Snowflake (Beta)

2025.06.17

Overview

Cisco Identity Intelligence can connect directly to Snowflake warehouses to gather data on user accounts, activity, and other events. These instructions will guide you through the process of connecting your Snowflake account to Identity Intelligence.

Before you begin...

Make sure you have the following:

An Identity Intelligence account with Admin permissions that can add integrations to your Identity Intelligence tenant
A Snowflake login that has ACCOUNTADMIN privileges to grant read access to the SNOWFLAKE database in your Snowflake account
The name of your Snowflake warehouse
A computer with openssl or an equivalent that can generate RSA keys

Configuration Steps

Generate an RSA key

Identity Intelligence will use an RSA key pair to securely communicate with your Snowflake account. Use the following command to generate the private key:

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

Use the following command to generate the public key by referencing the private key:

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

For more information on RSA keys in Snowflake, see the Snowflake docs.

Provision a Identity Intelligence user in Snowflake

Once the RSA key pair has been generated, to provision the user, you will need to:

Create a role for Identity Intelligence to use and grant it the necessary privileges
1. Choose a name for the role that you will assign to the Identity Intelligence user's role
2. In the examples below, replace <cii_integration_role> with the name you choose. Replace <warehouse name> with the name of your Snowflake warehouse.
3. Using the "Query Data" UI in Snowflake, enter each of the following lines individually to provision the role:

CREATE ROLE <cii_integration_role>;

GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE <cii_integration_role>;

-- This grant allows CII to read Trust Center events
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE <cii_integration_role>;

GRANT USAGE ON WAREHOUSE <warehouse name> TO ROLE <cii_integration_role>;

Create a service account user identified by the RSA key and give it access to the role
1. Choose a name for the role that you will assign to the Identity Intelligence service account user
2. In the examples below, replace <cii_service_user> with the name you choose. Replace <cii_integration_role> with the name of the role you created in the previous step. Replace <generated public key> with the contents of the RSA key pair you created at the beginning of this process
  1. CREATE USER <cii_service_user> DEFAULT_ROLE = <cii_integration_role> TYPE = SERVICE RSA_PUBLIC_KEY = '<generated public key>';
    For an example of how the public key must be formatted in this command, see the Snowflake documents on assigning a public key to a user.
3. Next, execute the following command to give the new service account user access to the role:
  1. GRANT ROLE <cii_integration_role> TO USER <cii_service_user>;
4. If you would like to further secure Identity Intelligence's access to your warehouse by restricting the allowed IP addresses, you may also add a network policy to the user you just created. In the example below, replace the <nat_ip> placeholders with the IPs for your region (found in the Initial Setup for Snowflake in Identity Intelligence):
  1. CREATE OR REPLACE NETWORK POLICY <cii_service_network_policy> ALLOWED_IP_LIST = ('<nat_ip_1>', '<nat_ip_2>') COMMENT = 'Created for CII. Only allows access from known CII NAT gateways';
    ALTER USER <cii_service_user> SET NETWORK_POLICY = <cii_service_network_policy>;
    For more information, see the Snowflake documentation on network policies and the alter user command

Create your integration in Identity Intelligence

The last step is to create your integration in Identity Intelligence. For this, you will need:

The name of the service account user you created in Snowflake
The name of the role you assigned to the service account user in Snowflake
The account locator and region for your Snowflake account. Please note that your organization and account name will NOT work instead.
- If you are having trouble finding this, you can run SELECT current_account(), current_region(); in your Snowflake account. You should see that the account is a string of letters and numbers like SF12345 and the region is something like AWS_US_WEST_2. For these values, the combined identifier would be sf12345.us-west-2.aws
The name of your Snowflake warehouse
The private key file for the public key associated with the service account user above. This will be a file with a .p8 extension. If you used the exact commands above, it will be called rsa_key.p8

Navigate to the Integrations page in Identity Intelligence and click "Add Integration" at the top right

Find the Snowflake tile and click "Add Integration"

Click "Complete Setup" below the instructions to go to the General Settings configuration

You should now see the form in the screenshot
Choose and enter a name for your integration within Identity Intelligence that relates to the specific Snowflake warehouse that will be monitored into the "Name" field
In the "Service Account Name for CII" field, enter the name of the service account user you created in Snowflake
In the "Service Account Role" field, enter the name of the role you assigned to the service account user in Snowflake
In the "Your Snowflake Account Identifier" field, enter the account locator and region for your Snowflake account
In the "Your Snowflake Warehouse" field, enter the name of your Snowflake warehouse
In the "Private Key" field, drag and drop the private key file into the banner, or click the banner and select the private key file for upload
Once you have entered the necessary information, click "Connect" to initialize your Snowflake integration and begin monitoring

Configuring Key Rotation for Identity Intelligence Snowflake User

If desired, the RSA keypair created for the service account can be rotated or updated.

