Analytics pipelines can fail in subtle ways. OpenSRE connects to your Snowflake warehouse to help investigate issues by querying warehouse metadata, reviewing query history, checking warehouse health, and identifying performance bottlenecks.

Before you start

You’ll need:
  • A Snowflake account (trial or production)
  • A configured warehouse
  • Snowflake credentials with appropriate permissions
  • A database and schema to query
  • Network access from your OpenSRE environment to Snowflake

Connecting to Snowflake

The guided way

For a step-by-step walkthrough:
opensre integrations setup
Choose Snowflake and follow the prompts.

The direct way: Environment variables

Or add these to your .env:
SNOWFLAKE_ACCOUNT_IDENTIFIER=xy12345.us-east-1
SNOWFLAKE_USER=opensre_user
SNOWFLAKE_TOKEN=your_programmatic_access_token
SNOWFLAKE_PASSWORD=your_password
SNOWFLAKE_WAREHOUSE=COMPUTE_WH
SNOWFLAKE_DATABASE=analytics
SNOWFLAKE_SCHEMA=public
SNOWFLAKE_ROLE=viewer
| Variable | Default | Description |
| --- | --- | --- |
| SNOWFLAKE_ACCOUNT_IDENTIFIER | | Required. Snowflake account identifier |
| SNOWFLAKE_ACCOUNT | | Alternative Snowflake account variable |
| SNOWFLAKE_USER | | Snowflake username |
| SNOWFLAKE_TOKEN | | Required. Programmatic access token for API authentication |
| SNOWFLAKE_PASSWORD | | Optional password (used alongside token where configured) |
| SNOWFLAKE_WAREHOUSE | | Warehouse name (for example, COMPUTE_WH) |
| SNOWFLAKE_DATABASE | | Default database |
| SNOWFLAKE_SCHEMA | | Default schema |
| SNOWFLAKE_ROLE | | Role with appropriate permissions |

OpenSRE requires SNOWFLAKE_ACCOUNT_IDENTIFIER and SNOWFLAKE_TOKEN to activate the integration. Generate a programmatic access token in Snowflake under your user’s security settings.

Option 3: Persistent store

{
  "version": 1,
  "integrations": [
    {
      "id": "snowflake-prod",
      "service": "snowflake",
      "status": "active",
      "credentials": {
        "account": "xy12345.us-east-1",
        "user": "opensre_user",
        "token": "your_programmatic_access_token",
        "password": "your_password",
        "warehouse": "COMPUTE_WH",
        "database": "analytics",
        "schema": "public",
        "role": "viewer"
      }
    }
  ]
}

Finding your account identifier

Snowflake account identifiers can vary depending on your region and organization setup.
  1. Open the Snowflake web interface
  2. Open your account or profile settings
  3. Locate your account identifier
  4. Use the full value for SNOWFLAKE_ACCOUNT_IDENTIFIER
Examples:
xy12345
xy12345.us-east-1
myorg-myaccount
myorg-myaccount.eu-west-1
Use the full account identifier shown by Snowflake. Do not remove region or organization information unless your Snowflake deployment documentation explicitly instructs you to do so.

Best practice: Create a dedicated role for OpenSRE

Instead of using an administrative account, create a role with only the permissions OpenSRE requires.
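-- Dedicated read-only role for OpenSRE.
CREATE ROLE opensre_viewer;

-- USAGE lets the role resolve the database and schemas and run queries on the
-- warehouse; SELECT and MONITOR alone do not.
GRANT USAGE ON DATABASE analytics TO ROLE opensre_viewer;
GRANT USAGE ON ALL SCHEMAS IN DATABASE analytics TO ROLE opensre_viewer;
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE opensre_viewer;
GRANT SELECT ON ALL TABLES IN DATABASE analytics TO ROLE opensre_viewer;
GRANT MONITOR ON WAREHOUSE COMPUTE_WH TO ROLE opensre_viewer;

-- Service user; replace the placeholder password with a generated secret.
CREATE USER opensre_user PASSWORD = 'strong_secure_password';

GRANT ROLE opensre_viewer TO USER opensre_user;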
Then use those credentials in your OpenSRE configuration.

Investigation tools

When OpenSRE investigates a Snowflake-related alert, this tool is available:

Query history

Runs bounded, read-only queries against Snowflake query history to surface recent failed queries, long-running statements, and warehouse usage patterns during an incident.

Security recommendations

  • Use a dedicated Snowflake user for OpenSRE
  • Grant only the permissions required for investigations
  • Rotate credentials regularly
  • Monitor access through Snowflake audit logs
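
One way to act on the last recommendation, written as an added example and not taken from OpenSRE: two queries against Snowflake's ACCOUNT_USAGE views that review what the dedicated user did. The user and role names come from the role-creation statements on this page; the read-only statement allowlist and the 7-day window are assumptions to tune.

```sql
-- Added example, not OpenSRE's own queries.
-- Assumes the user and role created earlier on this page. Unquoted identifiers
-- are stored upper-case, hence 'OPENSRE_USER' and 'OPENSRE_VIEWER'.
-- Run with a role that can read SNOWFLAKE.ACCOUNT_USAGE.

-- 1. Statements by the OpenSRE user that are not on the read-only allowlist,
--    or that ran under a role other than the dedicated one.
SELECT start_time,
       role_name,
       warehouse_name,
       query_type,
       execution_status,
       LEFT(query_text, 200) AS query_preview
FROM snowflake.account_usage.query_history
WHERE user_name = 'OPENSRE_USER'
  AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND (query_type NOT IN ('SELECT', 'SHOW', 'DESCRIBE', 'USE')  -- assumed allowlist
       OR role_name IS DISTINCT FROM 'OPENSRE_VIEWER')
ORDER BY start_time DESC;

-- 2. Logins for the same user grouped by source address and client, so a new
--    address, a different authentication factor, or a run of failures stands out.
SELECT client_ip,
       reported_client_type,
       first_authentication_factor,
       is_success,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE user_name = 'OPENSRE_USER'
  AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY client_ip, reported_client_type, first_authentication_factor, is_success
ORDER BY last_seen DESC;
```

ACCOUNT_USAGE views lag real time, so these suit a scheduled review rather than live alerting. An empty result from the first query is the expected state for a read-only integration.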

Test the connection

Let’s verify everything is working:
opensre integrations verify snowflake
Expected output:
Service: snowflake
Status: passed
Detail: Configured for Snowflake account xy12345.us-east-1

Troubleshooting

| Symptom | Fix |
| --- | --- |
| Missing token credentials | Set SNOWFLAKE_TOKEN. Password alone does not activate the integration. |
| Invalid account identifier | Use the full identifier from Snowflake (including region/org suffix if shown). |
| Warehouse suspended | Resume the warehouse in Snowflake or grant OPERATE on the warehouse to the OpenSRE role. |
| Insufficient privileges | Grant MONITOR on the warehouse and SELECT on ACCOUNT_USAGE.QUERY_HISTORY. |