# Snowflake

## Overview

Snowflake is a cloud-based data platform that enables organizations to build data pipelines, analytics, and AI applications. Connect Akto Argus to your Snowflake account to discover Cortex-based agents and Cortex Search Services, and fetch related metadata.

This visibility helps you identify agentic workloads running in Snowflake and assess associated security risks across both execution and retrieval layers. Once connected, Akto Argus automatically:

* **Discovers Cortex AI Agents and Search Services**: Fetches all AI agents and Cortex Search Services from your Snowflake account
* **Monitors Agent Activity**: Captures agent execution data, including prompts, responses, retrievals, and API interactions
* **Sends Traffic to Akto**: Transmits API and retrieval traffic data to Akto for comprehensive security analysis

## Prerequisites

Before setting up the Snowflake connector, ensure you have completed the following:

1. **Traffic Processor** – Configure your Traffic Processor first. Follow the [Hybrid SaaS Setup Guide](/akto-argus-agentic-ai-security-for-homegrown-ai/connectors/others/hybrid-saas.md) for detailed instructions.
2. **Snowflake Account** – Active Snowflake account with Cortex AI capabilities enabled
3. **Authentication Credentials** – One of the following authentication methods:
   * Username and password
   * OAuth token
   * RSA key pair (recommended for production)
4. **Network Access** – Ensure connectivity between the connector service and:
   * Your Snowflake account URL
   * Akto Data Ingestion Service
   * Kafka broker endpoint

## Steps to Connect

{% stepper %}
{% step %}
**Open the Snowflake Connector in Akto Argus**

1. Navigate to **Akto Argus**.
2. Open **Connectors**.
3. Under **AI Agent Security**, locate the **Snowflake** connector card.
4. Select **Connect** to open setup dialog.
   {% endstep %}

{% step %}
**Enter the Snowflake Account URL**

Enter the base URL of your Snowflake account in the **Snowflake Account URL** field.

* Format:\
  `https://<account_identifier>.<region>.snowflakecomputing.com`
* The value can be obtained from:
  * The browser address bar when accessing the Snowflake UI, or
  * Snowflake account settings.
    {% endstep %}

{% step %}
**Select the Authentication Method**

Select the authentication method used to access your Snowflake account from the **Authentication Method** dropdown.

Available options:

{% tabs %}
{% tab title="Username & Password" %}

* Enter the Snowflake username in the **Username** field.
  * The username must exist in the target Snowflake account.
  * The user must have permissions to query Cortex-related metadata.
* Enter the password for the specified Snowflake user in the **Password** field.

{% hint style="info" %}
The password is used only for authentication. Akto Argus does not modify Snowflake configuration.
{% endhint %}
{% endtab %}

{% tab title="OAuth Token" %}
Enter a valid Snowflake OAuth access token in the **OAuth Token** field.

* The token must be generated using a Snowflake-configured OAuth integration.
* The token must grant read access to required metadata.
  {% endtab %}

{% tab title="Key Pair (RSA)" %}

* Enter the Snowflake username associated with the RSA key pair.
  * The user must have the public key registered in Snowflake.
* Paste the RSA private key in PEM format into the **Private Key (RSA)** field.
  * Format:

    ```
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    ```
  * The corresponding public key must already be associated with the Snowflake user.
* If the private key is encrypted, enter the passphrase in the **Private Key Passphrase** field.
  {% endtab %}
  {% endtabs %}
  {% endstep %}

{% step %}
**Specify Warehouse, Database, and Schema(Optional)**

You may optionally specify:

* **Warehouse**
* **Database**
* **Schema**

These fields control query execution context.
{% endstep %}

{% step %}
**Enter the Data Ingestion Service URL**

Enter the URL of your **self-hosted data ingestion service** in the **URL for Data Ingestion Service** field in order to forward agent execution and telemetry data into your environment for processing.

