Configuring Snowflake for Cloud Connected

Overview

In a Cloud Connected deployment of Panther, your organization owns the Snowflake account and the AWS account in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades of the platform.

You must start with a new or empty Snowflake account. Panther does not support using Panther-managed Snowflake accounts with Cloud Connected deployments.

This page explains how to configure a Snowflake account for your deployment of Panther, and how to connect your credentials to your AWS account.

Panther features requiring Snowflake Enterprise or higher

In order to use the following Panther features, you must be using the Enterprise Edition of Snowflake or higher:

How to create a new Snowflake account for Panther

Step 1: Create account and role

  1. Create a new, dedicated Snowflake account for Panther using the example template below.

    • To minimize latency, your Panther deployment and Snowflake instance should reside in the same AWS region.

      USE ROLE ORGADMIN;
      CREATE ACCOUNT <YOUR_PANTHER_ACCOUNT_NAME> -- the account name is at your discretion, but we recommend your Panther account name
        ADMIN_NAME = <YOUR_ADMIN_NAME>
        ADMIN_PASSWORD = '<YOUR ADMIN PASSWORD>' -- we recommend at least 32 characters
        EMAIL = '<your snowflake DBA email>'
        MUST_CHANGE_PASSWORD = FALSE
        EDITION = <YOUR_EDITION> -- STANDARD, ENTERPRISE or BUSINESS_CRITICAL
        REGION = <YOUR_REGION> -- e.g. aws_us_west_2
        COMMENT = 'Panther Snowflake BYOSF Production Environment';
  2. In the new account, create a Panther Account Administrator user and grant it administrative privileges using the following commands:

    USE ROLE SECURITYADMIN;
    CREATE USER IF NOT EXISTS pantheraccountadmin password='<panther_credential>';
    
    GRANT ROLE SYSADMIN
       TO USER pantheraccountadmin;
       
    GRANT ROLE SECURITYADMIN
       TO USER pantheraccountadmin;
    
    GRANT ROLE ACCOUNTADMIN
       TO USER pantheraccountadmin;
       
    ALTER USER pantheraccountadmin SET DEFAULT_ROLE = SYSADMIN;
  3. Note the Snowflake Account URL and save it in a secure location. You will need it in the next steps.

    • The URL will be in this format: <org-name>-<account-name>.snowflakecomputing.com

Step 2: Connect credentials to the AWS account Panther is in

  • Follow the instructions on Using Pre-Deployment Tools to connect your Snowflake credentials.

    • This process ensures the credentials will not leave the AWS environment or be read by a Panther employee.

    • You will need your Snowflake Account URL and ADMIN_PASSWORD from the previous steps.

Creating read-only roles for Panther data tables

Panther maintains the PANTHERACCOUNTADMIN user credentials in a secure location.

If you would like to create and maintain several users with read-only access to the Panther data lake tables, you can use the PANTHERACCOUNTADMIN user or another SECURITYADMIN-enabled user on your Snowflake account to run the following commands:

USE ROLE SECURITYADMIN;

-- If needed, create a new user
CREATE USER IF NOT EXISTS my_readonly_user
    PASSWORD = '<INITIAL PASSWORD>'
    MUST_CHANGE_PASSWORD = TRUE;

-- Grant the PANTHER_READONLY_ROLE to the newly created user
GRANT ROLE PANTHER_READONLY_ROLE TO USER my_readonly_user;

Disabling and Re-enabling the Panther Account Admin User (Optional)

Disabling the PANTHERACCOUNTADMIN user may prevent Panther from being able to:

If you choose to disable the PANTHERACCOUNTADMIN user despite the implications above, you may do so using the following commands:

USE ROLE SECURITYADMIN;

ALTER USER PANTHERACCOUNTADMIN SET DISABLED = TRUE;

If a Panther upgrade requires privileged access, the user can then be temporarily re-enabled:

USE ROLE SECURITYADMIN;

ALTER USER PANTHERACCOUNTADMIN SET DISABLED = FALSE;
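
After disabling or re-enabling the user, the state of this privileged account can be checked from Snowflake itself. The queries below are an added example, not part of Panther's documentation: they confirm whether PANTHERACCOUNTADMIN is disabled, list the roles granted to it, and review its recent logins. The 30-day window and the use of ACCOUNTADMIN to read the ACCOUNT_USAGE view are assumptions; adjust them to your own retention and role setup.

```sql
-- Added example: verification queries for the PANTHERACCOUNTADMIN user.
USE ROLE SECURITYADMIN;

-- 1. Current state of the user. After an upgrade window closes,
--    "disabled" should read true again if you chose to disable the user.
SHOW USERS LIKE 'PANTHERACCOUNTADMIN';
SELECT "name", "disabled", "default_role", "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- 2. Roles granted directly to the user. The setup steps on this page
--    grant SYSADMIN, SECURITYADMIN and ACCOUNTADMIN; anything else
--    listed here was added later and should be explained.
SHOW GRANTS TO USER PANTHERACCOUNTADMIN;
SELECT "role", "granted_by", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
ORDER BY "created_on";

-- 3. Login attempts by the user over the last 30 days (assumed window).
--    ACCOUNT_USAGE views lag behind real time, so very recent logins
--    may not appear yet.
USE ROLE ACCOUNTADMIN;
SELECT event_timestamp,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       is_success,
       error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'PANTHERACCOUNTADMIN'
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Logins that fall outside a known upgrade window, or that come from a client IP you do not recognize, are the rows to follow up on.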
