Grant Yuki access to your Snowflake account

This guide explains how to grant Yuki secure, metadata-only access to your Snowflake account. You’ll create a dedicated service user, role, and warehouse, and authenticate Yuki using a key pair.

💡 Note: You don’t need to run these steps manually - our onboarding wizard will walk you through each step.

1. Network Policy (Optional)

If your Snowflake account uses a network policy, create one that allows Yuki’s IPs.

USE SCHEMA DATABASE_NAME.SCHEMA_NAME;
CREATE NETWORK POLICY yuki_policy
ALLOWED_NETWORK_RULE_LIST = ('allow_yuki_ips')
COMMENT = 'Network policy for YUKI_APPLICATION user';

CREATE NETWORK rule allow_yuki_ips
MODE = INGRESS
TYPE = IPV4
VALUE_LIST = (WAITING FOR IPS FROM BACKEND)
COMMENT = 'Allow access for YUKI_APPLICATION user from specific IPs';

2. Generate Key-Pair

Yuki authenticates to Snowflake using key-pair authentication (RSA). Run the following commands locally to generate your key pair.

# Generate private key
openssl genrsa -out yuki_snowflake_key.pem 2048

# Extract public key
openssl rsa -in yuki_snowflake_key.pem -pubout -out yuki_snowflake_key.pub

3. Create Yuki Role, Warehouse, and Service User

Create a dedicated role, lightweight warehouse, and service user for Yuki with the required permissions.

Show SQL commands to create Yuki role, warehouse, and service user

-- Create a dedicated role for Yuki
CREATE OR REPLACE ROLE yuki_application_role;

-- Create a small service warehouse (auto-suspends after 60s)
CREATE OR REPLACE WAREHOUSE yuki_service_wh
  WAREHOUSE_SIZE = XSMALL
  AUTO_SUSPEND = 60
  INITIALLY_SUSPENDED = TRUE
  COMMENT = 'Yuki application service warehouse';

-- Assign ownership of the warehouse to the role
GRANT OWNERSHIP ON WAREHOUSE yuki_service_wh TO ROLE yuki_application_role;

-- Create the Yuki service user (key pair auth)
CREATE OR REPLACE USER yuki_application
  COMMENT = 'Yuki application user with key pair authentication'
  RSA_PUBLIC_KEY = ''  -- insert public key here
  TYPE = SERVICE
  DEFAULT_ROLE = yuki_application_role
  DEFAULT_WAREHOUSE = yuki_service_wh;

-- Grant the role to the new user and to ACCOUNTADMIN (for visibility)
GRANT ROLE yuki_application_role TO USER yuki_application;
GRANT ROLE yuki_application_role TO ROLE accountadmin;

-- Permissions required by Yuki
GRANT MONITOR USAGE ON ACCOUNT TO ROLE yuki_application_role;
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE yuki_application_role;
GRANT CREATE WAREHOUSE ON ACCOUNT TO ROLE yuki_application_role;
GRANT MANAGE WAREHOUSES ON ACCOUNT TO ROLE yuki_application_role;
GRANT EXECUTE TASK ON ACCOUNT TO ROLE yuki_application_role;

Create a dedicated database and secure share so Yuki can access metadata.

Show SQL commands for data share setup

DROP SHARE IF EXISTS share_queries_with_yuki;
CREATE OR REPLACE DATABASE yuki_data;
GRANT OWNERSHIP ON DATABASE yuki_data TO ROLE yuki_application_role ;
GRANT OWNERSHIP ON SCHEMA yuki_data.public TO ROLE yuki_application_role;

CREATE SHARE share_queries_with_yuki;

GRANT USAGE ON DATABASE yuki_data TO SHARE share_queries_with_yuki;
GRANT USAGE ON SCHEMA yuki_data.public TO SHARE share_queries_with_yuki;
-- CREATE Additional PROCEDUREs (in wizard)

ALTER SHARE share_queries_with_yuki ADD ACCOUNTS = <Yuki-Account-Locator>; -- <Yuki-Account-Locator> provided in Wizard

5. Snowflake Account Details

Enter the following details in the Yuki app:

Account Identifier
Cloud Provider
Region
Edition
Cost per Snowflake Credit
User, Role, and Private Key

Click Test & Save to verify the connection.

Summary

After completing this guide, Yuki will have:

A secure service user and role
A lightweight warehouse for metadata access
Verified key-pair authentication
Optional network policy for restricted IPs

Next Step

→ Continue to Deploy the Yuki Proxy to complete the setup.

PreviousGetting Started NextDeploy the Yuki Proxy

Last updated 1 month ago