Skip to main content

Overview

The Snowflake integration enables your agents to query and analyze data in your Snowflake data warehouse. Perfect for business intelligence, data analysis, and generating insights from your enterprise data while maintaining Snowflake’s security and performance standards.

Features

  • Enterprise SQL Queries: Execute any SQL query on your Snowflake warehouse
  • Automatic Scaling: Warehouses scale based on query complexity
  • Cost Optimization: Automatic warehouse suspension to control costs
  • Clean Results: Structured, easy-to-read query results
  • Advanced Analytics: Support for complex analytical queries and functions
  • Secure Access: Enterprise-grade security and access controls

Prerequisites

  • Active Snowflake account with data warehouse access
  • User credentials with query permissions on target databases
  • Warehouse name with sufficient compute resources
  • Database and schema access rights for your data
  • Network connectivity to Snowflake servers

Authentication

Aster connects to Snowflake with one of two methods:
  • Programmatic Access Token (PAT) — recommended. A scoped, expiring token tied to a Snowflake user. Best for service accounts: it avoids MFA/SSO prompts, can be restricted to a single read-only role, and is easy to rotate or revoke.
  • Username & password. Supported, but discouraged for automation — passwords trigger MFA on many accounts and can’t be scoped or expired like a PAT.
Key-pair (private key) auth is not supported. Snowflake key-pair authentication uses a private key file — Aster does not accept one. If you have set up a key-pair, you do not need to send the private key; generate a PAT for the service user instead (covered below). The PAT is the only secret Aster needs.

What Aster needs

These are the exact fields on the Control Hub connection form. Everything except the secret is non-sensitive.
FieldRequiredExampleNotes
Authentication MethodYesProgrammatic Access TokenPAT or Username/Password
Account IdentifierYesORGNAME-ACCOUNT_NAMEThe orgname-account_name form (or locator.region, e.g. xy12345.us-east-1). Exclude .snowflakecomputing.com. Run the last line of the script below to get it.
Snowflake UsernameYesASTER_SVCThe service-account user
Programmatic Access TokenPAT auth(the token secret)The only secret. Required when auth method is PAT.
Snowflake PasswordPassword auth(the password)Required only when auth method is Username/Password
Default WarehouseYesASTER_WHWarehouse Aster runs queries on
Default DatabaseYesANALYTICSDatabase the agent queries
Default SchemaYesPUBLICSchema within that database
Default RoleYesASTER_ROThe least-privilege role the token is restricted to
Run this once in a Snowflake worksheet as ACCOUNTADMIN. It creates a dedicated, read-only service user, a small dedicated warehouse, the grants Aster needs, and the PAT. Replace the YOUR_DATABASE placeholder (repeat the data grants for each database you want the agent to read). 
USE ROLE ACCOUNTADMIN;

-- 1. Least-privilege role for Aster
CREATE ROLE IF NOT EXISTS ASTER_RO;

-- 2. A small dedicated warehouse (auto-suspend keeps cost near zero when idle)
CREATE WAREHOUSE IF NOT EXISTS ASTER_WH
  WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE INITIALLY_SUSPENDED = TRUE;
GRANT USAGE, OPERATE ON WAREHOUSE ASTER_WH TO ROLE ASTER_RO;

-- 3. Read-only access to the data the agent should query (repeat per database)
GRANT USAGE  ON DATABASE YOUR_DATABASE                 TO ROLE ASTER_RO;
GRANT USAGE  ON ALL SCHEMAS    IN DATABASE YOUR_DATABASE TO ROLE ASTER_RO;
GRANT USAGE  ON FUTURE SCHEMAS IN DATABASE YOUR_DATABASE TO ROLE ASTER_RO;
GRANT SELECT ON ALL TABLES     IN DATABASE YOUR_DATABASE TO ROLE ASTER_RO;
GRANT SELECT ON FUTURE TABLES  IN DATABASE YOUR_DATABASE TO ROLE ASTER_RO;
GRANT SELECT ON ALL VIEWS      IN DATABASE YOUR_DATABASE TO ROLE ASTER_RO;
GRANT SELECT ON FUTURE VIEWS   IN DATABASE YOUR_DATABASE TO ROLE ASTER_RO;

