ConductorOne/baton-snowflake

baton-snowflake

baton-snowflake is a connector for Baton built using the Baton SDK. It works with the Snowflake V6 API.

Check out Baton to learn more about the project in general.

Prerequisites

This connector uses key-pair authentication to access the Snowflake API. The process of generating the key pair and then assigning those keys to a user is described in the key-pair authentication documentation.

The connector must be passed either the path to the UNENCRYPTED PRIVATE KEY in PEM format or the raw key value. Either can be supplied as a CLI flag or as an environment variable using the following names:

Environment variable        CLI flag               Description
BATON_PRIVATE_KEY_PATH      --private-key-path     Path to the private key
BATON_PRIVATE_KEY           --private-key          Raw private key value
BATON_EXCLUDED_DATABASES    --excluded-databases   Database names to skip during sync (repeatable)

Getting Started

Alongside the key pair, you must specify the Snowflake account URL, account identifier, and user identifier using either environment variables or CLI flags. The process of obtaining these values is described in the account identifiers documentation.

The "Connect to Tool" dialog in the Snowflake UI, under the account icon in the lower right, also shows the account identifier.

Setup script for the Snowflake API key pair

Running the setup script requires the following:

1. Check the connection with the Snowflake CLI (snowflake-cli)

Configure your config.toml file

Example:

default_connection_name = "myconnection"

[connections]
[connections.myconnection]
account = "YOUR_ACCOUNT"
user = "YOUR_USER"
password = "YOUR_PASSWORD"

Check if you can connect to Snowflake

snow --config-file ./config.toml sql -q "SHOW DATABASES"

2. Execute the script

The script generates a key pair and assigns it to a Snowflake user. It creates rsa_key.p8 and rsa_key.pub if they do not exist, then outputs the public key fingerprint.

./scripts/setup.sh YOUR_USER

Manual Steps to generate a key pair and assign it to a Snowflake user

See the Snowflake documentation.


1. Login to Snowflake using the Snowflake CLI or any other Snowflake client.


1.1 CLI

Install snowflake-cli

Configure your config.toml file

Check if you can connect to Snowflake

snow --config-file ./config.toml sql -q "SHOW DATABASES"

2. Generate an unencrypted private key

Use the following command

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

3. Generate the public key by referencing the private key.

The following command assumes the private key generated in the previous step is contained in the file named rsa_key.p8.

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

4. Execute an ALTER USER command to assign the public key to a Snowflake user.

The user running this command must be ACCOUNTADMIN.


ALTER USER <SNOWFLAKEUSER> SET RSA_PUBLIC_KEY='MIIBIj...';


5. Retrieve the user's public key fingerprint:

DESC USER <SNOWFLAKEUSER>;
SELECT SUBSTR((SELECT "value" FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
  WHERE "property" = 'RSA_PUBLIC_KEY_FP'), LEN('SHA256:') + 1);

Run the following command on the command line (openssl prints "writing RSA key" on stderr; the fingerprint is the base64 line on stdout):


openssl rsa -pubin -in rsa_key.pub -outform DER | openssl dgst -sha256 -binary | openssl enc -base64

Compare both outputs. If both outputs match, the user correctly configured their public key.
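The same comparison done programmatically, as an added example that is not part of the connector or the page: it computes the fingerprint exactly as the openssl pipeline in step 5 does (SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64, "SHA256:" prefix) and checks it against the value DESC USER returns. The function names and the throwaway demo key in main are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// PublicKeyFingerprint computes what Snowflake reports as RSA_PUBLIC_KEY_FP: SHA-256 over the
// DER SubjectPublicKeyInfo, base64-encoded and prefixed "SHA256:" (same as the openssl pipeline in step 5).
func PublicKeyFingerprint(pubPEM []byte) (string, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return "", fmt.Errorf("input is not a PEM \"PUBLIC KEY\" block (expected rsa_key.pub)")
	}
	// Parse before hashing so a malformed or non-RSA body is rejected instead of fingerprinted.
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse public key: %w", err)
	}
	if _, ok := key.(*rsa.PublicKey); !ok {
		return "", fmt.Errorf("snowflake key-pair authentication requires an RSA key, got %T", key)
	}
	sum := sha256.Sum256(block.Bytes) // block.Bytes is the DER-encoded SubjectPublicKeyInfo
	return "SHA256:" + base64.StdEncoding.EncodeToString(sum[:]), nil
}

// FingerprintMatches compares the local fingerprint with the DESC USER value; the SELECT in
// step 5 strips the "SHA256:" prefix, so both the prefixed and the bare form are accepted.
func FingerprintMatches(pubPEM []byte, snowflakeFP string) (bool, error) {
	local, err := PublicKeyFingerprint(pubPEM)
	if err != nil {
		return false, err
	}
	want := strings.TrimSpace(snowflakeFP)
	return local == want || strings.TrimPrefix(local, "SHA256:") == want, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway demo key; the page uses openssl
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	fp, _ := PublicKeyFingerprint(pubPEM)
	fmt.Println(fp) // compare with RSA_PUBLIC_KEY_FP from DESC USER
}
```

To check a real key, read rsa_key.pub into pubPEM instead of generating one.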

Sync Secrets

To sync secrets, the connector's role needs the privileges described in the SHOW SECRETS access control requirements: https://docs.snowflake.com/en/sql-reference/sql/show-secrets#access-control-requirements

Excluding Databases from Sync

Use --excluded-databases (or BATON_EXCLUDED_DATABASES) to skip one or more databases entirely. Excluded databases and all of their tables are omitted from every sync. Matching is case-insensitive.

CLI flag (repeatable):

baton-snowflake \
  --excluded-databases "MY_INTERNAL_DB" \
  --excluded-databases "ANOTHER_DB"

Environment variable (comma-separated):

BATON_EXCLUDED_DATABASES="MY_INTERNAL_DB,ANOTHER_DB" baton-snowflake
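How the two input forms above combine into one case-insensitive exclusion list, as an added example (not the connector's own code): repeated flag values and the comma-separated environment value are merged into a single case-folded set, and database names are filtered against it. Function names and the sample database list are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ExcludedSet merges the repeatable --excluded-databases flag values with the comma-separated
// BATON_EXCLUDED_DATABASES value into one case-folded set, ignoring blanks and duplicates.
func ExcludedSet(flagValues []string, envValue string) map[string]struct{} {
	set := make(map[string]struct{})
	all := append(append([]string{}, flagValues...), strings.Split(envValue, ",")...)
	for _, raw := range all {
		name := strings.ToUpper(strings.TrimSpace(raw))
		if name != "" {
			set[name] = struct{}{}
		}
	}
	return set
}

// FilterDatabases drops every database whose name is excluded (case-insensitively) and returns
// the kept names together with the skipped ones, so a sync can log exactly what it left out.
func FilterDatabases(names []string, excluded map[string]struct{}) (kept, skipped []string) {
	for _, n := range names {
		if _, ok := excluded[strings.ToUpper(strings.TrimSpace(n))]; ok {
			skipped = append(skipped, n)
		} else {
			kept = append(kept, n)
		}
	}
	return kept, skipped
}

func main() {
	// Constructed sample: one flag value plus an env-style list, and a mock SHOW DATABASES result.
	excluded := ExcludedSet([]string{"MY_INTERNAL_DB"}, "another_db, PROD_DB")
	kept, skipped := FilterDatabases([]string{"SNOWFLAKE", "my_internal_db", "Another_DB", "PROD"}, excluded)
	fmt.Println("synced:", kept, "skipped:", skipped)
}
```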

brew


brew install conductorone/baton/baton conductorone/baton/baton-snowflake

BATON_ACCOUNT_URL=https://abcdsa-abcdsa123.snowflakecomputing.com
BATON_ACCOUNT_IDENTIFIER=abcdsa-abcdsa123
BATON_USER_IDENTIFIER=user1
BATON_PUBLIC_KEY_FINGERPRINT=s98YHSRV+12124142124124124c=
BATON_PRIVATE_KEY_PATH=./my-private-key.pem
baton-snowflake

baton resources

docker


docker run --rm \
  -v $(pwd):/out \
  -e BATON_ACCOUNT_URL=https://abcdsa-abcdsa123.snowflakecomputing.com \
  -e BATON_ACCOUNT_IDENTIFIER=abcdsa-abcdsa123 \
  -e BATON_USER_IDENTIFIER=user1 \
  -e BATON_PUBLIC_KEY_FINGERPRINT=s98YHSRV+12124142124124124c= \
  -e BATON_PRIVATE_KEY_PATH=/out/my-private-key.pem \
  ghcr.io/conductorone/baton-snowflake:latest -f "/out/sync.c1z"
docker run --rm -v $(pwd):/out ghcr.io/conductorone/baton:latest -f "/out/sync.c1z" resources

source


go install github.com/conductorone/baton/cmd/baton@main
go install github.com/conductorone/baton-snowflake/cmd/baton-snowflake@main

BATON_ACCOUNT_URL=https://abcdsa-abcdsa123.snowflakecomputing.com \
BATON_ACCOUNT_IDENTIFIER=abcdsa-abcdsa123 \
BATON_USER_IDENTIFIER=user1 \
BATON_PUBLIC_KEY_FINGERPRINT=s98YHSRV+12124142124124124c= \
BATON_PRIVATE_KEY_PATH=./my-private-key.pem \
baton-snowflake

baton resources

Data Model

baton-snowflake will fetch information about the following Baton resources:

  • Users
  • Account Roles
  • Databases
  • Integrations

Integrations

baton-snowflake syncs account-level integrations via SHOW INTEGRATIONS and marks them as non-human identities by integration type: EXTERNAL OAUTH security integrations are tagged as app registrations, while STORAGE and API integrations are tagged as assumable roles (they assume a cloud IAM role).

SHOW INTEGRATIONS returns only the integrations the connector's current role has been granted at least one privilege on. A role holding MANAGE GRANTS (e.g. ACCOUNTADMIN or SECURITYADMIN) sees every integration in the account; a more restricted role simply sees a smaller set. No integrations are returned (and the sync is unaffected) if the role can see none.

Contributing, Support and Issues

We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a GitHub Issue!

See CONTRIBUTING.md for more details.

baton-snowflake Command Line Usage


baton-snowflake

Usage:
baton-snowflake [flags]
baton-snowflake [command]

Available Commands:
capabilities Get connector capabilities
completion Generate the autocompletion script for the specified shell
help Help about any command

Flags:
--account-identifier string   required: Account Identifier. ($BATON_ACCOUNT_IDENTIFIER)
--account-url string          required: Account URL. ($BATON_ACCOUNT_URL)
--client-id string            The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
--client-secret string        The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
--excluded-databases strings  Database names to exclude from sync, case-insensitive. Can be specified multiple times. ($BATON_EXCLUDED_DATABASES)
-f, --file string             The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
-h, --help                    help for baton-snowflake
--log-format string           The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
--log-level string            The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
--private-key string          Private Key (PEM format). ($BATON_PRIVATE_KEY)
--private-key-path string     Private Key Path. ($BATON_PRIVATE_KEY_PATH)
-p, --provisioning            This must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
--skip-full-sync              This must be set to skip a full sync ($BATON_SKIP_FULL_SYNC)
--sync-secrets                Enable synchronization of Snowflake secrets. ($BATON_SYNC_SECRETS)
--ticketing                   This must be set to enable ticketing support ($BATON_TICKETING)
--user-identifier string      required: User Identifier. ($BATON_USER_IDENTIFIER)
-v, --version                 version for baton-snowflake

Use "baton-snowflake [command] --help" for more information about a command.
