Snowflake Integration Setup

Honeydew is built on top of Snowflake and requires access to Snowflake in order to operate. You have two options to set up Snowflake access - either using a central org-level connection parameters or map your individual Snowflake user credentials to Honeydew. If you would like to use a central org-level connection, it is advised to create a new dedicated Snowflake user for Honeydew integration. The following Snowflake connection parameters are required for Honeydew setup:
  1. Account name
  2. Username
  3. Role
  4. Warehouse

Authentication Methods

Honeydew supports the following authentication methods for Snowflake:

Key-pair authentication

This is the recommended method for org-level service accounts. For this method, you will need to provide a Private Key and possibly a Private Key Passphrase (if used).
1

Generate a key pair

Generating an unencrypted private key can be done using the following command:
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
Generating an encrypted private key can be done using the following command:
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8
Generating the public key:
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
Store the generated keys in a secure location.
2

Assign the public key to a Snowflake user

To assign the public key to a Snowflake user, execute the following SQL command in Snowflake:
 -- Replace <HONEYDEW_USER> with the Snowflake user name and <PUBLIC_KEY> with the content of the rsa_key.pub file
ALTER USER <HONEYDEW_USER> SET RSA_PUBLIC_KEY='<PUBLIC_KEY>';
Exclude the public key delimiters in the SQL statement.
3

Configure the Snowflake connection in Honeydew

In Honeydew App settings page, configure the Snowflake connection using the Private Key and Private Key Passphrase (if used) from the previous step.

OAuth authentication

This is the recommended method for individual users credentials. Each user will need to connect to Honeydew using their own Snowflake OAuth credentials. For this method, you will need to create a new Snowflake OAuth integration and then provide a Client ID and Client Secret. When Snowflake OAuth is used, users can authorize their Honeydew credentials using SSO via Snowflake. If Snowflake is set up with SSO through a third-party identity provider, Honeydew users can use this method to log into Snowflake and authorize Honeydew credentials without any additional setup.

OAuth integration configuration

1

Locate the Honeydew redirect URI

You will need to provide the Honeydew redirect URI when creating the OAuth integration in Snowflake. The redirect URI can be found in the Honeydew App settings page under the Snowflake connection section. It should look like this (exact URI may vary based on your Honeydew deployment):
https://api.honeydew.cloud/oauth2callback
Save it for later use.
2

Create a Snowflake OAuth integration

To create a new OAuth integration in Snowflake, execute the following SQL command. You can find the complete documentation on creating an oauth integration here.In the following query, replace <REDIRECT_URI> with the Honeydew redirect URI you saved in the previous step. Replace <VALIDITY_IN_SECONDS> with the desired validity period for the refresh token - for example, 2592000 for 30 days. If not provided, the default is 7776000 (90 days).If you are using secondary roles, please include OAUTH_USE_SECONDARY_ROLES = 'IMPLICIT' in the statement. If you would like to pre-authorize specific roles for OAuth authentication, provide the PRE_AUTHORIZED_ROLES_LIST parameter with a list of the actual role names you want to pre-authorize.
CREATE OR REPLACE SECURITY INTEGRATION HONEYDEW_OAUTH_INTEGRATION   -- Replace HONEYDEW_OAUTH_INTEGRATION with your desired integration name
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = '<REDIRECT_URI>'                 -- Replace with the Honeydew redirect URI
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = <VALIDITY_IN_SECONDS>  -- Replace with desired validity period in seconds
  NETWORK_POLICY = '<NETWORK_POLICY>'                   -- (Optional) Replace with the name of the network policy to use, if any
  PRE_AUTHORIZED_ROLES_LIST = ( '<role_name1>', ...)    -- (Optional) Replace with the list of roles that will be used for OAuth authentication
  OAUTH_USE_SECONDARY_ROLES = IMPLICIT;                 -- (Optional) Required for secondary roles
Additional configuration options may be specified for the security integration as needed.
When defining a network policy for the OAuth integration, ensure that it allows access from the Honeydew IP addresses, in combination with any IP addresses that are used to access Snowflake from your SSO provider (e.g. Okta, etc..).
Only Snowflake users with the ACCOUNTADMIN role or a role with the global CREATE INTEGRATION privilege can execute this SQL command
3

