Connect Snowflake to Anzenna
Integrate Anzenna with Snowflake to monitor data warehouse access, query activity, and user authentication events.
Prerequisites
- Snowflake ACCOUNTADMIN role access
- Anzenna account
- Ability to execute SQL in Snowflake
- Snowflake account identifier
Overview
The integration provides:
- Query history monitoring
- User authentication logs
- Data access patterns
- Login history tracking
- Optional: Network policy restrictions
- Role and grant auditing
Step-by-Step Instructions
Part 1: Enable Integration in Anzenna
Log into Anzenna at
app.anzenna.ai
Navigate to Settings > Integrations
Find the Snowflake integration card
Toggle the switch to enable the integration
- Copy the public key displayed
The public key will be used to establish secure authentication between Anzenna and Snowflake using key-pair authentication.
Part 2: Create Service User in Snowflake
Open Snowflake in your browser
Navigate to Worksheets and open a new SQL Worksheet
Execute the following SQL script to create the ANZENNA service user:
-- Create Anzenna service user
CREATE USER ANZENNA
TYPE = SERVICE
DEFAULT_ROLE = PUBLIC
RSA_PUBLIC_KEY = '<paste-public-key-here>'
COMMENT = 'Service user for Anzenna integration';
Replace <paste-public-key-here> with the public key you
copied from Anzenna (step 5)
Make sure to click Run All (not just Run) to execute the complete script including all necessary permissions.
Part 3: Grant Permissions
Grant the ANZENNA user access to LOGIN_HISTORY:
-- Grant access to account usage views
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE PUBLIC;
Or, if using a custom role:
-- Create custom role for Anzenna
CREATE ROLE ANZENNA_MONITOR;
-- Grant necessary privileges
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE ANZENNA_MONITOR;
-- Assign role to user
GRANT ROLE ANZENNA_MONITOR TO USER ANZENNA;
-- Set as default role
ALTER USER ANZENNA SET DEFAULT_ROLE = ANZENNA_MONITOR;
Using a custom role provides better security isolation. See Snowflake documentation for detailed role setup.
Part 4: Optional Network Policy (Recommended)
Restrict access to Anzenna's IP for enhanced security:
-- Create network policy for Anzenna
CREATE NETWORK POLICY ANZENNA_POLICY
ALLOWED_IP_LIST = ('35.212.173.22');
-- Apply policy to ANZENNA user ALTER
USER ANZENNA SET NETWORK_POLICY = ANZENNA_POLICY;
This ensures only Anzenna's servers can authenticate as the ANZENNA user.
Part 5: Complete Connection in Anzenna
Return to Anzenna > Integrations > Snowflake
Enter your Snowflake account identifier:
Format: <orgname>-<accountname>
- Examples:
- acme-prod
- company-analytics
- org-account123
Your account identifier appears in your Snowflake URL:
https://<orgname>-<accountname>.snowflakecomputing.comEnter the username:
ANZENNA
Click Connect
Verify the connection shows as Connected successfully
Verification
Check integration status shows Connected
- Wait 15-30 minutes for initial sync
Navigate to Anzenna's Data Warehouse dashboard
Verify Snowflake query activity is appearing
- Review login history events are syncing
What Data is Collected
Login History
- Successful authentications
- Failed login attempts
- Client applications used
- IP addresses
- Timestamps
Query History
- Query text (configurable)
- Execution times
- Data scanned
- User who executed
- Warehouse used
Session Information
- Active sessions
- Session duration
- Authentication methods
- Role switches
Access Patterns
- Database access
- Schema usage
- Table query frequency
- Data export activities
Security Considerations
Key-Pair Authentication
Public key auth - More secure than password
No password storage - Anzenna never has password
Automatic key rotation - Keys can be rotated easily
Audit trail - All access logged in Snowflake
Network Policy
Recommended security measures:
Restrict to Anzenna IP:
35.212.173.22- Monitor for unauthorized access attempts
- Review access logs regularly
- Set up alerts for anomalous activity
Principle of Least Privilege
The ANZENNA user only needs:
- Read access to LOGIN_HISTORY view
- Read access to QUERY_HISTORY view
- No data modification permissions
- No administrative capabilities
Troubleshooting
Connection Fails
Authentication errors:
Verify public key was pasted correctly (no extra spaces/breaks)
- Ensure RSA_PUBLIC_KEY format is correct
Check ANZENNA user was created successfully
Verify account identifier format is correct
Public Key Errors
Invalid key format:
- Copy entire public key from Anzenna
- Remove any line breaks or spaces
- Ensure key starts with proper header
- Try regenerating key in Anzenna
No Data Appearing
Query history not syncing:
- Verify IMPORTED PRIVILEGES were granted
Check that SNOWFLAKE database access is enabled
Ensure account has query activity to monitor
Wait 30 minutes for initial data collection
- Review Snowflake query history directly
Network Policy Issues
Connection blocked:
Verify IP address is exactly:
35.212.173.22Check network policy is applied to correct user
- Ensure no conflicting network rules
Test without network policy first, then add
Account Identifier Problems
Cannot connect:
Verify format is
orgname-accountname- Check for typos in identifier
- Remove any URLs or extra text
- Confirm identifier matches Snowflake URL
Best Practices
Use custom role — Better isolation than PUBLIC role
Enable network policy — Restrict to Anzenna IP
Monitor initially — Check for errors in first 48 hours
Document setup — Record account identifier and configuration
Regular audits — Review integration quarterly
Key rotation — Plan for annual key updates
Test queries — Verify correct data is accessible
Integration Maintenance
Regular Checks
Perform monthly:
- Verify connection status
- Review query coverage
- Check for any errors
- Test sample data queries
Key Rotation
To rotate public keys:
- Generate new key pair in Anzenna
Update ANZENNA user in Snowflake with new public key
- Test connection with new key
- Remove old key after verification
SQL for key update:
ALTER USER ANZENNA SET RSA_PUBLIC_KEY = '<new-public-key>';
Permission Audits
Quarterly review:
Verify ANZENNA user permissions haven't changed
- Check network policy is still applied
- Review access logs for anomalies
Ensure integration still meets security requirements
Advanced Configuration
Custom Role Setup
For organizations requiring stricter access control:
-- Create dedicated role
CREATE ROLE ANZENNA_MONITOR;
-- Grant specific view access
GRANT USAGE ON DATABASE SNOWFLAKE TO ROLE ANZENNA_MONITOR;
GRANT USAGE ON SCHEMA SNOWFLAKE.ACCOUNT_USAGE TO ROLE ANZENNA_MONITOR;
GRANT SELECT ON VIEW SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY TO ROLE ANZENNA_MONITOR;
GRANT SELECT ON VIEW SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY TO ROLE ANZENNA_MONITOR;
-- Assign to user
GRANT ROLE ANZENNA_MONITOR TO USER ANZENNA;
ALTER USER ANZENNA SET DEFAULT_ROLE = ANZENNA_MONITOR;
Monitoring Multiple Accounts
If you have multiple Snowflake accounts:
Create separate integrations in Anzenna for each
Use different service users in each account
- Apply consistent security policies
Monitor all accounts from single Anzenna dashboard
Snowflake Editions
The integration works with all Snowflake editions:
Standard - Basic monitoring
Enterprise - Enhanced features
Business Critical - Full capabilities
VPS - All features with added isolation
Related Resources
Need help? Contact
Anzenna Support
for assistance.