Connect Snowflake
Snowflake is a first-class source. We recommend a dedicated role, a sized warehouse, and key-pair authentication — no passwords on the wire.
1. Create role, warehouse, user
Run as ACCOUNTADMIN:
-- Dedicated role
CREATE ROLE OA_READER;
GRANT USAGE ON DATABASE MYDB TO ROLE OA_READER;
GRANT USAGE ON ALL SCHEMAS IN DATABASE MYDB TO ROLE OA_READER;
GRANT SELECT ON ALL TABLES IN DATABASE MYDB TO ROLE OA_READER;
GRANT SELECT ON ALL VIEWS IN DATABASE MYDB TO ROLE OA_READER;
GRANT SELECT ON FUTURE TABLES IN DATABASE MYDB TO ROLE OA_READER;

-- Dedicated warehouse (X-Small is enough for most BI workloads)
CREATE WAREHOUSE OA_WH
  WAREHOUSE_SIZE = XSMALL
  AUTO_SUSPEND = 60
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE;
GRANT USAGE ON WAREHOUSE OA_WH TO ROLE OA_READER;

-- Service user with key-pair auth
CREATE USER OA_SVC
  DEFAULT_ROLE = OA_READER
  DEFAULT_WAREHOUSE = OA_WH
  RSA_PUBLIC_KEY = '<paste-public-key-PEM-body>';
GRANT ROLE OA_READER TO USER OA_SVC;
2. Generate the key pair
openssl genrsa -out oa_rsa.pem 2048
openssl rsa -in oa_rsa.pem -pubout -out oa_rsa.pub
Paste the body of oa_rsa.pub (without -----BEGIN/END----- lines) into RSA_PUBLIC_KEY above. Upload oa_rsa.pem in the OneAnalytics connection dialog — we store it encrypted at rest with the workspace KMS key.
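An added check for this step (example code, not part of OneAnalytics or Snowflake tooling): it prints the one-line key body to paste into RSA_PUBLIC_KEY, confirms that oa_rsa.pem and oa_rsa.pub belong to the same key pair, and prints the fingerprint to compare with the RSA_PUBLIC_KEY_FP property shown by DESC USER OA_SVC. The function names and the script name oa_key_check.sh are assumptions of this example.

```bash
#!/bin/sh
# Added example; function names are this example's own, not OneAnalytics tooling.

# Body of a PEM file as one line (BEGIN/END lines and newlines removed):
# the value to paste into RSA_PUBLIC_KEY.
pem_body() {
  grep -v -- '-----' "$1" | tr -d ' \r\n'
}

# Hash DER bytes from stdin into the "SHA256:<base64>" form.
_fp_from_der() {
  printf 'SHA256:%s\n' "$(openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Fingerprint of a public key file; fails if the file is not a valid key.
pubkey_fp() {
  openssl rsa -pubin -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | _fp_from_der
}

# Fingerprint of the public half of a private key file.
privkey_fp() {
  openssl rsa -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | _fp_from_der
}

# Usage: sh oa_key_check.sh oa_rsa.pub oa_rsa.pem
if [ "$#" -eq 2 ]; then
  pub_fp=$(pubkey_fp "$1")   || { echo "not a public key: $1" >&2; exit 1; }
  priv_fp=$(privkey_fp "$2") || { echo "not a private key: $2" >&2; exit 1; }
  [ "$pub_fp" = "$priv_fp" ] || { echo "key files do not match" >&2; exit 1; }
  echo "RSA_PUBLIC_KEY    = $(pem_body "$1")"
  echo "RSA_PUBLIC_KEY_FP = $pub_fp"
fi
```

A mismatch between the printed fingerprint and the one Snowflake reports means the pasted body was truncated or came from a different key.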
3. Add the connection
Sources → Add → Snowflake:
- Account: abc12345.ap-south-1.aws (from your Snowflake URL, minus .snowflakecomputing.com)
- User: OA_SVC
- Role: OA_READER
- Warehouse: OA_WH
- Database: MYDB
- Schema: (optional, restricts browser)
- Auth: Key pair → upload oa_rsa.pem
4. Pick a mode
Snowflake's compute-on-demand makes Direct mode attractive — auto-suspend keeps the warehouse off when idle, and each query spins it up (2-3 s cold start). Use Import only if you need to isolate OneAnalytics traffic entirely or avoid Snowflake compute costs.
Cost control
- Query tag: We tag every query with app=oneanalytics,workspace_id=<uuid> for attribution in SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY.
- Result cache: We respect it — identical queries within 24 h are free.
- Statement timeout: Defaults to 120 s on our side; configure in Dataset Settings.
Network policy
If you use a Snowflake network policy, allowlist our egress IPs (10.20.0.129/32, 10.20.0.130/32) or connect via the gateway agent's static IP.