{% hint style="warning" %}
**Note**

* The ingestion service must be deployed and exposed in your infrastructure.
* The URL must be reachable from Akto.
* The endpoint receives metadata collected by Akto for this connector.
  {% endhint %}
  {% endstep %}

{% step %}
**Complete the Integration**

1. Review all entered values.
2. Select **Import** to finalise the connection.
   {% endstep %}
   {% endstepper %}

## Data Collection

The Snowflake connector captures two categories of information:

### Agent Metadata

* **Cortex AI Agents**: All AI agents built using Snowflake Cortex in your account
* **Agent Configurations**: Model selection, parameters, and settings
* **Cortex Functions**: Usage of built-in Cortex AI functions (COMPLETE, SENTIMENT, TRANSLATE, etc.)

### Agent Execution Data

* **Recent Activity**: Agent executions from the past 60 minutes
* **Input Data**: Prompts, queries, and parameters sent to agents
* **Output Data**: Agent responses and generated content
* **API Interactions**: External API calls made by agents
* **Performance Metrics**: Execution time and resource consumption

## Troubleshooting

### Connection Issues

**Problem**: Cannot connect to Snowflake account

**Solutions**:

* Verify `SNOWFLAKE_ACCOUNT_URL` is correct and includes the region (e.g., `xyz12345.us-east-1.snowflakecomputing.com`)
* Ensure network connectivity from the connector to Snowflake
* Check firewall rules allow outbound HTTPS connections to Snowflake

### Authentication Errors

**Problem**: Authentication failed

**Solutions**:

* **For Password Auth**: Verify username and password are correct
* **For Token Auth**: Ensure OAuth token is valid and not expired
* **For Key Pair Auth**:
  * Verify public key is registered in Snowflake (`DESC USER username`)
  * Ensure private key format is correct (PKCS#8 PEM format)
  * Check passphrase if the private key is encrypted

### Permission Issues

**Problem**: Access denied to warehouse/database/schema

**Solutions**:

* Grant necessary permissions to your Snowflake user:

  ```sql
  -- Create role and user
  CREATE ROLE IF NOT EXISTS <AKTO_CONSUMER>;
  CREATE USER IF NOT EXISTS <AKTO_USER> DEFAULT_ROLE = <AKTO_CONSUMER>;
  GRANT ROLE <AKTO_CONSUMER> TO USER <AKTO_USER>;

  -- Read-only access to AI observability events (via application role)
  -- Read access to AI observability events (traces, spans, metrics)
  GRANT APPLICATION ROLE SNOWFLAKE.AI_OBSERVABILITY_READER TO ROLE <AKTO_CONSUMER>;

  -- Account-level monitoring to discover all agents, cortex search services and view usage stats
  GRANT MONITOR USAGE ON ACCOUNT TO ROLE <AKTO_CONSUMER>;

  -- Required to query Cortex agent metadata and observability functions
  GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE <AKTO_CONSUMER>;

  -- Monitor ALL existing agents and search
  -- Replace <DB> and <SCHEMA> with each agent's location or cortex search location
  GRANT USAGE ON DATABASE <DB> TO ROLE <AKTO_CONSUMER>;
  GRANT USAGE ON SCHEMA <DB>.<SCHEMA> TO ROLE <AKTO_CONSUMER>;
  GRANT MONITOR ON AGENT <DB>.<SCHEMA>.<AGENT_NAME> TO ROLE <AKTO_CONSUMER>;

  -- Future agents or search services added
  -- GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <DB>
  TO ROLE <AKTO_CONSUMER>;
  ```

### No Agents Appearing

**Problem**: Connector is running but no agents appear in Akto

**Solutions**:

* Verify Snowflake Cortex is enabled in your account
* Ensure you have AI agents deployed in Snowflake
* Check `SNOWFLAKE_DATABASE` and `SNOWFLAKE_SCHEMA` point to the correct location
* Verify Traffic Processor is running and accessible

## Get Support

If you need assistance with the Snowflake connector:

* **In-app Chat**: Use the chat widget in your Akto dashboard for instant support
* **Discord Community**: Join our community at [discord.gg/Wpc6xVME4s](https://discord.gg/Wpc6xVME4s)
* **Email Support**: Contact us at <support@akto.io>
* **Contact Form**: Submit a support request at <https://www.akto.io/contact-us>

Our team is available 24/7 to help with setup, troubleshooting, and best practices.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ai-security-docs.akto.io/akto-argus-agentic-ai-security-for-homegrown-ai/connectors/ai-agent-security/snowflake.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.