Snowflake

Overview

Cisco Identity Intelligence can connect directly to Snowflake warehouses to gather data on user accounts, activity, and other events. These instructions will guide you through the process of connecting your Snowflake account to Identity Intelligence.

Before you begin...

Make sure you have the following:

  • An Identity Intelligence account with Admin permissions that can add integrations to your Identity Intelligence tenant

  • A Snowflake login that has ACCOUNTADMIN privileges to grant read access to the SNOWFLAKE database in your Snowflake account

  • The name of your Snowflake warehouse

  • A computer with openssl or an equivalent that can generate RSA keys

Configuration Steps

Generate an RSA key

Identity Intelligence authenticates to your Snowflake account with an RSA key pair: the public key is registered on a Snowflake service user, and the private key is uploaded to Identity Intelligence. Use the following command to generate the private key:

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

The -nocrypt option writes the private key unencrypted, which is the form the private key upload later in these instructions uses. Treat rsa_key.p8 as a credential: keep its file permissions restricted to your own account and do not share it or check it into source control.

Use the following command to generate the public key by referencing the private key:

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

For more information on RSA keys in Snowflake, see the Snowflake docs.

Provision an Identity Intelligence user in Snowflake

Once the RSA key pair has been generated, provision the user as follows:

  1. Create a role for Identity Intelligence to use and grant it the necessary privileges

    1. Choose a name for the role that you will assign to the Identity Intelligence service account user

    2. In the examples below, replace <cii_integration_role> with the name you choose. Replace <warehouse name> with the name of your Snowflake warehouse.

    3. Using the "Query Data" UI in Snowflake, run each of the following statements individually to provision the role:

CREATE ROLE <cii_integration_role>;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE <cii_integration_role>;
GRANT USAGE ON WAREHOUSE <warehouse name> TO ROLE <cii_integration_role>;
  2. Create a service account user identified by the RSA key and give it access to the role

    1. Choose a name for the Identity Intelligence service account user

    2. In the examples below, replace <cii_service_user> with the name you choose. Replace <cii_integration_role> with the name of the role you created in the previous step. Replace <generated public key> with the contents of the public key file (rsa_key.pub) you generated at the beginning of this process, with the BEGIN PUBLIC KEY and END PUBLIC KEY lines removed:

CREATE USER <cii_service_user>
  DEFAULT_ROLE = <cii_integration_role>
  TYPE = SERVICE
  RSA_PUBLIC_KEY = '<generated public key>';

        For an example of how the public key must be formatted in this command, see the Snowflake documentation on assigning a public key to a user.

    3. Next, execute the following command to give the new service account user access to the role:

GRANT ROLE <cii_integration_role> TO USER <cii_service_user>;

    4. If you would like to further secure CII's access to your warehouse by restricting the allowed IP addresses, you may also attach a network policy to the user you just created. In the example below, replace the <nat_ip> placeholders with the IPs for your region (found in the Initial Setup for Snowflake in CII):

CREATE OR REPLACE NETWORK POLICY <cii_service_network_policy>
  ALLOWED_IP_LIST = ('<nat_ip_1>', '<nat_ip_2>')
  COMMENT = 'Created for CII. Only allows access from known CII NAT gateways';
ALTER USER <cii_service_user> SET NETWORK_POLICY = <cii_service_network_policy>;

        For more information, see the Snowflake documentation on network policies and the ALTER USER command.
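The key-generation and provisioning steps above, scripted end to end. This is an added example, not Cisco Identity Intelligence or Snowflake tooling; the role, user and warehouse names and the key file paths are placeholders supplied through environment variables. It covers the one detail the steps leave to the Snowflake documentation, stripping the PEM header and footer so the public key fits on a single line inside CREATE USER, and it computes the key's SHA256 fingerprint in the same "SHA256:..." form that Snowflake reports as RSA_PUBLIC_KEY_FP in DESCRIBE USER, so you can confirm the key registered on the user is the one you generated.

```shell
#!/bin/sh
# Added example, not Cisco Identity Intelligence or Snowflake tooling: generate the
# key pair, format the public key for CREATE USER, and print the provisioning SQL.
# Role, user, warehouse names and key paths below are placeholder assumptions.

ROLE_NAME="${ROLE_NAME:-CII_INTEGRATION_ROLE}"
USER_NAME="${USER_NAME:-CII_SERVICE_USER}"
WAREHOUSE_NAME="${WAREHOUSE_NAME:-MY_WAREHOUSE}"
PRIVATE_KEY="${PRIVATE_KEY:-rsa_key.p8}"
PUBLIC_KEY="${PUBLIC_KEY:-rsa_key.pub}"

# Same openssl commands as the instructions, run under umask 077 so the
# unencrypted private key is created with mode 0600.
generate_keypair() {
  ( umask 077
    openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out "$PRIVATE_KEY" -nocrypt
    openssl rsa -in "$PRIVATE_KEY" -pubout -out "$PUBLIC_KEY" )
}

# RSA_PUBLIC_KEY takes only the base64 body of the PEM file: drop the
# BEGIN/END lines and join the remaining lines into one.
pem_body() {
  sed -e '/^-----BEGIN /d' -e '/^-----END /d' "$1" | tr -d '\r\n'
}

# Fingerprint in the "SHA256:<base64>" form Snowflake reports as RSA_PUBLIC_KEY_FP
# in DESCRIBE USER output; compare the two to confirm the right key was registered.
public_key_fingerprint() {
  printf 'SHA256:%s\n' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64)"
}

# The statements from the provisioning steps above with the key filled in;
# run them one at a time in the Snowflake worksheet as ACCOUNTADMIN.
provisioning_sql() {
  key="$(pem_body "$PUBLIC_KEY")"
  cat <<EOF
CREATE ROLE ${ROLE_NAME};
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE ${ROLE_NAME};
GRANT USAGE ON WAREHOUSE ${WAREHOUSE_NAME} TO ROLE ${ROLE_NAME};
CREATE USER ${USER_NAME} DEFAULT_ROLE = ${ROLE_NAME} TYPE = SERVICE RSA_PUBLIC_KEY = '${key}';
GRANT ROLE ${ROLE_NAME} TO USER ${USER_NAME};
DESCRIBE USER ${USER_NAME};
EOF
}

case "${1:-}" in
  generate) generate_keypair && provisioning_sql && public_key_fingerprint "$PUBLIC_KEY" ;;
  sql)      provisioning_sql ;;
  fp)       public_key_fingerprint "$PUBLIC_KEY" ;;
  *)        echo "usage: $0 generate|sql|fp" >&2 ;;
esac
```

Run it as `ROLE_NAME=... USER_NAME=... WAREHOUSE_NAME=... sh provision_cii.sh generate` (the script name is an assumption) on a workstation with openssl, paste the printed statements one at a time into the Snowflake worksheet, and compare the fingerprint printed last with the RSA_PUBLIC_KEY_FP line of the DESCRIBE USER output. A mismatch means the wrong public key, or a key with its PEM armor still attached, was pasted into CREATE USER.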

Create your integration in Identity Intelligence

The last step is to create your integration in Identity Intelligence. For this, you will need:

  • The name of the service account user you created in Snowflake

  • The name of the role you assigned to the service account user in Snowflake

  • The account locator and region for your Snowflake account. Please note that your organization and account name will NOT work instead.

    • If you are having trouble finding this, you can run SELECT current_account(), current_region(); in your Snowflake account. You should see that the account is a string of letters and numbers like SF12345 and the region is something like AWS_US_WEST_2. For these values, the combined identifier would be sf12345.us-west-2.aws

  • The name of your Snowflake warehouse

  • The private key file for the public key associated with the service account user above. This will be a file with a .p8 extension. If you used the exact commands above, it will be called rsa_key.p8

  1. Navigate to the Integrations page in Identity Intelligence and click "Add Integration" at the top right

  2. Find the Snowflake tile and click "Add Integration"

  3. Click "Done" below the instructions to go to the General Settings configuration

  4. You should now see the General Settings form shown in the screenshot

  5. In the "Name" field, enter a name for the integration that identifies the specific Snowflake warehouse being monitored

  6. In the "Service Account Name for CII" field, enter the name of the service account user you created in Snowflake

  7. In the "Service Account Role" field, enter the name of the role you assigned to the service account user in Snowflake

  8. In the "Your Snowflake Account Identifier" field, enter the account locator and region for your Snowflake account (for example, sf12345.us-west-2.aws)

  9. In the "Your Snowflake Warehouse" field, enter the name of your Snowflake warehouse

  10. In the "Private Key" field, drag and drop the private key file (rsa_key.p8) onto the banner, or click the banner and select the file for upload

  11. Once you have entered the necessary information, click "Connect" to initialize your Snowflake integration and begin monitoring

Configuring Key Rotation for Identity Intelligence Snowflake User

If desired, the RSA key pair created for the service account can be rotated or updated.

  1. Create a new key pair for the service account (the same openssl commands as above) and register the new public key on the Identity Intelligence Snowflake user with ALTER USER. Setting RSA_PUBLIC_KEY directly replaces the old key, so the integration cannot authenticate until the new private key is uploaded in step 3. To avoid that gap, set the new key with ALTER USER <cii_service_user> SET RSA_PUBLIC_KEY_2 = '...' instead: Snowflake accepts either key while both are set, and you can UNSET the old RSA_PUBLIC_KEY once step 4 succeeds

  2. In the Identity Intelligence console, click the 3 dot menu for the Snowflake integration and select Edit Settings

  3. Click Reset Credentials. Then upload the new private key file and click Save

  4. Test connectivity to confirm the integration authenticates with the new key
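The two-phase rotation from step 1 above, as an added example that is not Cisco Identity Intelligence or Snowflake tooling. It assumes the new key pair has already been generated with the two openssl commands from the Generate an RSA key section into rsa_key_new.p8 and rsa_key_new.pub, and that the user name is a placeholder. Phase 1 registers the new public key in whichever of the two slots is free, so the integration keeps working on the old private key; phase 2 retires the old key and should only run after the new private key has been uploaded and the connectivity test passes.

```shell
#!/bin/sh
# Added example, not Cisco Identity Intelligence or Snowflake tooling: rotate the
# service user's key without an authentication gap by using Snowflake's second
# public-key slot (RSA_PUBLIC_KEY_2). User name and key path are placeholder assumptions.
# The new key pair is assumed to exist already (same openssl commands as the instructions).

USER_NAME="${USER_NAME:-CII_SERVICE_USER}"
NEW_PUBLIC_KEY="${NEW_PUBLIC_KEY:-rsa_key_new.pub}"

# Base64 body of a PEM public key, as RSA_PUBLIC_KEY / RSA_PUBLIC_KEY_2 expect it.
pem_body() {
  sed -e '/^-----BEGIN /d' -e '/^-----END /d' "$1" | tr -d '\r\n'
}

# Phase 1: register the new key in the free slot. Snowflake accepts a login
# signed by either key while both are set, so the integration keeps working on
# the old private key until you upload the new one (Edit Settings > Reset Credentials).
# The slot argument is the one currently unused: 2 on the first rotation, then alternate.
rotation_phase1_sql() {
  slot="${1:-2}"
  if [ "$slot" = "2" ]; then param="RSA_PUBLIC_KEY_2"; else param="RSA_PUBLIC_KEY"; fi
  cat <<EOF
ALTER USER ${USER_NAME} SET ${param} = '$(pem_body "$NEW_PUBLIC_KEY")';
DESCRIBE USER ${USER_NAME};
EOF
}

# Phase 2: run only after the connectivity test succeeds with the new private key.
# Clears the slot holding the old key so it can no longer authenticate.
rotation_phase2_sql() {
  slot="${1:-2}"
  if [ "$slot" = "2" ]; then old="RSA_PUBLIC_KEY"; else old="RSA_PUBLIC_KEY_2"; fi
  cat <<EOF
ALTER USER ${USER_NAME} UNSET ${old};
EOF
}

case "${1:-}" in
  phase1) rotation_phase1_sql "${2:-2}" ;;
  phase2) rotation_phase2_sql "${2:-2}" ;;
  *)      echo "usage: $0 phase1 [slot] | phase2 [slot]" >&2 ;;
esac
```

Check the DESCRIBE USER output after phase 1: both RSA_PUBLIC_KEY_FP and RSA_PUBLIC_KEY_2_FP should be populated, and the new slot's fingerprint should match the one computed locally from rsa_key_new.pub. After phase 2 only the new key's fingerprint remains, and the next rotation uses the slot that was just cleared.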
