Connect: Snowflake¶

Command¶

skippr-dbt connect warehouse snowflake \
  --database ANALYTICS \
  --schema RAW \
  --warehouse COMPUTE_WH \
  --role ACCOUNTADMIN

Or run without flags to be prompted interactively.

Flag	Description
`--database`	Snowflake database name
`--schema`	Bronze/raw schema where extracted data lands
`--warehouse`	Compute warehouse
`--role`	Role with appropriate grants

Running connect warehouse snowflake writes the following to skippr-dbt.yaml:

warehouse:
  kind: snowflake
  database: ANALYTICS
  schema: RAW
  warehouse: COMPUTE_WH
  role: ACCOUNTADMIN

Authentication is always via environment variables -- credentials are never stored in the config file.

Variable	Description
`SNOWFLAKE_ACCOUNT`	Account identifier (e.g. `MYORG-MYACCOUNT` or `xy12345.us-east-1`)
`SNOWFLAKE_USER`	Login username
`SNOWFLAKE_PRIVATE_KEY_PATH`	Path to `.p8` private key file (key-pair auth, recommended)
`SNOWFLAKE_PASSWORD`	Password (only when MFA is not enforced)

Key-pair auth is recommended and required when MFA is enabled on the Snowflake account.

Generate an RSA key pair:

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out snowflake_key.p8 -nocrypt
openssl rsa -in snowflake_key.p8 -pubout -out snowflake_key.pub

Assign the public key in Snowflake:

ALTER USER myuser SET RSA_PUBLIC_KEY='MIIBIjANBgkqh...';

Set the environment variable:

export SNOWFLAKE_PRIVATE_KEY_PATH="/path/to/snowflake_key.p8"

The role needs:

Symptom	Fix
`Failed to connect: 250001`	Check the `SNOWFLAKE_ACCOUNT` format -- use the org-account form (e.g. `MYORG-MYACCOUNT`) or include the region (e.g. `xy12345.us-east-1`)
`Incorrect username or password`	Verify `SNOWFLAKE_USER` and auth env vars
`Insufficient privileges`	Ensure the role has the grants listed above
`390197 -- Multi-factor authentication is required`	Switch to key-pair auth -- password auth cannot work when MFA is enforced