-hosted integration runtime if it isn't publicly available.

    3. Credential: Select the credential to connect to your data source. Make sure to:

      • Select Basic Authentication while creating a credential.
      • Provide the user name used to connect to Snowflake in the User name input field.
      • Store the user password used to connect to Snowflake in the secret key.
    4. Warehouse: Specify the name of the warehouse instance used to power the scan, in capital case. The default role assigned to the user specified in the credential must have USAGE rights on this warehouse.

    5. Databases: Specify one or more database instance names to import in capital case. Separate the names in the list with a semi-colon (;). The default role assigned to the user specified in the credential must have adequate rights on the database objects.

    6. Schema: List the subset of schemas to import, expressed as a semicolon-separated list. For example, schema1; schema2. All user schemas are imported if that list is empty. All system schemas and objects are ignored by default.

      Acceptable schema name patterns using SQL LIKE expressions syntax include using %. For example: A%; %B; %C%; D:

      • Start with A or
      • End with B or
      • Contain C or
      • Equal D

      Usage of NOT and special characters isn't acceptable.

    7. Maximum memory available (applicable when using self-hosted integration runtime): Maximum memory (in GB) available on customer's VM to be used by scanning processes. It's dependent on the size of Snowflake source to be scanned.

      Note

      As a rule of thumb, please provide 1 GB of memory for every 1000 tables.

  6. Select Continue.

  7. Choose your scan trigger. You can set up a schedule or run the scan once.

  8. Review your scan and select Save and Run.
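
The schema filter from step 5 can be previewed in Snowflake before the scan runs. This is an added example, not part of the original article; it assumes the filter matches the way Snowflake's own LIKE does (case-sensitive) and that spaces around each pattern are ignored, and the session variable name scope_filter is hypothetical.

```sql
-- Added example: preview which schemas a Purview schema filter would select.
-- Assumptions: matching behaves like Snowflake LIKE; whitespace around each
-- pattern is trimmed. Run it under the scan role (purview_reader) so that
-- INFORMATION_SCHEMA only lists schemas that role can actually reach.
USE DATABASE <your_database_name>;

-- Same semicolon-separated form as the Schema field on the scan setup page.
SET scope_filter = 'A%; %B; %C%; D';

WITH patterns AS (
    -- One row per pattern, with surrounding spaces removed and blanks dropped.
    SELECT TRIM(value) AS pattern
    FROM TABLE(SPLIT_TO_TABLE($scope_filter, ';'))
    WHERE TRIM(value) <> ''
)
SELECT s.schema_name,
       LISTAGG(p.pattern, '; ') WITHIN GROUP (ORDER BY p.pattern) AS matched_by
FROM INFORMATION_SCHEMA.SCHEMATA AS s
JOIN patterns AS p
  ON s.schema_name LIKE p.pattern
WHERE s.schema_name <> 'INFORMATION_SCHEMA'   -- system schemas are ignored by the scan
GROUP BY s.schema_name
ORDER BY s.schema_name;
```

A schema missing from the result either matches no pattern or is not visible to the role running the query.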

View your scans and scan runs

To view existing scans:

  1. Go to the Microsoft Purview governance portal. Select the Data map tab on the left pane.
  2. Select the desired data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
  3. Select the scan that has results you want to view. The page shows you all of the previous scan runs, along with the status and metrics for each scan run.
  4. Select the run ID to see more details about the scan run.

Manage your scans - edit, delete, or cancel

To manage or delete a scan:

  1. Go to the Microsoft Purview governance portal. Select the Data Map tab on the left pane.

  2. Select the desired data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.

  3. Select the scan that you want to manage. You can then:

    • Edit the scan by selecting Edit scan.
    • Cancel an in-progress scan by selecting Cancel scan run.
    • Delete your scan by selecting Delete scan.

Note

  • Deleting your scan does not delete catalog assets created from previous scans.
  • The asset will no longer be updated with schema changes if your source table has changed and you re-scan the source table after editing the description on the Schema tab of Microsoft Purview.

Lineage

After scanning your Snowflake source, you can browse the data catalog or search the data catalog to view the asset details.

Go to the asset -> lineage tab to see the asset relationship when applicable. Refer to the supported capabilities section on the supported Snowflake lineage scenarios. For more information about lineage in general, see data lineage and lineage user guide.

Note

If a view was created from tables in different databases, scan all databases simultaneously using the names in the semicolon (;) list.

Troubleshooting tips

  • Check your account identifier in the source registration step. Don't include the https:// part at the front.
  • Make sure the warehouse name and database name are in capital case on the scan setup page.
  • Check your key vault. Make sure there are no typos in the password.
  • Check the credential you set up in Microsoft Purview. The user you specify must have a default role with the necessary access rights to both the warehouse and the database you're trying to scan. See Required permissions for scan. Use DESCRIBE USER; to verify the default role of the user you've specified for Microsoft Purview.
  • Use Query History in Snowflake to see if any activity is coming across.
    • If there's a problem with the account identifier or password, you won't see any activity.
    • If there's a problem with the default role, you should at least see a USE WAREHOUSE . . . statement.
    • You can use the QUERY_HISTORY_BY_USER table function to identify what role is being used by the connection. Setting up a dedicated Microsoft Purview user will make troubleshooting easier.
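
The checks from these tips and from Required permissions for scan can be run as one worksheet. This is an added example, not part of the original article; it assumes the object names from the walkthrough (user purview, role purview_reader) and a session role that is allowed to see that user's queries, such as ACCOUNTADMIN.

```sql
-- Added example: verify the scan identity and see what the connector is doing.
-- Assumes the walkthrough's names; adjust them if you used an existing user.
USE ROLE ACCOUNTADMIN;
USE DATABASE <your_database_name>;   -- INFORMATION_SCHEMA functions need a current database

-- 1. The scan runs under the user's default role: DEFAULT_ROLE should be PURVIEW_READER.
DESCRIBE USER purview;

-- 2. Roles granted directly to the scan user: ideally only PURVIEW_READER.
SHOW GRANTS TO USER purview;

-- 3. Privileges held by the scan role.
SHOW GRANTS TO ROLE purview_reader;

-- 4. From the SHOW output above, list anything beyond the read-only
--    privileges the walkthrough grants (USAGE, SELECT, READ).
--    An empty result means the role is still read-only.
SELECT "privilege", "granted_on", "name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" NOT IN ('USAGE', 'SELECT', 'READ');

-- 5. Future grants, so newly created objects stay visible to the scan.
SHOW FUTURE GRANTS IN DATABASE <your_database_name>;

-- 6. Recent statements issued by the scan user, with the role and warehouse
--    actually used. No rows: the connection never authenticated (account
--    identifier or password). Only a USE WAREHOUSE row: check the default role.
SELECT start_time, role_name, warehouse_name, database_name,
       execution_status, error_message, query_text
FROM TABLE(INFORMATION_SCHEMA.QUERY_HISTORY_BY_USER(
         USER_NAME    => 'PURVIEW',   -- unquoted identifiers are stored in upper case
         RESULT_LIMIT => 100))
ORDER BY start_time DESC;
```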