-- 4. Dedicated service user
CREATE USER IF NOT EXISTS ASTER_SVC
  TYPE = SERVICE
  DEFAULT_ROLE = ASTER_RO
  DEFAULT_WAREHOUSE = ASTER_WH
  COMMENT = 'Service account for Aster Agents';
GRANT ROLE ASTER_RO TO USER ASTER_SVC;

-- 5. Network policy (REQUIRED for PAT auth)
--    Snowflake only honors a PAT if the user is subject to a network policy.
--    Aster queries from a managed cloud backend without a fixed egress IP, so
--    scope an allow-all policy to JUST this service user. The user is read-only,
--    so the blast radius is limited. Tighten the IP list if you proxy through a
--    static egress.
CREATE NETWORK POLICY IF NOT EXISTS ASTER_SVC_NETPOLICY ALLOWED_IP_LIST = ('0.0.0.0/0');
ALTER USER ASTER_SVC SET NETWORK_POLICY = ASTER_SVC_NETPOLICY;

-- 6. Generate the PAT — copy the token_secret it returns (shown only once)
ALTER USER ASTER_SVC ADD PROGRAMMATIC ACCESS TOKEN ASTER_PAT
  ROLE_RESTRICTION = 'ASTER_RO' DAYS_TO_EXPIRY = 365;

-- 7. Your Account Identifier for the Aster connection form
SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME() AS aster_account_field;
A TYPE = SERVICE user cannot have a password — it authenticates by PAT (or key-pair, which Aster doesn’t use). If you specifically want password auth, create a normal user instead and skip the PAT step.
Snowflake does not use Aster’s fixed database-tool IPs. Aster’s Postgres and SQL Server tools connect from two static egress IPs you can allowlist; the Snowflake tool runs on a different backend without a fixed egress set, so allowlisting those IPs here will block the connection. Scope the network policy to the read-only service user instead, as shown above.
Then in Control Hub → Integrations → Snowflake, choose Programmatic Access Token, and fill in: Account = step 7 output, User = ASTER_SVC, Token = the token_secret from step 6, Warehouse = ASTER_WH, Database = YOUR_DATABASE, Schema, Role = ASTER_RO. Click Test Connection.

Sharing the credential securely

The PAT (or password) is the only secret involved — there is no private key to move.
  • Best: whoever provisions Snowflake enters the PAT directly into the Control Hub form themselves. Aster never needs it handed over.
  • If Aster is setting up the connection for you: send the token through a secure channel — your organization’s encryption/secrets service or a one-time secret link (e.g. 1Password, Doppler, onetimesecret.com). Do not send it in plaintext email or chat.
  • Because a PAT is scoped to a read-only role and has an expiry, it’s far safer to transmit than a password or private key — and you can revoke it instantly with ALTER USER ASTER_SVC REMOVE PROGRAMMATIC ACCESS TOKEN ASTER_PAT.

Security Considerations

  • Use a dedicated, read-only service account (the script above) rather than a personal or admin login
  • Restrict the PAT to a least-privilege role with ROLE_RESTRICTION, and grant that role only the databases/schemas the agent needs
  • Set an expiry on the PAT (DAYS_TO_EXPIRY) and rotate it on a schedule
  • Use a small, auto-suspending warehouse to cap compute cost
  • Monitor query history for the service user to audit agent activity
  • Revoke instantly if needed by removing the token or disabling the user

Troubleshooting

  • Verify your account identifier format (should not include .snowflakecomputing.com)
  • Check network connectivity to Snowflake
  • Confirm the warehouse exists and is available
  • Validate you’re using the correct account region
  • PAT rejected even though the token is correct? The most common cause: the service user isn’t subject to a network policy. Snowflake silently refuses PAT auth without one — apply ASTER_SVC_NETPOLICY as shown in the setup script.
  • Confirm the PAT hasn’t expired or been removed, and that its ROLE_RESTRICTION matches the Default Role on the connection
  • For password auth: verify the username/password and that the user isn’t blocked by MFA
  • Check that the user account is active and not suspended
  • Verify the warehouse has sufficient compute resources
  • Check that you have permissions on the tables/views
  • Confirm access to the database and schema
  • Review query syntax and complexity
  • Snowflake SQL - Execute SQL queries on your Snowflake warehouse