Simply create a new keypair for the service account and use the alter user command in Snowflake to set the new public key for the Identity Intelligence Snowflake user
In the Identity Intelligence console, click the 3 dot menu for the Snowflake integration and select Edit Settings
Click Reset Credentials. Then upload the new private key file and click Save
Test connectivity to ensure a successful connection

Enable Cortex Agent Collection for Snowflake Integration

Note: This feature is currently in Alpha. If you would like access to this feature, please contact your Duo Care team, Duo Support or open a Cisco TAC Case to enable it in your account.

To allow Identity Intelligence to collect Cortex Agent metadata and observability events, the Snowflake role used by the existing Identity Intelligence integration service account (<cii_integration_role> ) must be granted privileges for:

Agent discovery (SHOW AGENTS IN ACCOUNT)
Agent inspection (DESCRIBE AGENT <agent_name>)
Observability event reads (SNOWFLAKE.LOCAL.AI_OBSERVABILITY_EVENTS)

Why these grants are required

Snowflake requires the executing role to have at least one privilege on each agent (OWNERSHIP, USAGE, MONITOR, or OPERATE) for SHOW AGENTS / DESCRIBE AGENT
Snowflake also requires at least one privilege on the parent database and parent schema for those commands
Access to SNOWFLAKE.LOCAL.AI_OBSERVABILITY_EVENTS requires AI Observability access roles, specifically SNOWFLAKE.AI_OBSERVABILITY_EVENTS_LOOKUP, and Cortex access via SNOWFLAKE.CORTEX_USER

Configuring the required grants

Using a role that can grant the necessary permissions (typically ACCOUNTADMIN or equivalent role with required grant authority), run the following:

-- 1) Existing agents: grant MONITOR per agent. Repeat for each existing agent.  
GRANT MONITOR ON AGENT <db>.<schema>.<agent_name> TO ROLE <cii_integration_role>; 
 
-- 2) Future agents in each relevant schema. Repeat for each database/schema.  
GRANT MONITOR ON FUTURE AGENTS IN SCHEMA <database_name>.<schema_name> TO ROLE <cii_integration_role>; 

-- 3) Cortex database role 
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE <cii_integration_role>; 

-- 4) AI Observability application role 
GRANT APPLICATION ROLE SNOWFLAKE.AI_OBSERVABILITY_EVENTS_LOOKUP TO ROLE <cii_integration_role>; 

-- 5) Parent database access. Repeat for each database. 
GRANT USAGE ON DATABASE <database_name> TO ROLE <cii_integration_role>; 

-- 6a) Option A: grant all schemas in database. Repeat for each database. 
GRANT USAGE ON ALL SCHEMAS IN DATABASE <database_name> TO ROLE <cii_integration_role>; 

-- 6b) Option B: grant only selected schemas. Repeat for each database/schema you would like Identity Intelligence to have access to. 
GRANT USAGE ON SCHEMA <database_name>.<schema_name> TO ROLE <cii_integration_role>;

Verification (optional)

After grants are applied, use the following to test with the Identity Intelligence integration role:

USE ROLE <cii_integration_role>; 
SHOW AGENTS IN ACCOUNT; 
DESCRIBE AGENT <db>.<schema>.<agent_name>; 
SELECT * FROM SNOWFLAKE.LOCAL.AI_OBSERVABILITY_EVENTS LIMIT 10;

PreviousSlack NextSplunk

Last updated 13 hours ago

hashtagOverview

hashtagBefore you begin...

hashtagConfiguration Steps

hashtagGenerate an RSA key

hashtagProvision a Identity Intelligence user in Snowflake

hashtagCreate your integration in Identity Intelligence

hashtagConfiguring Key Rotation for Identity Intelligence Snowflake User

hashtagEnable Cortex Agent Collection for Snowflake Integration

hashtagConfiguring the required grants

hashtagVerification (optional)