❄
Snowflake
Rasgo is a metadata-only product: all of your actual rows and columns stay in your data warehouse, and Rasgo interacts with your data by dynamically generating SQL.
Rasgo performs both reads and writes to Snowflake:
- Rasgo catalogs tables and views in any database it has access to
- Rasgo dynamically generates and executes SQL on behalf of the user to transform and analyze data
- Rasgo can publish new tables and views into a single Snowflake database
Rasgo will always connect to your Snowflake account from these IP addresses. Make sure to whitelist them if you have networking restrictions enabled in Snowflake.
IP Address |
---|
54.84.138.60 |
54.84.66.109 |
Rasgo can use 2 different types of user credentials to authenticate to and execute SQL queries in your Snowflake account:
1. Service Account
2. End User Credentials (via Snowflake OAuth)
Rasgo needs service account user credentials to authenticate to and execute SQL queries in your account. The role you assign to this user will also need access to the source tables or views that you want to transform and visualize in Rasgo.
Here's a setup script to run in Snowflake to create the service account user, if you don't already have one:
```sql
----------------------
-- Create Role
----------------------
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS RASGO;
USE ROLE SECURITYADMIN;
GRANT ROLE RASGO TO ROLE SYSADMIN;
----------------------
-- Create DB & WH
----------------------
USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS RASGO_WH WITH WAREHOUSE_SIZE = 'LARGE' WAREHOUSE_TYPE = 'STANDARD' AUTO_SUSPEND = 300 AUTO_RESUME = TRUE;
CREATE DATABASE IF NOT EXISTS RASGO;
----------------------
-- Manage Grants
----------------------
USE ROLE SYSADMIN;
GRANT OPERATE, USAGE ON WAREHOUSE RASGO_WH TO ROLE RASGO;
GRANT USAGE ON DATABASE RASGO TO ROLE RASGO;
GRANT USAGE ON SCHEMA RASGO.PUBLIC TO ROLE RASGO;
GRANT CREATE TABLE, CREATE VIEW, CREATE STAGE ON SCHEMA RASGO.PUBLIC TO ROLE RASGO;
GRANT SELECT ON ALL TABLES IN DATABASE RASGO TO ROLE RASGO;
GRANT SELECT ON ALL VIEWS IN DATABASE RASGO TO ROLE RASGO;
USE ROLE ACCOUNTADMIN;
GRANT SELECT ON FUTURE TABLES IN DATABASE RASGO TO ROLE RASGO;
GRANT SELECT ON FUTURE VIEWS IN DATABASE RASGO TO ROLE RASGO;
----------------------
-- Grant Data Access (choose one option per source)
----------------------
USE ROLE SYSADMIN;
-- Option 1: Grant access to a schema
GRANT USAGE ON DATABASE <YOUR_DB> TO ROLE RASGO;
GRANT USAGE ON SCHEMA <YOUR_DB>.<YOUR_SCHEMA> TO ROLE RASGO;
GRANT SELECT ON ALL TABLES IN SCHEMA <YOUR_DB>.<YOUR_SCHEMA> TO ROLE RASGO;
-- Option 2: Grant access to individual tables
GRANT USAGE ON DATABASE <YOUR_DB> TO ROLE RASGO;
-- Schema name is fully qualified so the grant does not depend on the session's current database
GRANT USAGE ON SCHEMA <YOUR_DB>.<YOUR_SCHEMA> TO ROLE RASGO;
GRANT SELECT ON TABLE <YOUR_DB>.<YOUR_SCHEMA>.<YOUR_TABLE> TO ROLE RASGO;
----------------------
-- Create Service Account
----------------------
USE ROLE USERADMIN;
-- Replace '***' with a strong, unique password before running
CREATE USER IF NOT EXISTS RASGOSA
  PASSWORD = '***'
  MUST_CHANGE_PASSWORD = FALSE
  DEFAULT_NAMESPACE = RASGO
  DEFAULT_WAREHOUSE = RASGO_WH
  DEFAULT_ROLE = RASGO;
-- MANUAL STEP: Share user & password with Rasgo (needed for SSM key)
USE ROLE SECURITYADMIN;
GRANT ROLE RASGO TO USER RASGOSA;
```
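To tie the two published IP addresses to the service account created above, the following added example (not part of Rasgo's setup script) attaches a user-level network policy to RASGOSA, reviews the role's grants, and queries login history for attempts from any other address. The policy name `RASGO_SA_ONLY` and the 30-day lookback are assumptions.

```sql
-- Added example, not part of Rasgo's setup script.
-- RASGO_SA_ONLY is a hypothetical policy name; the 30-day window is an assumption.

-- 1. Allow the service account to log in only from the Rasgo IPs listed on this page.
USE ROLE SECURITYADMIN;
CREATE NETWORK POLICY RASGO_SA_ONLY
  ALLOWED_IP_LIST = ('54.84.138.60', '54.84.66.109')
  COMMENT = 'Rasgo service account: Rasgo source IPs only';
ALTER USER RASGOSA SET NETWORK_POLICY = RASGO_SA_ONLY;

-- 2. Confirm the policy is attached at the user level.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER RASGOSA;

-- 3. Review what the role can reach and who holds it.
SHOW GRANTS TO ROLE RASGO;    -- privileges granted to RASGO
SHOW GRANTS OF ROLE RASGO;    -- users and roles that hold RASGO
SHOW GRANTS TO USER RASGOSA;  -- expected per the script above: RASGO only

-- 4. Detect login attempts for the service account from any other address.
--    ACCOUNT_USAGE views lag real time and need a role with access to the
--    SNOWFLAKE database (ACCOUNTADMIN by default).
USE ROLE ACCOUNTADMIN;
SELECT EVENT_TIMESTAMP,
       CLIENT_IP,
       REPORTED_CLIENT_TYPE,
       FIRST_AUTHENTICATION_FACTOR,
       IS_SUCCESS,
       ERROR_MESSAGE
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE USER_NAME = 'RASGOSA'
  AND CLIENT_IP NOT IN ('54.84.138.60', '54.84.66.109')
  AND EVENT_TIMESTAMP >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY EVENT_TIMESTAMP DESC;
```

A user-level network policy takes precedence over an account-level one, so this restricts only RASGOSA and leaves other users' access unchanged.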
When connecting Rasgo to your Snowflake account, you'll need to provide this info:
Field | Description | Example |
---|---|---|
Account | | abc12345.snowflakecomputing.com |
Database | Snowflake database to create new views and tables in | RASGO |
Warehouse | Compute warehouse to use in Snowflake to run SQL | RASGO_WH |
Schema | Schema to create new views and tables in | PUBLIC |
Role | Snowflake role for the user to use | RASGO |
User | Snowflake username | RASGO_USER |
Password | Snowflake password | i<3rasgo |
To allow users to log in with their own Snowflake credentials and authenticate to Rasgo via an OAuth token, run the following script in Snowflake with the ACCOUNTADMIN role, then contact us directly to work through enabling SSO on your Rasgo account.
```sql
------------------------
-- Add OAUTH Integration
------------------------
CREATE SECURITY INTEGRATION RASGO_OAUTH_INT
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://app.rasgoml.com/account/integration/snowflake'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;
------------------------
-- Show Client ID and Secret to give to Rasgo
------------------------
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('RASGO_OAUTH_INT');
```
After configuring OAuth Credentials, Rasgo users will go through the following steps:
1. Sign in to Rasgo
2. Rasgo will redirect them to Snowflake to authenticate
3. After successfully authenticating with Snowflake, Snowflake redirects to Rasgo and passes a temporary OAuth token
4. Rasgo will use this OAuth token to issue queries on behalf of the user
Unless the user provides a specific role to use within Rasgo, Rasgo will use their default role according to Snowflake. Please make sure that this default role has the necessary permissions to use Rasgo.
If users ever need to change the role that Rasgo is using for them, they can do so within the "My Account" page in the App.
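Because Rasgo runs queries under each user's default role unless another is chosen, the following added example (not part of Rasgo's script) reviews the `RASGO_OAUTH_INT` integration, restricts which roles an OAuth session may assume, and lists users whose default role is privileged. Blocking SYSADMIN and the 30-day refresh-token validity are assumed values to adapt to your own policy.

```sql
-- Added example, not part of Rasgo's setup script.
-- Values marked "assumed" are illustrative choices, not Rasgo requirements.
USE ROLE ACCOUNTADMIN;

-- 1. Inspect the integration: check BLOCKED_ROLES_LIST, the redirect URI,
--    and OAUTH_REFRESH_TOKEN_VALIDITY.
DESCRIBE SECURITY INTEGRATION RASGO_OAUTH_INT;

-- 2. Block an additional powerful role from OAuth sessions (assumed: SYSADMIN)
--    and shorten refresh-token lifetime from 7776000 s (90 days)
--    to 2592000 s (30 days, assumed).
ALTER SECURITY INTEGRATION RASGO_OAUTH_INT SET
  BLOCKED_ROLES_LIST = ('SYSADMIN')
  OAUTH_REFRESH_TOKEN_VALIDITY = 2592000;

-- 3. List users whose default role is privileged. With a blocked default role
--    they need a different default, or must select another role in Rasgo's
--    "My Account" page.
SHOW USERS;
SELECT "name", "default_role", "disabled"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "default_role" IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'ORGADMIN', 'SYSADMIN');

-- 4. See which users have authorized the integration and with which role.
SHOW DELEGATED AUTHORIZATIONS TO SECURITY INTEGRATION RASGO_OAUTH_INT;
```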
Configuration is complete! You're ready to start using Rasgo. Next up is importing tables: