Snowflake Integration Guide
Last updated: February 17, 2026
Connect your Snowflake account to Clazar using key-pair authentication. This guide walks through generating credentials, configuring your Snowflake account, and completing the connection in Clazar.
Overview
Clazar connects to Snowflake using key-pair authentication (RSA private/public key). This method is more secure than password-based authentication and is the approach Snowflake recommends for programmatic access.
What you'll need:
Admin access to your Snowflake account (ACCOUNTADMIN or SECURITYADMIN role)
A terminal to generate RSA keys (macOS, Linux, or Windows with OpenSSL installed)
Access to Clazar (Integrations → Snowflake)
Prerequisites
Find your Snowflake account identifier
Your account identifier is part of your Snowflake URL:
https://ORGNAME-ACCOUNTNAME.snowflakecomputing.com
The account identifier is the ORGNAME-ACCOUNTNAME portion (for example, ACME-PROD1).
You can also find it in the Snowflake UI under Admin → Accounts.
Setup
Option 1: Full setup (recommended)
This approach creates a dedicated service user and a fresh key pair, keeping the Clazar integration isolated and secure.
Step 1 — Generate an RSA key pair
Open a terminal and run:
bash
# Generate an unencrypted private key in PKCS#8 format
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
# Generate the corresponding public key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
This produces two files:
File | Purpose
rsa_key.p8 | Private key — used when connecting in Clazar
rsa_key.pub | Public key — assigned to the Snowflake user
Store both files securely. The private key should be treated as a secret.
Note: The private key must be unencrypted (generated with -nocrypt). Encrypted keys are not supported.
Step 2 — Create a dedicated Snowflake role and user
Log in to your Snowflake account with admin privileges and run the following in a Snowflake worksheet:
sql
-- Create a dedicated role for Clazar
CREATE ROLE IF NOT EXISTS CLAZAR_ROLE;
-- Grant access to account usage data
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE CLAZAR_ROLE;
-- Grant warehouse access (required for executing queries)
GRANT USAGE ON WAREHOUSE <warehouse_name> TO ROLE CLAZAR_ROLE;
-- Grant listing and offer management permissions
GRANT CREATE LISTING ON ACCOUNT TO ROLE CLAZAR_ROLE;
GRANT CREATE SHARE ON ACCOUNT TO ROLE CLAZAR_ROLE;
-- Create a dedicated service user
CREATE USER IF NOT EXISTS CLAZAR_USER
  DEFAULT_ROLE = 'CLAZAR_ROLE'
  DEFAULT_WAREHOUSE = '<warehouse_name>'
  MUST_CHANGE_PASSWORD = FALSE;
-- Assign the role to the user
GRANT ROLE CLAZAR_ROLE TO USER CLAZAR_USER;
Replace <warehouse_name> with an active warehouse in your account (for example, COMPUTE_WH).
Managing existing listings: If you have existing listings that Clazar needs to manage, grant ownership on each listing:
sql
GRANT OWNERSHIP ON LISTING <listing_name> TO ROLE CLAZAR_ROLE;
Or, if you prefer not to transfer ownership, grant modify access instead:
sql
GRANT MODIFY ON LISTING <listing_name> TO ROLE CLAZAR_ROLE;
What these permissions do:
IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE — access to account usage and metadata
USAGE ON WAREHOUSE — allows Clazar to execute queries
CREATE LISTING — allows creating new marketplace listings
CREATE SHARE — allows creating data shares for listings
OWNERSHIP or MODIFY on listings — allows managing existing listings, offers, and versions
Step 3 — Assign the public key
Extract the public key content (without the PEM header/footer):
bash
grep -v "PUBLIC KEY" rsa_key.pub | tr -d '\n'
Copy the output and run in Snowflake:
sql
ALTER USER CLAZAR_USER SET RSA_PUBLIC_KEY='<paste public key content>';
Step 4 — Verify
sql
DESC USER CLAZAR_USER;
Confirm that the RSA_PUBLIC_KEY_FP property shows a fingerprint value. This means the key is correctly assigned.
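The shell functions below are an added example, not part of Clazar's or Snowflake's own material: they check locally that the private key is unencrypted PKCS#8 with owner-only permissions, that the public key file belongs to it, and that its fingerprint equals the RSA_PUBLIC_KEY_FP value copied from DESC USER (useful for Option 2 as well, when reusing an older pair). The function names are hypothetical, and the fingerprint is assumed to be the SHA-256 of the DER-encoded public key, base64-encoded with a SHA256: prefix.

```bash
#!/usr/bin/env bash
# Added example: local checks on the key pair before it is pasted anywhere.

# Classify a private key file by its PEM header line.
key_format() {
  case "$(head -n 1 "$1")" in
    "-----BEGIN PRIVATE KEY-----")           echo pkcs8-unencrypted ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
    "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
    *)                                       echo unknown ;;
  esac
}

# Fingerprint = "SHA256:" + base64(SHA-256(DER-encoded public key)); DER is read from stdin.
fp_of_der() { printf 'SHA256:%s\n' "$(openssl dgst -sha256 -binary | openssl enc -base64)"; }
fp_from_public()  { openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | fp_of_der; }
fp_from_private() { openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | fp_of_der; }

# $1 = private key, $2 = public key,
# $3 = RSA_PUBLIC_KEY_FP value copied from DESC USER (optional)
check_pair() {
  local fmt mode fp
  fmt=$(key_format "$1")
  [ "$fmt" = pkcs8-unencrypted ] || { echo "private key format is $fmt"; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case "$mode" in
    600|400) ;;
    *) echo "private key mode is $mode, want 600"; return 1 ;;
  esac
  fp=$(fp_from_private "$1")
  [ "$fp" = "$(fp_from_public "$2")" ] || { echo "public key does not match private key"; return 1; }
  if [ -n "${3:-}" ] && [ "$3" != "$fp" ]; then
    echo "Snowflake holds a different key: $3"; return 1
  fi
  echo "ok $fp"
}

# Usage: check_pair rsa_key.p8 rsa_key.pub 'SHA256:<value from DESC USER>'
```

If the mode check fails, run chmod 600 rsa_key.p8 and repeat the check.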
Option 2: Reuse an existing key pair
If you already have an RSA key pair (for example, from a previous Clazar connection to another Snowflake account), you can reuse it. You still need to create a user in the target account and assign the public key.
Step 1 — Create the role and user
Follow the same SQL commands from Option 1, Step 2 above.
Step 2 — Assign the existing public key
If you have the public key file, extract the content:
bash
grep -v "PUBLIC KEY" rsa_key.pub | tr -d '\n'
If you only have the private key file, regenerate the public key first:
bash
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
Then assign it in Snowflake:
sql
ALTER USER CLAZAR_USER SET RSA_PUBLIC_KEY='<paste public key content>';
Step 3 — Verify
sql
DESC USER CLAZAR_USER;
Confirm that RSA_PUBLIC_KEY_FP shows a fingerprint value.
Tip: When connecting in Clazar, use the same private key file from your existing setup.
Connect in Clazar
Once your Snowflake account is set up, complete the connection in Clazar.
New connection
Navigate to Integrations → Snowflake
Click Add Connection
Enter your connection details:
Field | Value
Account Identifier | Your Snowflake account identifier (for example, |
Username | The Snowflake user with the public key (for example, |
API Key | The full contents of your private key file, including the |
Click Connect
The status should change to Connected
Replacing an existing connection
Navigate to Integrations → Snowflake
Disconnect or Edit the current connection
Enter the new account details as described above
Adding a new connection alongside an existing one
If you want to verify the new connection before removing the old one:
Navigate to Integrations → Snowflake
Click Add Connection and enter the new account details
Verify the new connection shows as Connected
Disconnect the old connection
Important: Only one Snowflake connection should be active at a time. If multiple connections are active, Clazar will use the first one it finds.
Troubleshooting
Symptom | Likely cause | Resolution
Connection fails immediately | Private key is encrypted | Regenerate the key with the |
Authentication error | Public key not assigned to the user | Run |
Invalid account identifier | Incorrect format | Use the |
Operations use the wrong account | Previous connection still active | Disconnect the old connection in Clazar |
| Key assignment failed | Re-run the |
Security best practices
Use a dedicated service user. Avoid using personal or shared accounts for the integration.
Limit privileges. Grant only the permissions Clazar requires (the CLAZAR_ROLE example above follows this principle).
Protect the private key. Store it securely and limit access. Never share it over unencrypted channels.
Rotate keys periodically. Snowflake supports key-pair rotation with two active keys, allowing zero-downtime rotation.
Support
If you encounter any issues during setup, contact the Clazar support team for assistance.