Skip to main content

πŸš€ Snowflake Data Destination Setup Guide

Automated Snowflake warehouse, database, schema, OAuth authentication, and S3 bucket configuration

Openbridge Support avatar
Written by Openbridge Support
Updated this week

Snowflake is quick to configure, especially with our fully automated Snowflake Worksheet commands. Please note that the process detailed in this document will not work without an active, billing-enabled Snowflake account. If you have not done so, please make sure you have updated your billing information in Snowflake.

πŸ“ Prerequisites

Before running the setup script, there are a few key connection details that are needed to configure Snowflake destination properly:

  • Snowflake Account
    You should have access to a Snowflake account with ACCOUNTADMIN or equivalent privileges. Snowflake account name can be found in your Snowflake account details

  • Warehouse
    The script in the docs will create one if it doesn't exist, but ensure naming conventions and sizes meet your org's policies.

  • Username, Password, Database & Schema
    All will be created in the script. Modify names as needed.

  • OAuth Integration

    • The script in the docs will creates and provides the Client ID and Client Secret used for authenticating Openbridge. You can retrieve them after creating a security integration using:

      SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('OPENBRIDGE_OAUTH2');

    • The Authorization URL can be found in your Snowflake account details and typically follows this format:
      ​https://<your-account-name>.snowflakecomputing.com

  • Stage
    The script creates a named stage for storing Parquet files. Ensure your environment supports required file formats and S3 policies if using external staging.

  • S3 Bucket with Permissions
    Use the Openbridge CloudFormation template (see below) to create a bucket with required access policies.

πŸͺ£ Setting Up the S3 Bucket (via CloudFormation)

To support external staging for your Snowflake destination, Openbridge provides a pre-configured AWS CloudFormation template. This template will automatically create an S3 bucket with the necessary read/write permissions for Openbridge.


β€‹βœ… What It Does:

  • Creates a secure S3 bucket

  • Sets required bucket policies

  • Configures permissions for Openbridge access

πŸš€ Launch the Template:

Use the link below to deploy the CloudFormation stack in your AWS account:

πŸ‘‰ Download Openbridge Snowflake S3 Bucket Template

(⚠️ Make sure you have appropriate AWS IAM privileges to deploy CloudFormation stacks.)

After deployment, you will have:

  • An S3 bucket ready to use in Step 3, make sure you save the bucket name.

  • Permissions already in placeβ€”no manual bucket policy changes needed

πŸ”§ Step 1: Automated Setup via SQL Script

Run the following SQL script to automatically provision everything required for the Openbridge Snowflake destination:
​

What this script sets up:

  • βœ… Role

  • βœ… Warehouse

  • βœ… Database & Schema

  • βœ… OAuth Integration (provides Client ID and Client Secret)

  • βœ… Stage

  • βœ… Permissions

  • βœ… Test operations (create, insert, update, delete)

βš™οΈ Before You Run the Script

Make sure to replace all placeholder values with those specific to your Snowflake environment:

  • YOUR_OPENBRIDGE_ROLE

  • YOUR_OPENBRIDGE_WAREHOUSE

  • YOUR_OPENBRIDGE_DATABASE

  • YOUR_OPENBRIDGE_SCHEMA

  • YOUR_OPENBRIDGE_STAGE

πŸ“ Save These Values β€” You’ll Need Them Later in Openbridge

πŸ” For OAuth Login

(When prompted by the Snowflake OAuth login screen during authorization)

Make sure to copy the values you used in the script for:

  • openbridge_username

  • openbridge_password

πŸ“₯ For Snowflake Destination Setup (Step 3 in Openbridge UI)

Save the following values as well β€” you’ll need them to complete the destination configuration:

  • Account Name (e.g., xy12345.us-east-1)

  • Database

  • Schema

  • Warehouse

  • Stage

  • S3 Bucket (created using the CloudFormation template earlier)

-- Set variables (Replace placeholders with your actual values)
SET openbridge_role = 'YOUR_OPENBRIDGE_ROLE';          -- e.g., 'BUXZZ_ROLE'
SET openbridge_username = 'YOUR_OPENBRIDGE_USER';      -- e.g., 'BUXZZ_USER'
SET openbridge_password = 'YOUR_PASSWORD';             -- e.g., '12BUXZZ!@'
SET openbridge_warehouse = 'YOUR_OPENBRIDGE_WAREHOUSE';-- e.g., 'BUXZZ_WAREHOUSE'
SET openbridge_database = 'YOUR_OPENBRIDGE_DATABASE';  -- e.g., 'BUXZZ_DATABASE'
SET openbridge_schema = 'YOUR_OPENBRIDGE_SCHEMA';      -- e.g., 'BUXZZ_SCHEMA'
SET openbridge_stage = 'YOUR_OPENBRIDGE_STAGE';        -- e.g., 'BUXZZ_STAGE'
SET openbridge_namespace = $openbridge_database || '.' || $openbridge_schema;

-- Use the ACCOUNTADMIN role to ensure sufficient privileges
USE ROLE ACCOUNTADMIN;

-- Step 1: Setup
-- Create the Openbridge role if it doesn't exist
CREATE ROLE IF NOT EXISTS IDENTIFIER($openbridge_role);

