Working with a Snowflake warehouse connection

✅ Enterprise: AWS, Azure, GCP, and On-Premises

✅ Marketplace: AWS, Azure, and GCP

✅ SaaS: AWS, Azure, and GCP

✅ Single Node Installation (SNI)


You can set up a data connection to connect to your Snowflake data warehouse for all clouds (AWS, Azure, and GCP).

Note

  • From Kyvos 2025.8 onwards, for AWS SaaS, you can manage a Snowflake account in Kyvos.

  • You can include the username in the Snowflake query as a comment in the SQL statement. To do this, set the kyvos.connection.sql.addcomment property to ‘True’ in the Snowflake connection.

  • If you have enabled network policies in Snowflake, you must use a Databricks workspace with the option Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) set to Yes. Additionally, add the NAT Gateway public IP of the Databricks VNet to the Snowflake network policies.

  • For Kyvos data security, if you want to use external security configured at the cluster level, such as user impersonation, to enforce roles and permissions while viewing a Snowflake semantic model, you must change the value of the QUERYING_SECURITY_LEVEL property (in biserver.properties) from 2 to 1.

  • You can create multiple Snowflake connections for raw data querying. The connections are available on the semantic model designer page, where you can select the connection to be used for a particular semantic model.
    See the Working with non-materialized or raw data semantic models section for more details. 

Prerequisites for creating a Snowflake connection

  1. The access role used for creating the connection must have the following permissions on your Snowflake staging database.
    Grant usage on the database:
    GRANT USAGE ON DATABASE <database> TO ROLE <role>;
    Grant usage on the schema:
    GRANT USAGE ON SCHEMA <database>.public TO ROLE <role>;
    Grant create stage on the public schema:
    GRANT CREATE STAGE ON SCHEMA <database>.public TO ROLE <role>;

  2. For OAuth token-based authentication, you need an access token to access Snowflake resources and a refresh token to obtain a new access token when the current one expires.
    To fetch tokens from a Snowflake server, the Kyvos application must be registered with the target Snowflake server. This configuration must be done by the Snowflake Admin user (outside of Kyvos). Once this is done, the Admin receives the client_id, client_secret, authorization URL, and token URL. You need these property values when creating a Kyvos connection so that the Kyvos server can fetch tokens from the Snowflake server.

  3. If you have deployed a VPC with an Internet Gateway, you must assign an Elastic IP to the Analytical Server.

To set up or view a Snowflake warehouse connection, perform the following steps. 

  1. From the Toolbox, click Connections.

  2. From the Actions menu, click Add Connection.

  3. Enter a name or select it from the Connection list.

  4. After you finish configuring the settings using the table shown below, click the Test button at the top left to validate the connection settings.

  5. If the connection is valid, click the Save button.

  6. To refresh connections, click the Actions menu ( ⋮ ) at the top of the Connections column and select Refresh.

 

Cross-Account Export Directory Support for Snowflake Connection

This feature enables exporting data from Snowflake to an Amazon S3 bucket located in a different AWS account (cross-account bucket). With this configuration, Snowflake writes the exported data directly to the target S3 bucket (in the account referred to as Account-B), while Kyvos (in the account referred to as Account-A) manages the temporary and export files with the required permissions.

Snowflake Configuration

Perform the following steps in Snowflake.

1. Create a Storage Integration - Account-B

Create a storage integration that references:

  • The Account-B S3 bucket

  • The IAM role ARN from Account-B that has access to the bucket

Example:

CREATE STORAGE INTEGRATION <integration_name>
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = S3
  ENABLED = TRUE
  STORAGE_AWS_ROLE_ARN = '<cross_account_role_arn>'
  STORAGE_ALLOWED_LOCATIONS = ('s3://<CrossAccountS3Bucket>');

2. Create an External Stage

Create an external stage using the storage integration created above.

CREATE STAGE <stage_name>
  STORAGE_INTEGRATION = <integration_name>
  URL = 's3://<CrossAccountS3Bucket>/<Path>/temp/'
  FILE_FORMAT = (TYPE=parquet);

Kyvos Configuration - Account-A

Configure the Snowflake connection in Kyvos:

  1. Configure Snowflake Stage: In the Snowflake connection, specify the external stage created in Snowflake.
    kyvos.connection.snowflake.stage=<stage_name>
    The stage must point to the cross-account S3 location: s3://<CrossAccountS3Bucket>/<Path>/temp/

  2. Configure the export directory: Specify the cross-account export directory in the Snowflake connection properties.
    kyvos.connection.data.export.dir=s3://<CrossAccountS3Bucket>/<Path>

Required Permissions and Policies

Ensure the following permissions are configured for successful data export.

1. Kyvos AWS Account (Account-A)

On the EC2 IAM role used by Kyvos, attach a policy that allows access to the Account-B S3 bucket.

Required permissions:

  • s3:PutObject

  • s3:DeleteObject

  • s3:AbortMultipartUpload

  • s3:ListBucket (if required)

2. Account-B S3 Bucket

On the Account-B S3 bucket, configure a bucket policy that allows access to the Account-A EC2 IAM role.

The bucket policy must allow:

Principal

  • Kyvos EC2 IAM Role ARN

Actions

  • s3:PutObject

  • s3:DeleteObject

  • s3:AbortMultipartUpload
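
The two policies described above, generated and checked in Python as an added example (not Kyvos or AWS code). The bucket name, path, role ARN and Sid values are constructed placeholders; limiting the grant to the export path and the s3:prefix condition on s3:ListBucket are assumptions beyond what this page states.

```python
import json

# Object-level actions the page lists for the Kyvos EC2 role on the Account-B bucket.
OBJECT_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"]

def build_policies(bucket, prefix, kyvos_role_arn, allow_list=False):
    """Return (identity policy for the Account-A role, bucket policy for Account-B)."""
    prefix = prefix.strip("/")
    # Assumption: access is limited to the export path, not the whole bucket.
    obj_stmt = {"Sid": "KyvosExportObjects", "Effect": "Allow",
                "Action": OBJECT_ACTIONS,
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"}
    identity = {"Version": "2012-10-17", "Statement": [obj_stmt]}
    if allow_list:
        # s3:ListBucket is a bucket-level action, so it targets the bucket ARN.
        identity["Statement"].append({
            "Sid": "KyvosExportList", "Effect": "Allow", "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringLike": {"s3:prefix": f"{prefix}/*"}}})
    bucket_policy = {"Version": "2012-10-17", "Statement": [
        dict(obj_stmt, Principal={"AWS": kyvos_role_arn})]}
    return identity, bucket_policy

def lint_bucket_policy(policy, kyvos_role_arn):
    """Flag Allow statements that are broader than the grant described on the page."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = [aws] if isinstance(aws, str) else list(aws or [])
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal")
        if kyvos_role_arn in principals or "*" in principals:
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            extra = sorted(set(actions) - set(OBJECT_ACTIONS))
            if extra:
                findings.append(f"{sid}: actions beyond the documented list: {extra}")
    return findings

if __name__ == "__main__":
    # Constructed placeholder values, not real account IDs or bucket names.
    role = "arn:aws:iam::111111111111:role/kyvos-ec2-role"
    identity, bucket_policy = build_policies("example-export-bucket", "kyvos/export", role, True)
    print(json.dumps(identity, indent=2))
    print(json.dumps(bucket_policy, indent=2))
    print(lint_bucket_policy(bucket_policy, role))
```

The linter only reports on statements that name the Kyvos role or a wildcard principal, so unrelated statements already on the bucket are left alone.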

Copyright Kyvos, Inc. 2026. All rights reserved.