Snowflake

Snowflake Connectors are secure gateways through which data can be moved in and out of the Platform. Rather than a storage connector, that connects to a GCP or S3 bucket for example, a Snowflake connector is referred to as a database connector.

By connecting to your Snowflake instances, you may access tables and views within your Snowflake account and to then create them as Data Assets. In doing so, you are defining the location of the data that you reference from the platform.

Harbr supports Snowflake both as source for creating assets (requires only read access) or as a destination for exports (requires write access). However, if a Snowflake reader account is used to setup the connector, it will not be possible to use it for export.

Pre-requisites

To connect to a data source in Snowflake, you need:

  1. The ability to manage the Snowflake account containing your source data via the Snowflake management console

  2. Account URL.

  3. Programmatic Access Token

  4. Minimum Role/Permission:

    1. Read:

      1. USAGE on DBs/schemas/warehouse

      2. SELECT

    2. Write:

      1. CREATE TABLE

      2. INSERT

  5. Specific IP addresses to allowlist

IP Allowlisting for Snowflake

To allow the Harbr platform to connect to your Snowflake account, you will need to add specific IP addresses to your Snowflake allowlist. The IPs required depend on how you are using Snowflake within the platform.

Harbr Control Plane IPs

All customers must allowlist the Harbr Control Plane IPs. These are the IPs the platform uses to connect to your Snowflake account, routed through the Harbr NAT gateway. Contact your Customer Success Manager for the specific IP addresses applicable to your environment.

Databricks Workspace IPs (At-Source assets only)

If you are using At-Source assets with a Snowflake connector on a Databricks-based platform, additional IPs are required. At-Source assets use Foreign Catalogs within Databricks to query data directly in Snowflake, which means traffic originates from your Databricks workspace rather than the Harbr control plane.

There are two ranges to configure:

  1. NAT gateway IP addresses for your Databricks workspace VPC — these are specific to your deployment and will need to be sourced from your cloud account by your team.

  2. Databricks Serverless Compute IP range — rather than providing a static list, we recommend referencing the official Databricks documentation directly, so your team can apply the correct values for your deployment region.

If you are unsure which IPs apply to your environment, contact your Customer Success Manager.

To use PATs when setting up your Snowflake connector, you have several options:

PAT Setup Guide

To use Programmatic Access Tokens (PATs) when setting up your Snowflake connector, you have two options:

  1. Create a network policy that allows our platform's IP addresses (recommended)

  2. Disable the network policy requirement for PAT authentication at a user or account level

Choose the approach that best fits your organization's security requirements.

Option 1: Update an existing Network Policy with a new rule allowing Harbr IP addresses

As the primary recommended route, this option maintains strong network governance while allowing Harbr-originated PAT authentication.

Prerequisites

  • You must have ACCOUNTADMIN or SECURITYADMIN privileges

  • Harbr will provide a list of IP addresses. Contact Harbr Support if needed.

Steps

1. Log into Snowflake

  • Open the Snowflake web UI

  • Switch to ACCOUNTADMIN or SECURITYADMIN

    • Click your username → Switch Role

2. Create a new Network Rule containing Harbr IPs

Open a worksheet and run:

USE ROLE SECURITYADMIN;

CREATE OR REPLACE NETWORK RULE HARBR_PAT_ACCESS_RULE

  TYPE = IPV4

  MODE = INGRESS

  VALUE_LIST = (

    '<HARBR_IP_1>',

    '<HARBR_IP_2>',

    '<HARBR_IP_3>'

    -- include all Harbr IPs provided

  );


3. Add the new rule to your existing Network Policy

Determine which policy is applied to your account or integration user:

SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

Then attach the new rule:

ALTER NETWORK POLICY <EXISTING_POLICY_NAME>

  SET ALLOWED_NETWORK_RULE_LIST = (

    'HARBR_PAT_ACCESS_RULE',

    -- include any existing rules currently in the list

    '<OTHER_EXISTING_RULES>'

  );


After this step, Harbr’s IPs are allowed under your active Network Policy.

Verification

  • Create a Snowflake connector on the Harbr Platform.

  • The connection test should be successful. If not, please contact Support. 


Option 2: Modify an Existing Authentication Policy on the User

Use this option only if your Snowflake integration user already has an authentication policy assigned.