-- Create the Openbridge user if it doesn't exist
CREATE USER IF NOT EXISTS IDENTIFIER($openbridge_username)
  PASSWORD = $openbridge_password
  DEFAULT_ROLE = $openbridge_role
  DEFAULT_WAREHOUSE = $openbridge_warehouse
  DEFAULT_NAMESPACE = $openbridge_namespace; -- Use pre-built namespace

-- Grant the role to the user
GRANT ROLE IDENTIFIER($openbridge_role) TO USER IDENTIFIER($openbridge_username);

-- Assign the current user's name to a variable
SET current_username = CURRENT_USER();

-- Grant the role to your current user (for testing purposes)
GRANT ROLE IDENTIFIER($openbridge_role) TO USER IDENTIFIER($current_username);

-- Create the warehouse if it doesn't exist
CREATE WAREHOUSE IF NOT EXISTS IDENTIFIER($openbridge_warehouse)
  WAREHOUSE_SIZE = 'XSMALL'
  WAREHOUSE_TYPE = 'STANDARD'
  AUTO_SUSPEND = 60
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE;

-- Grant usage on the warehouse to the role
GRANT USAGE ON WAREHOUSE IDENTIFIER($openbridge_warehouse) TO ROLE IDENTIFIER($openbridge_role);

-- Create the database if it doesn't exist
CREATE DATABASE IF NOT EXISTS IDENTIFIER($openbridge_database);

-- Grant usage on the database to the role (without CREATE SCHEMA privilege)
GRANT USAGE ON DATABASE IDENTIFIER($openbridge_database) TO ROLE IDENTIFIER($openbridge_role);

-- Use the new database
USE DATABASE IDENTIFIER($openbridge_database);

-- Create the OAuth2 integration
CREATE SECURITY INTEGRATION IF NOT EXISTS
  openbridge_oauth2
  TYPE = OAUTH
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://oauth.api.openbridge.io/oauth/callback'
  ENABLED = TRUE
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
  COMMENT = 'Openbridge OAuth';

-- Create the stage
CREATE STAGE IDENTIFIER($openbridge_stage)
  FILE_FORMAT = (TYPE = 'PARQUET');
GRANT ALL PRIVILEGES ON STAGE IDENTIFIER($openbridge_stage) TO ROLE IDENTIFIER($openbridge_role);

-- Create a schema
CREATE SCHEMA IF NOT EXISTS IDENTIFIER($openbridge_schema); 

-- Grant privileges on the schema to the role
GRANT USAGE ON SCHEMA IDENTIFIER($openbridge_schema) TO ROLE IDENTIFIER($openbridge_role);
GRANT CREATE TABLE, CREATE VIEW, CREATE STAGE, CREATE FILE FORMAT ON SCHEMA IDENTIFIER($openbridge_schema) TO ROLE IDENTIFIER($openbridge_role);

-- Step 2: Switch to the Openbridge role for testing
USE ROLE IDENTIFIER($openbridge_role);

-- Set the context to use the Openbridge warehouse, database, and schema
USE WAREHOUSE IDENTIFIER($openbridge_warehouse);
USE DATABASE IDENTIFIER($openbridge_database);
USE SCHEMA IDENTIFIER($openbridge_schema);

-- Step 3: Test Operations

-- Test 1: Create a table
CREATE OR REPLACE TABLE test_table (
  id INT AUTOINCREMENT PRIMARY KEY,
  name STRING,
  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP()
);

-- Test 2: Insert data into the table
INSERT INTO test_table (name) VALUES
  ('Alice'),
  ('Bob'),
  ('Charlie');

-- Test 3: Query data from the table
SELECT * FROM test_table;

-- Test 4: Update data in the table
UPDATE test_table
SET name = 'Alice Updated'
WHERE name = 'Alice';

-- Test 5: Delete data from the table
DELETE FROM test_table
WHERE name = 'Bob';

-- Test 6: Drop the table
DROP TABLE test_table;

-- Retrieve client ID, client secret
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('OPENBRIDGE_OAUTH2');

πŸ›‚ OAuth-Based Authorization (No Username/Password)

Openbridge now supports secure OAuth 2.0 access. You no longer need to provide Snowflake usernames or passwords.

You Will Need:

  • Client ID

  • Client Secret

  • Authorization URL

These are retrieved from:

SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('OPENBRIDGE_OAUTH2');

The Authorization URL can be found in your Snowflake account details. It typically follows the format:

https://<your-account>.snowflakecomputing.com

βœ… Once Setup is Complete

In the Openbridge UI:

  1. Step 1: Confirm your Snowflake setup is ready.

  2. Step 2:

    • βž• Option A: Use Existing Authorization
      If you have a saved authorization, select it from the list.
      ​

    • πŸ”„ Option B: Create New Authorization
      Choose Authorize β†’ Select "Bring Your Own App" β†’ Enter Client ID, Secret, and Authorization URL β†’ Authorize via direct Snowflake login.
      ​(Once complete, your Snowflake identity will appear and can be selected.)

  3. Step 3: Fill in:

    • Snowflake Account Name (can be found in your Snowflake account details)

    • Database

    • Schema

    • Warehouse

    • Stage

    • S3 Bucket

  4. Step 4: Name your destination and click Save.

You’re done! The Snowflake destination is now fully configured using the latest secure and scalable methods.

Did this answer your question?