❄️Snowflake

How does Rasgo work with Snowflake?

Rasgo is a metadata-only product: all of your actual data stays in your data warehouse, and Rasgo queries it there by dynamically generating SQL.

Rasgo performs read-only operations in your Snowflake environment:

  • Rasgo reads the information schema for tables and columns it has access to

  • Rasgo dynamically generates and executes SQL on behalf of the user to analyze data

Connecting to Snowflake

IP Restrictions

Rasgo will always connect to your Snowflake account from these IP addresses. Make sure to whitelist them if you have networking restrictions enabled in Snowflake.

IP Address

54.84.138.60

54.84.66.109
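The same restriction can be applied to the service account alone, shown here as an added example that is not part of Rasgo's own scripts: a user-level network policy limited to the two addresses above, plus a review of recent logins from anywhere else. It assumes the service account is named RASGOSA, as in the setup script on this page; the policy name RASGO_NETWORK_POLICY is hypothetical.

```sql
-- Added example, not Rasgo's own script.
-- Assumes the service account RASGOSA from this page's setup script.
-- RASGO_NETWORK_POLICY is a hypothetical name.

USE ROLE SECURITYADMIN;

-- Allow only the two Rasgo addresses listed on this page
CREATE NETWORK POLICY RASGO_NETWORK_POLICY
  ALLOWED_IP_LIST = ('54.84.138.60', '54.84.66.109')
  COMMENT = 'Rasgo service account: Rasgo source addresses only';

-- Attach the policy to the user, so other users of the account
-- keep whatever account-level policy already applies to them
ALTER USER RASGOSA SET NETWORK_POLICY = RASGO_NETWORK_POLICY;

-- Review: login attempts for the service account from any other address
-- in the last 30 days. ACCOUNT_USAGE views lag real time and need
-- ACCOUNTADMIN or a role with IMPORTED PRIVILEGES on the SNOWFLAKE database.
USE ROLE ACCOUNTADMIN;

SELECT event_timestamp,
       client_ip,
       is_success,
       error_message,
       reported_client_type
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'RASGOSA'
  AND client_ip NOT IN ('54.84.138.60', '54.84.66.109')
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Any row returned by the review query is an attempt to use the service account's credentials from outside Rasgo.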

Credentials

Rasgo can use 2 different types of user credentials to authenticate to and execute SQL queries in your Snowflake account:

  1. Service Account

  2. End User Credentials (via Snowflake OAuth)

Service Account Credentials

Rasgo needs service account user credentials to authenticate to and execute SQL queries in your account. The role you assign to this user will also need access to the source tables or views that you want to transform and visualize in Rasgo.

Here's a setup script to run in Snowflake to create the service account user, if you don't already have one:

Snowflake Setup Script
  -- Replace <YOUR_> placeholders below with the 
  -- Snowflake resources Rasgo should use to access your data

  ----------------------
  -- Create Role
  ----------------------
  USE ROLE USERADMIN;
  CREATE ROLE IF NOT EXISTS RASGO;

  USE ROLE SECURITYADMIN;
  GRANT ROLE RASGO TO ROLE SYSADMIN;

  ----------------------
  -- Grant WH Access to Role
  ----------------------
  USE ROLE SYSADMIN;
  GRANT OPERATE, USAGE ON WAREHOUSE <YOUR_WH> TO ROLE RASGO;

  ----------------------
  -- Grant Data Access to Role
  ----------------------
  USE ROLE SYSADMIN;
  -- Run one of the two options below
  -- Option 1: Grant access to an entire schema
  -- (ALL TABLES covers only tables that exist when the grant runs)
  GRANT USAGE ON DATABASE <YOUR_DB> TO ROLE RASGO;
  GRANT USAGE ON SCHEMA <YOUR_DB>.<YOUR_SCHEMA> TO ROLE RASGO;
  GRANT SELECT ON ALL TABLES IN SCHEMA <YOUR_DB>.<YOUR_SCHEMA> TO ROLE RASGO;

  -- Option 2: Grant access to individual tables
  GRANT USAGE ON DATABASE <YOUR_DB> TO ROLE RASGO;
  GRANT USAGE ON SCHEMA <YOUR_DB>.<YOUR_SCHEMA> TO ROLE RASGO;
  GRANT SELECT ON TABLE <YOUR_DB>.<YOUR_SCHEMA>.<YOUR_TABLE> TO ROLE RASGO;
  -- GRANT SELECT ON TABLE ...

  ----------------------
  -- Create Service Account
  ----------------------
  USE ROLE USERADMIN;
  CREATE USER IF NOT EXISTS RASGOSA
    PASSWORD = '***'
    MUST_CHANGE_PASSWORD = FALSE
    DEFAULT_NAMESPACE = <YOUR_DB>
    DEFAULT_WAREHOUSE = <YOUR_WH>
    DEFAULT_ROLE = RASGO;

  ----------------------
  -- Grant Role to Service Account
  ----------------------
  USE ROLE SECURITYADMIN;
  GRANT ROLE RASGO TO USER RASGOSA;
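To confirm over time that the role stays as narrow as the setup script makes it, the following added example (not part of Rasgo's own scripts) lists any privilege on the RASGO role beyond those the script grants, and summarizes statements run by RASGOSA that are not reads. The 7-day window and the list of query types treated as reads are assumptions to adjust for your environment.

```sql
-- Added example, not Rasgo's own script.
-- Assumes the RASGO role and RASGOSA user created by the setup script above.
-- ACCOUNT_USAGE views need ACCOUNTADMIN or a role with
-- IMPORTED PRIVILEGES on the SNOWFLAKE database.
USE ROLE ACCOUNTADMIN;

-- 1. Active grants to the role that the setup script does not issue
--    (includes other roles granted to RASGO, which show up as
--    USAGE on ROLE and would widen its access through inheritance)
SELECT privilege,
       granted_on,
       name,
       granted_by,
       created_on
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE grantee_name = 'RASGO'
  AND granted_to = 'ROLE'
  AND deleted_on IS NULL
  AND NOT (
        (granted_on = 'WAREHOUSE' AND privilege IN ('USAGE', 'OPERATE'))
     OR (granted_on IN ('DATABASE', 'SCHEMA') AND privilege = 'USAGE')
     OR (granted_on IN ('TABLE', 'VIEW') AND privilege = 'SELECT')
  )
ORDER BY created_on DESC;

-- 2. Statements run by the service account in the last 7 days
--    whose type is not in the assumed read-only list
SELECT query_type,
       COUNT(*)        AS statements,
       MAX(start_time) AS last_seen
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE user_name = 'RASGOSA'
  AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND query_type NOT IN ('SELECT', 'SHOW', 'DESCRIBE', 'USE')
GROUP BY query_type
ORDER BY statements DESC;
```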

When connecting Rasgo to your Snowflake account, you'll need to provide this info:

| Field | Description | Example |
| --- | --- | --- |
| Account | Snowflake account identifier, as described here | abc12345.snowflakecomputing.com |
| Database | Snowflake database to create new views and tables in | RASGO |
| Warehouse | Compute warehouse to use in Snowflake to run SQL | RASGO_WH |
| Schema | Schema to create new views and tables in | PUBLIC |
| Role | Snowflake role for the user to use | RASGO |
| User | Snowflake username | RASGO_USER |
| Password | Snowflake password | i<3rasgo |

(Optional) Snowflake OAuth Credentials

To allow users to log in with their own Snowflake credentials and authenticate to Rasgo via an OAuth token, you will need to run the following script in Snowflake and enter the values in your Organization's Admin screen.

SSO Setup Script
  ------------------------
  -- Add OAUTH Integration
  ------------------------
  CREATE SECURITY INTEGRATION RASGO_OAUTH_INT
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://app.rasgoml.com/account/integration/snowflake'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  -- Refresh token lifetime in seconds (7776000 = 90 days)
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

  ------------------------
  -- Show Client ID and Secret to give to Rasgo
  ------------------------
  SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('RASGO_OAUTH_INT');

After configuring OAuth Credentials, Rasgo users will go through the following steps:

  1. Sign in to Rasgo

  2. Rasgo will redirect them to Snowflake to authenticate

  3. After successfully authenticating with Snowflake, Snowflake redirects to Rasgo and passes a temporary OAuth token

  4. Rasgo will use this OAuth token to issue queries on behalf of the user

Unless the user provides a specific role to use within Rasgo, Rasgo will use their default role according to Snowflake. Please make sure that this default role has the necessary permissions to use Rasgo.

If users ever need to change the role that Rasgo is using for them, they can do so within the "My Account" page in the App.

(Optional) Set up an External Stage for downloads

Rasgo can use an External Stage to download .csv files to a private Cloud Storage location you set up.

If you choose this option, the following things are needed:

  1. Create an External Stage in your Snowflake account (NOTE: The stage should be located in the database.schema you entered with your Service Account credentials)

  2. Grant USAGE access on the Stage to the Snowflake Service Account you set up above

  3. Enter the Stage name into the Rasgo Admin Settings Screen

If you choose to export files to an External Stage, all queries that copy the data will be run by your Snowflake Service Account (even if you have OAuth user access configured).

Ensure that your Service Account has access to all the data objects it will need to export, and usage access to the stage.
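The first two steps above, as an added example that is not part of Rasgo's own scripts. It assumes an S3 bucket reached through an existing storage integration, so no cloud credentials are stored in the stage; RASGO_EXPORT_STAGE is a hypothetical name, and <YOUR_BUCKET> and <YOUR_STORAGE_INTEGRATION> are placeholders.

```sql
-- Added example, not Rasgo's own script.
-- Assumes an existing storage integration for a private S3 bucket.
-- RASGO_EXPORT_STAGE is a hypothetical name; <YOUR_...> values are placeholders.

-- The creating role needs CREATE STAGE on the schema and
-- USAGE on the storage integration
USE ROLE SYSADMIN;

-- Step 1: create the stage in the database.schema entered with the
-- Service Account credentials
CREATE STAGE IF NOT EXISTS <YOUR_DB>.<YOUR_SCHEMA>.RASGO_EXPORT_STAGE
  URL = 's3://<YOUR_BUCKET>/rasgo-exports/'
  STORAGE_INTEGRATION = <YOUR_STORAGE_INTEGRATION>;

-- Step 2: privileges are granted to roles, so grant USAGE to the
-- service account's role rather than to the user itself
GRANT USAGE ON STAGE <YOUR_DB>.<YOUR_SCHEMA>.RASGO_EXPORT_STAGE TO ROLE RASGO;

-- Check where the stage writes to and which roles can use it;
-- every role listed here can export data to that location
DESCRIBE STAGE <YOUR_DB>.<YOUR_SCHEMA>.RASGO_EXPORT_STAGE;
SHOW GRANTS ON STAGE <YOUR_DB>.<YOUR_SCHEMA>.RASGO_EXPORT_STAGE;
```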

Success!

Configuration is complete! You're ready to start using Rasgo.