Prerequisites

  • ACCOUNTADMIN or SECURITYADMIN role

  • Verified integration user name

Steps

1. Check which Authentication Policy (if any) is assigned to the user:

DESC USER <HARBR_CONNECTOR_USER>;

If AUTHENTICATION_POLICY is set, extend that policy:

USE ROLE SECURITYADMIN;

ALTER AUTHENTICATION POLICY <EXISTING_POLICY_NAME>

  SET PAT_POLICY = (

    NETWORK_POLICY_EVALUATION = NOT_ENFORCED

  );

This ensures PAT authentication for this user does not require or enforce network policy checks.


Option 3: Create a New Authentication Policy

Use this option if the integration user does not have an authentication policy configured.

Prerequisites

  • ACCOUNTADMIN or SECURITYADMIN role

  • A security-focused database & schema (e.g. SECURITY_DB.SECURITY_SCHEMA) or another database and schema where policies are created and stored

Steps

  1. Create the policy

USE ROLE SECURITYADMIN;

USE DATABASE <SECURITY_DB>;

USE SCHEMA <SECURITY_SCHEMA>;

CREATE AUTHENTICATION POLICY HARBR_PAT_POLICY

  PAT_POLICY = (

    NETWORK_POLICY_EVALUATION = NOT_ENFORCED

  );

  1. Assign it to the Snowflake Connector user

ALTER USER <HARBR_CONNECTOR_USER>

SET AUTHENTICATION_POLICY = HARBR_PAT_POLICY;


Option 4: (Optional) Apply the Policy at the Account Level

Use this only if you wish for all users in your Snowflake account to adopt the same PAT behaviour. (created in option 3, step 1 above)

ALTER ACCOUNT 

SET AUTHENTICATION_POLICY = HARBR_PAT_POLICY;Verification

  • Try creating a PAT - it should work according to your chosen policy setting. 

  • If you encounter issues, please double check the guide or raise a ticket with Harbr Support for assistance. 

Creating Your Programmatic Access Token

Once you've completed an option (either 1, 2 3 or 4), progress to the following steps: 

  1. Navigate to your profile:

    • Click your username in the bottom left

    • Select "Settings"

  2. Go to the Authentication tab 

    • Programmatic access tokens

  3. Click "Generate new token"

    • Name: Enter a descriptive name (e.g., [YOUR_PLATFORM_NAME]_Connector)

    • Comment: Optional description

    • Lifetime: Choose appropriate duration (we recommend 1 year maximum)

    • Grant access

    • Click Generate Token

  4. Copy your token immediately:

    • Store the token securely

Importantly, copy the token value now - you won't be able to see it again

Create the Connector

  1. Click Manage on the Navigation bar.

  2. Select Connectors to view the Manage Connectors screen

  3. Click the Create Connector button at the top right

  4. Enter a Name for your Connector and a Description (optional)

  5. Choose Type > Snowflake .

  6. In the Harbr Snowflake connector configuration:

    • Account URL: Your Snowflake Url

    • Username: Your Snowflake username

    • PAT: Paste the PAT value you generated

  7. Add any Integration Metadata needed for programmatic integration.

  8. Click Create.

  9. Click Close

Note: You can use the Snowflake web interface or other supported Snowflake ETL software to integrate data using your connector.

Snowflake Data Assets

A Data Asset can be added to a Space when you specify what you need, just like a product. Snowflake Data Assets are remote which means that the data within the asset is queried in it’s remote location and is not transferred to the platform.

Once an asset has been added to a space, you can query it. Current naming conventions to access an asset is:

  • Asset Name: Mortgage Portfolio

  • Asset Source: Snowflake

  • Hue Catalog Name : Mortgage Portfolio

  • Trino Catalog Name: snwfl_mortgage_portfolio

select * from <trino_catalog_name>.<schema>.<table> limit 100;

where

<trino_catalogue_name> is the technical 'Trino Catalog Name' name shown above

<schema> is the "schema name" from the source system (e.g. Snowflake)

<table_name> is the name of a table in the schema.

Note

  • Use show catalogs command to get a list of catalogs and their names 

  • Do use <catalog name>; show schemas; commands to get a list of the schemas within a catalogQuery performance may be impacted if:

  • full volume table results are returned (>10 million records).

  • a query joins a Data Asset and data within a product.

  • the configuration of the Snowflake warehouse referenced by the Data Asset is sub-optimal.