Snowflake Integration Setup
Honeydew is built on top of Snowflake and requires access to Snowflake in order to operate. You have two options to set up Snowflake access - either using a central org-level connection parameters or map your individual Snowflake user credentials to Honeydew. If you would like to use a central org-level connection, it is advised to create a new dedicated Snowflake user for Honeydew integration. The following Snowflake connection parameters are required for Honeydew setup:- Account name
- Username
- Role
- Warehouse
Authentication Methods
Honeydew supports the following authentication methods for Snowflake:Key-pair authentication
This is the recommended method for org-level service accounts. For this method, you will need to provide a Private Key and possibly a Private Key Passphrase (if used).1
Generate a key pair
- MacOS
- Windows
Generating an unencrypted private key can be done using the following command:Generating an encrypted private key can be done using the following command:Generating the public key:
2
Assign the public key to a Snowflake user
To assign the public key to a Snowflake user, execute the following SQL command in Snowflake:
Exclude the public key delimiters in the SQL statement.
3
Configure the Snowflake connection in Honeydew
In Honeydew App settings page,
configure the Snowflake connection using the Private Key and Private Key Passphrase (if used) from the previous step.
OAuth authentication
This is the recommended method for individual users credentials. Each user will need to connect to Honeydew using their own Snowflake OAuth credentials. For this method, you will need to create a new Snowflake OAuth integration and then provide a Client ID and Client Secret. When Snowflake OAuth is used, users can authorize their Honeydew credentials using SSO via Snowflake. If Snowflake is set up with SSO through a third-party identity provider, Honeydew users can use this method to log into Snowflake and authorize Honeydew credentials without any additional setup.OAuth integration configuration
1
Locate the Honeydew redirect URI
You will need to provide the Honeydew redirect URI when creating the OAuth integration in Snowflake.
The redirect URI can be found in the Honeydew App settings page under the Snowflake connection section.
It should look like this (exact URI may vary based on your Honeydew deployment):Save it for later use.
2
Create a Snowflake OAuth integration
To create a new OAuth integration in Snowflake, execute the following SQL command.
You can find the complete documentation on creating an oauth integration here.In the following query, replace Additional configuration options may be specified for the security integration as needed.
<REDIRECT_URI>
with the Honeydew redirect URI you saved in the previous step.
Replace <VALIDITY_IN_SECONDS>
with the desired validity period for the refresh token - for example, 2592000
for 30 days.
If not provided, the default is 7776000
(90 days).If you are using secondary roles, please include OAUTH_USE_SECONDARY_ROLES = 'IMPLICIT'
in the statement.
If you would like to pre-authorize specific roles for OAuth authentication,
provide the PRE_AUTHORIZED_ROLES_LIST
parameter with a list of the actual role names you want to pre-authorize.When defining a network policy for the OAuth integration, ensure that it allows access from the Honeydew IP addresses,
in combination with any IP addresses that are used to access Snowflake from your SSO provider (e.g. Okta, etc..).
Only Snowflake users with the
ACCOUNTADMIN
role or a role with the global CREATE INTEGRATION
privilege can execute this SQL command3
Retrieve OAuth Client ID and Client Secret
Once the OAuth integration is created, you can configure the Snowflake connection in Honeydew.
First, retrieve the Client ID and Client Secret for the OAuth integration you just created.
You can do this by executing the following SQL command in Snowflake:
4
Configure the Snowflake connection in Honeydew
In Honeydew App settings page,
configure the Snowflake connection using the Client ID and Client Secret from previous step.
User setup
Once Snowflake OAuth integration is configured, Honeydew users will be able to provide their credentials via OAuth. By clicking “Connect to Snowflake” in the Snowflake settings, users will be redirected to Snowflake to authorize with the configured SSO provider.PAT (programmatic access tokens) authentication
For this method, you will need to provide a generated access token.1
Generate a PAT in Snowflake
Follow the steps in the Snowflake documentation to create a PAT.
Note the prerequisites required for PAT generation, such as:
2
Configure the PAT in Honeydew
In Honeydew App settings page,
configure the Snowflake connection using the Access Token generated in Snowflake.
Password authentication
For this method, you will need to provide a password, and will likely be required to approve access via MFA.Password authentication is not recommended for production use.
It is advised to use Key-pair authentication for Snowflake integration, when using an org-level service account,
and to use OAuth authentication
or PAT (programmatic access tokens) authentication for individual users credentials.It is strongly recommended to keep MFA enabled for any Snowflake users that are integrated with Honeydew.
- Database - the database where Honeydew will deploy any dynamic datasets as views or tables
- Schema - the schema where Honeydew will deploy any dynamic datasets as views or tables
- Dev Database - the database where Honeydew will deploy any dynamic datasets as views or tables when working on a dev branch
- Dev Schema - the schema where Honeydew will deploy any dynamic datasets as views or tables when working on a dev branch
Allowing Honeydew client IP addresses
If you have IP-based access restrictions in Snowflake, add the IP addresses displayed in the Snowflake connection screen in Honeydew App settings page to the “Allowed IP Addresses” list.For the Honeydew Cloud deployment, the following IP addresses are used:
34.86.209.90
34.145.147.92
Permissions
Honeydew does not process any Snowflake data, but only reads metadata and deploys views/tables. You can find more security-related information here. If using an integration user deployment, the Honeydew integration user/role require the following permissions to operate:- USAGE on any databases and schemas which will be used as part of the semantic layer
- SELECT on any tables/views which will be used as part of the semantic layer
- CREATE TABLE, CREATE DYNAMIC TABLE and CREATE VIEW on the database/schema where dynamic datasets will be deployed
Snowflake Cortex Requirements
Honeydew has a growing number of AI-powered features, built on top of Snowflake Cortex. This includes the Honeydew Analyst Bot, which provides AI-assisted data exploration and analysis capabilities.Snowflake User Access Requirements
The Snowflake user used by Honeydew to connect to Snowflake, needs to have the SNOWFLAKE.CORTEX_USER role. This role is required for accessing Snowflake’s AI/ML capabilities that power the bot’s functionality.SNOWFLAKE.CORTEX_USER
role and how to grant it,
refer to the Snowflake Cortex documentation.
Claude 4 Sonnet Model Availability
claude-4-sonnet
model is required to be available in your Snowflake Cortex environment.
If this model is not available in the region where your Snowflake account is running,
you can enable cross-region inference.
To enable cross-region inference, you can use one of the following commands:
Enable across all regions:
Tracking Honeydew Queries in Snowflake
You can track and monitor queries executed by Honeydew in Snowflake using several methods. All queries from Honeydew include a standardized query tag that provides detailed information about the query context.Query Tag Format
All Honeydew queries include a query tag with the following JSON format:- application: Always set to “Honeydew”
- workspace: The Honeydew workspace name
- branch: The Honeydew workspace branch being used (e.g., “dev”, “prod”)
- user: The Honeydew user identifier (usually email address)
- client: The client name, usually “Honeydew Server” for server-side operations
Tracking Methods
You can track Honeydew queries using any of the following approaches:1. By User or Role
If you’re using dedicated Snowflake users or roles for Honeydew integration, you can filter queries by these identifiers in theSNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
view.
2. By Warehouse
If you’re using dedicated warehouses for Honeydew operations, you can filter by warehouse name in theSNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
view.