> ## Documentation Index
> Fetch the complete documentation index at: https://arize-ax.mintlify.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Snowflake permissions configuration

> If you aren't directly running the setup script in the Arize UI, this page goes over the permissions necessary to setup the Snowflake connector.

## One-Time Setup

One-time setup for the Arize File Importer Role and Snowflake Warehouse.

<Info>
  Scroll down to the [Dataset Setup](/ax/machine-learning/machine-learning/integrations-ml/snowflake/snowflake-permissions-configuration#dataset-setup) if you've already completed the steps in this section.
</Info>

1. Make sure you're using the `securityadmin` Snowflake role, and create a Snowflake role called `ARIZE_FILE_IMPORTER_ROLE` .

2. Create a Snowflake user called `ARIZE_FILE_IMPORTER`

   1. Set the default role for the user as the `ARIZE_FILE_IMPORTER_ROLE` role

   2. Set the default warehouse for the user as the warehouse that was provisioned for Arize ([see here if you have not done this yet](/ax/machine-learning/machine-learning/integrations-ml/snowflake#step-2-warehouse-onetime-setup))

   3. Set the user type to `SERVICE`

3. Grant the `ARIZE_FILE_IMPORTER_ROLE` role to the `ARIZE_FILE_IMPORTER` user

```bash theme={null}
-- create variables for user / password / role / warehouse / database (needs to be uppercase for objects)
set role_name = 'ARIZE_FILE_IMPORTER_ROLE';
set user_name = 'ARIZE_FILE_IMPORTER';
set warehouse_name = '[PROVISIONED_WAREHOUSE_FOR_ARIZE]';

-- change role to securityadmin for user / role steps
use role securityadmin;

-- create role for arize
create role if not exists identifier($role_name);

-- create  a user for arize
create user if not exists identifier($user_name);
alter user identifier($user_name) set default_role = $role_name;
alter user identifier($user_name) set default_warehouse = $warehouse_name;
alter user identifier($user_name) set type = 'SERVICE';

grant role identifier($role_name) to user identifier($user_name);    
```

4. Set the `RSA_PUBLIC_KEY` for the `ARIZE_FILE_IMPORTER` user

   1. You can find the RSA Public Key in the Arize UI when setting up the Snowflake import job.

```csharp theme={null}
-- set user public key
ALTER USER identifier($user_name) SET RSA_PUBLIC_KEY='[ARIZE_PUBLIC_KEY]';
```

5. Grant the `ARIZE_FILE_IMPORTER_ROLE` role `USAGE` on the warehouse provisioned for Arize.

```java theme={null}
-- grant arize role access to warehouse
grant USAGE
on warehouse identifier($warehouse_name)
to role identifier($role_name);
```

## Dataset Setup

Follow the below steps when configuring access for new tables/schemas for Arize.

<Info>
  You can skip over steps 1 + 2 if you've already done those for the Snowflake database that contains your table/schema.
</Info>

1. Create a Snowflake schema called `arize` in your database if it doesn't already exist.

   1. `CREATE SCHEMA IF NOT EXISTS [DATABASE_NAME].arize;`

2. Create a table within the `arize` schema called `arize_ingestion_keys` with the following columns: `object_name` \[string], `object_type` \[string], `tag_name` \[string], `tag_value` \[string]. This table is used to store the Arize Ingestion Keys. These keys act as challenge keys to prove ownership of Snowflake tables/schemas.

```sql theme={null}
CREATE TABLE IF NOT EXISTS [DATABASE_NAME].arize.arize_ingestion_keys(
    object_name string, 
    object_type string, 
    tag_name string, 
    tag_value string
); 
```

3. Insert a record into the `arize_ingestion_keys` table for the table/schema you want to give Arize access to. The record should contain the Snowflake table/schema name as the `object_name` , `table` or `schema` as the `object_type` , `arize-ingestion-key` as the `tag_name` , and your Arize Ingestion Key (you can find this in the Arize UI when setting up the Snowflake import job) as the `tag_value` .

```sql theme={null}
-- Assign challenge key to table to prove ownership (idempotently)
MERGE INTO [DATABASE_NAME].arize.arize_ingestion_keys t
USING (SELECT
    '[TABLE_NAME]' as object_name,
    'table' as object_type,
    'arize-ingestion-key' as tag_name,
    '[ARIZE_INGESTION_KEY]' as tag_value
) s
ON t.object_name = s.object_name
WHEN MATCHED THEN UPDATE SET tag_value = '[ARIZE_INGESTION_KEY]'
WHEN NOT MATCHED THEN
INSERT VALUES ('[TABLE_NAME]', 'table', 'arize-ingestion-key', '[ARIZE_INGESTION_KEY]');
```

4. Grant the following permissions to the `ARIZE_FILE_IMPORTER_ROLE` :

   1. `USAGE` on the database *(skip this if done previously)*

   2. `USAGE` on the Snowflake schema that contains the table with your data

   3. `SELECT` on the Snowflake table that contains your data

   4. `USAGE` on the `arize` Snowflake schema *(skip this if done previously)*

   5. `SELECT` on the `arize_ingestion_keys` Snowflake table *(skip this if done previously)*

```sql theme={null}
-- Grant permissions to Arize role
set role_name = 'ARIZE_FILE_IMPORTER_ROLE';
set DATABASE_NAME = '[DATABASE_NAME]';

grant USAGE
on database identifier($database_name)
to role identifier($role_name);

grant USAGE
on schema [DATABASE_NAME].[SCHEMA_NAME]
to role identifier($role_name);

grant SELECT
on table [DATABASE_NAME].[SCHEMA_NAME].[TABLE_NAME]
to role identifier($role_name);

grant USAGE
on schema [DATABASE_NAME].arize
to role identifier($role_name);

grant SELECT
on table [DATABASE_NAME].arize.arize_ingestion_keys
to role identifier($role_name);
```

<Info>
  If you are still running into issues with connecting to Snowflake, please check your Snowflake network policy. You may need to whitelist the general [Arize IPs found here](/ax/security-and-settings/whitelisting).
</Info>