Snowflake
Sonora connects to Snowflake using key-pair authentication. Sonora generates and secures the key pair—you configure your Snowflake account with the public key we provide. The private key never leaves Sonora’s infrastructure.
Snowflake imports are product usage only. Customer records are matched using external IDs from an existing customer source (for example Salesforce or HubSpot).
If you need a starting point for structuring your data, use the Product Usage Upload Template to see the expected format.
Customer matching setup
Section titled “Customer matching setup”In Snowflake Product Usage settings, choose the Customer External ID Source that owns the account IDs in your Snowflake table.
- If your table uses Salesforce Account IDs, select
salesforceorsalesforce_oauth. - If your table uses HubSpot Company IDs, select
hubspot. - If your table uses Kong Excel customer IDs, select
kong_excel.
If this source is not set, product usage imports will fail until it is configured.
Prerequisites
Section titled “Prerequisites”You need ACCOUNTADMIN or SECURITYADMIN privileges in Snowflake.
Network configuration
Section titled “Network configuration”Sonora connects from static IPs listed on the IP allowlist page. If your Snowflake account uses network policies, add those addresses to allow connections.
Create role and user
Section titled “Create role and user”Run these statements in a Snowflake worksheet. Replace the database, schema, and table names with your own:
-- Create a role for Sonora with read-only accessCREATE ROLE IF NOT EXISTS SONORA_SVC_ROLE;
-- Grant access to your reporting database and schemaGRANT USAGE ON DATABASE REPORTING TO ROLE SONORA_SVC_ROLE;GRANT USAGE ON SCHEMA REPORTING.ANALYTICS TO ROLE SONORA_SVC_ROLE;
-- Grant SELECT on specific tables (repeat for each table)GRANT SELECT ON TABLE REPORTING.ANALYTICS.USAGE_METRICS TO ROLE SONORA_SVC_ROLE;
-- Create a warehouse for Sonora queries (XSMALL keeps costs low)CREATE WAREHOUSE IF NOT EXISTS SONORA WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE;
GRANT USAGE ON WAREHOUSE SONORA TO ROLE SONORA_SVC_ROLE;
-- Create the service accountCREATE USER IF NOT EXISTS SONORA_SVC TYPE = SERVICE DEFAULT_ROLE = SONORA_SVC_ROLE DEFAULT_WAREHOUSE = SONORA;
GRANT ROLE SONORA_SVC_ROLE TO USER SONORA_SVC;Configure the public key
Section titled “Configure the public key”Your Sonora contact will provide a public key string. Add it to your service account:
ALTER USER SONORA_SVC SET RSA_PUBLIC_KEY = '<public key from Sonora>';Share connection details
Section titled “Share connection details”Send your Sonora contact the following so we can complete the setup:
| Field | Example |
|---|---|
| Account | ACME-AB12345 (from your Snowflake URL) |
| User | SONORA_SVC |
| Role | SONORA_SVC_ROLE |
| Warehouse | SONORA |
| Database | REPORTING |
| Schema | ANALYTICS |
Your account identifier appears in your Snowflake URL as https://<account>.snowflakecomputing.com, or query it with SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT();.
Troubleshooting
Section titled “Troubleshooting”“Invalid public key” — Confirm you copied the entire key string from Sonora without adding line breaks or extra characters.
“User does not have permission” — Check grants with SHOW GRANTS TO ROLE SONORA_SVC_ROLE;. The role needs USAGE on the database, schema, and warehouse, plus SELECT on each table.
Connection timeout — Verify the account identifier matches your URL exactly. If using network policies, confirm Sonora’s IPs are allowlisted. Check that AUTO_RESUME = TRUE on the warehouse.