Retrieve OAuth Client ID and Client Secret

Once the OAuth integration is created, you can configure the Snowflake connection in Honeydew. First, retrieve the Client ID and Client Secret for the OAuth integration you just created. You can do this by executing the following SQL command in Snowflake:
WITH
OAUTH_SECRETS as (
  select PARSE_JSON(
    system$SHOW_OAUTH_CLIENT_SECRETS('HONEYDEW_OAUTH_INTEGRATION')) as SECRETS_JSON     -- Replace HONEYDEW_OAUTH_INTEGRATION with your integration name
)
SELECT
  SECRETS_JSON:"OAUTH_CLIENT_ID"::string as CLIENT_ID,
  SECRETS_JSON:"OAUTH_CLIENT_SECRET"::string as CLIENT_SECRET
from
  OAUTH_SECRETS;
4

Configure the Snowflake connection in Honeydew

In Honeydew App settings page, configure the Snowflake connection using the Client ID and Client Secret from previous step.

User setup

Once Snowflake OAuth integration is configured, Honeydew users will be able to provide their credentials via OAuth. By clicking “Connect to Snowflake” in the Snowflake settings, users will be redirected to Snowflake to authorize with the configured SSO provider.

PAT (programmatic access tokens) authentication

For this method, you will need to provide a generated access token.
1

Generate a PAT in Snowflake

Follow the steps in the Snowflake documentation to create a PAT. Note the prerequisites required for PAT generation, such as:
2

Configure the PAT in Honeydew

In Honeydew App settings page, configure the Snowflake connection using the Access Token generated in Snowflake.

Password authentication

For this method, you will need to provide a password, and will likely be required to approve access via MFA.
Password authentication is not recommended for production use.
It is advised to use Key-pair authentication for Snowflake integration, when using an org-level service account, and to use OAuth authentication or PAT (programmatic access tokens) authentication for individual users credentials.It is strongly recommended to keep MFA enabled for any Snowflake users that are integrated with Honeydew.
The following Snowflake connection parameters are required to be able to deploy dynamic datasets to Snowflake:
  1. Database - the database where Honeydew will deploy any dynamic datasets as views or tables
  2. Schema - the schema where Honeydew will deploy any dynamic datasets as views or tables
  3. Dev Database - the database where Honeydew will deploy any dynamic datasets as views or tables when working on a dev branch
  4. Dev Schema - the schema where Honeydew will deploy any dynamic datasets as views or tables when working on a dev branch

Allowing Honeydew client IP addresses

If you have IP-based access restrictions in Snowflake, add the IP addresses displayed in the Snowflake connection screen in Honeydew App settings page to the “Allowed IP Addresses” list.
For the Honeydew Cloud deployment, the following IP addresses are used:
  • 34.86.209.90
  • 34.145.147.92
If you are using a private Honeydew deployment, the IP addresses will be different. You can find them in the Snowflake connection screen in Honeydew App settings page.

Permissions

Honeydew does not process any Snowflake data, but only reads metadata and deploys views/tables. You can find more security-related information here. If using an integration user deployment, the Honeydew integration user/role require the following permissions to operate:
  1. USAGE on any databases and schemas which will be used as part of the semantic layer
  2. SELECT on any tables/views which will be used as part of the semantic layer
  3. CREATE TABLE, CREATE DYNAMIC TABLE and CREATE VIEW on the database/schema where dynamic datasets will be deployed
Honeydew has a growing number of AI-powered features, built on top of Snowflake Cortex. To be able to use these features in Honeydew, the SNOWFLAKE.CORTEX_USER database role is required to be granted:
-- Grant the SNOWFLAKE.CORTEX_USER role to the user role created for Honeydew integration
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE HONEYDEW_USER_ROLE;
For more details, see the Snowflake Cortex documentation.