Infisical supports connecting to Snowflake using a Username and a Programmatic Access Token (PAT). PATs are scoped, revocable credentials that authenticate as a Snowflake user without exposing the user’s password.

Prerequisites

  • A Snowflake account with permission to create Programmatic Access Tokens.
  • The account identifier for your Snowflake instance, which combines your organization name and account name. You can find it in your Snowflake login URL (https://app.snowflake.com/orgName/accountName/#/account/users) or under Account Details in Snowsight.

Create a Snowflake Programmatic Access Token

1. Open Snowsight User Settings

In Snowsight, open the sidebar menu and select User & Roles under Governance & Security.
2. Create a new User

Click Create user in the top-right corner.
3. Configure user details and role

Provide a Username and assign a role. The role must have permission to create and manage secrets in the target database. The snippet below grants the minimum required privileges (alternatively, assign the ACCOUNTADMIN role).

If you decide to go with a custom role, run the following snippet:
-- Grant INFISICAL user access to SECRET_SYNC_TEST
CREATE ROLE IF NOT EXISTS INFISICAL_ROLE;
GRANT ROLE INFISICAL_ROLE TO USER INFISICAL; -- Change INFISICAL to be your user

GRANT ALL PRIVILEGES ON DATABASE SECRET_SYNC_TEST TO ROLE INFISICAL_ROLE;
GRANT ALL PRIVILEGES ON SCHEMA SECRET_SYNC_TEST.PUBLIC TO ROLE INFISICAL_ROLE;
GRANT OWNERSHIP ON ALL SECRETS IN SCHEMA SECRET_SYNC_TEST.PUBLIC TO ROLE INFISICAL_ROLE REVOKE CURRENT GRANTS; -- Transfers ownership
GRANT OWNERSHIP ON FUTURE SECRETS IN SCHEMA SECRET_SYNC_TEST.PUBLIC TO ROLE INFISICAL_ROLE REVOKE CURRENT GRANTS; -- Transfers ownership
If you select a custom role, note that secret ownership is enforced per object. Existing secrets in the target schema remain owned by their creator unless you transfer ownership. Infisical must use a role that owns every secret it manages (required for CREATE OR REPLACE SECRET and DROP SECRET). If the schema already has secrets, run the GRANT OWNERSHIP ON ALL SECRETS ... statement; always keep the GRANT OWNERSHIP ON FUTURE SECRETS ... statement.
4. Create a network policy

Programmatic Access Tokens require an attached network policy that defines the IPs allowed to authenticate as this user.
CREATE NETWORK POLICY INFISICAL_SYNC_POLICY
    ALLOWED_IP_LIST = ('0.0.0.0/0')
    COMMENT = 'Allow access from any IP';

ALTER USER INFISICAL set NETWORK_POLICY = 'INFISICAL_SYNC_POLICY';
Be careful with the IPs you allow in your network policy. Using 0.0.0.0/0 allows access from any IP address, which can be dangerous in production. Prefer restricting the list to only the IP ranges that should be allowed to authenticate (for example, your corporate NAT(s) and/or Infisical’s outbound IPs if you have them).
5. Generate a Programmatic Access Token

Open the Programmatic access tokens tab and click Generate new token. Give the token a descriptive name (e.g. infisical) and configure its expiration and role restrictions according to your security policy.
6. Copy the Token

Copy the generated token. Snowflake only displays it once, so store it somewhere secure for the next step.
7. Copy the Snowflake Account

Copy the Account identifier. The fastest way is to read it from your Snowsight URL (https://app.snowflake.com/orgName/accountName/#/account/users), where the identifier is orgName-accountName.

Alternatively, click your username in the bottom-left corner, open Account details, and copy the Account value from the Config File tab.
Create a dedicated Snowflake user (or role) for Infisical rather than reusing a personal account. This keeps the connection’s blast radius small and makes it easy to rotate or revoke access independently.

Create Snowflake Connection in Infisical

1. Navigate to App Connections

In your Infisical dashboard, go to Organization Settings > App Connections.
2. Select Snowflake Connection

Click Add Connection and choose Snowflake from the list of available connections.
3. Fill out Connection Form

Complete the form with:
  • A name for the connection (e.g. snowflake-prod)
  • An optional description
  • The Snowflake Account identifier (e.g. orgName-accountName)
  • The Snowflake Username (the name of the user that was created)
  • The Programmatic Access Token generated in the previous section
4. Connection Created

After clicking Create, Infisical validates the credentials by opening a connection to your Snowflake account. Once validated, your Snowflake Connection is ready to use.