Configuring Snowflake Data Sources

This guide explains how to connect your Snowflake account to CerteroX for cost management. The integration queries Snowflake's built-in ACCOUNT_USAGE schema to collect credit consumption and storage usage data.

Step 1: Create a Custom Role for CerteroX

Rather than using a broad built-in role, create a dedicated role with the minimum permissions CerteroX needs.

1. Sign in to the Snowflake web interface with a user that has the ACCOUNTADMIN role.

2. Navigate to Workspaces and open a new SQL worksheet.

3. Run the following SQL to create a custom role:

4. Grant access to the Snowflake account usage data. There are two approaches:

   Option A — Grant the USAGE_VIEWER database role (recommended):
   This provides access to historical usage and metering views without exposing organisation-level data.

   9

   1

   ›

   GRANT DATABASE ROLE SNOWFLAKE.USAGE_VIEWER TO ROLE CERTEROX_ROLE;

   Option B — Grant IMPORTED PRIVILEGES on the SNOWFLAKE database:
   This provides broader access to all Account Usage views.

   9

   1

   ›

   GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE CERTEROX_ROLE;

Note: Only the ACCOUNTADMIN role can grant privileges on the SNOWFLAKE database. Account Usage views have a data latency of between 45 minutes and 3 hours depending on the view.

Step 2: (Optional) Grant Warehouse Access

If you want CerteroX to use a specific warehouse for running its metering queries, grant USAGE on that warehouse to the custom role:

If no warehouse is specified when creating the data source in CerteroX, Snowflake will use the service user's default warehouse.

Step 3: Create a Service User

Create a dedicated service user that CerteroX will authenticate as. Service users (TYPE = SERVICE) are designed for non-interactive, application-to-application access.

1. In the Snowflake web interface, navigate to Workspaces and open a SQL worksheet, then run:

2. Grant the custom role to the service user:

Note: Creating users requires the USERADMIN role (or higher) by default. Setting TYPE = SERVICE ensures the user is intended for programmatic access only.

Step 4: Set Up a Network Policy for the Service User

Service users (TYPE = SERVICE) must be subject to a network policy before they can generate or use Programmatic Access Tokens. If your Snowflake account does not already have an account-level network policy, create one for the service user.

1. Create a network policy that allows access from your required IP ranges:

2. Assign the policy to the service user:

Important: The example above uses 0.0.0.0/0 which allows access from any IP address. For production environments, restrict this to the CerteroX platform IP addresses. Contact Certero support for the current list of IP ranges if required.

Step 5: Generate a Programmatic Access Token

CerteroX authenticates using a Programmatic Access Token (PAT) for the service user.

Via the Snowflake Web Interface

1. Sign in to the Snowflake web interface and navigate to Governance & security > Users & Roles in the left sidebar.

2. Select the CERTEROX_USER you created in Step 3.

3. Under the Programmatic access tokens section, click Generate new token.

4. In the dialog, fill in:

   • Token name: A descriptive name (e.g. certerox_pat). Must start with a letter or underscore, and can contain letters, numbers and underscores only.

   • Comment: Optional description (e.g. "CerteroX cost data integration").

   • Expires in (days): Set an appropriate expiry period (maximum 365 days).

   • Role restriction: Select CERTEROX_ROLE.

5. Click Generate.

6. Copy the token immediately. The token value is only displayed once — after you close the dialog, it cannot be retrieved.

Via SQL

Alternatively, in a SQL worksheet under Workspaces, run:

The token value will be returned in the command output. Copy it immediately.

Important: The token value is only shown once at creation time. Store it securely. Each user can have a maximum of 15 tokens. Tokens cannot have their expiry or role restriction modified after creation — you must revoke and re-create the token to change these settings.

Step 6: Find Your Account Identifier

CerteroX requires your Snowflake account identifier in the format orgname-accountname.

Via the Snowflake Web Interface

1. In the bottom-left corner of the Snowflake web interface, click the account selector (your account name).

2. Hover over your account and click the link icon or select View account details.

3. Copy the account identifier shown (e.g. MYORG-MYACCOUNT).

Via SQL

In a SQL worksheet under Workspaces, run:

Note: The account identifier is case-insensitive. If your account name contains underscores, you may also substitute hyphens (e.g. both myorg-my_account and myorg-my-account are valid). Do not include the .snowflakecomputing.com domain suffix.

Step 7: Create the Snowflake Data Source in CerteroX

1. Log in to CerteroX and navigate to Settings > Data Sources.

2. Click Actions and select Add.

3. Select Snowflake.

4. Fill in the following fields:

5. Click the Connect button.

Step 8: Verify the Connection

1. Return to Settings > Data Sources in CerteroX.

2. Click on your Snowflake data source.

3. Check the Status indicator — it should show as connected.

4. Navigate to the Advanced tab to view detailed data ingestion information.

Note: Initial cost data may take up to one hour to appear while CerteroX queries and processes your Snowflake usage data.

What Data is Collected

CerteroX queries the following Snowflake views to build your cost data:

Costs are calculated using Snowflake's standard on-demand pricing:

• Compute: $3.00 per credit

• Storage: $23.00 per TB/month

Token Maintenance

Programmatic Access Tokens expire based on the period set during creation. To avoid data collection interruptions:

• Rotate a token (generates a new secret with extended expiry):

• Revoke and re-create a token:

After rotating or re-creating a token, update the Access Token value in your CerteroX data source settings.