Skip to main content

Snowflake Technical Integration Details

Robby Dunigan avatar
Written by Robby Dunigan
Updated over 2 weeks ago

Overview

Integrating Snowflake and MaestroQA allows for customers to export data from MaestroQA and import data into MaestroQA.

To do this you will need to be an Admin in MaestroQA with access to the Integrations page. Then underneath the Data Export locate Snowflake:

For information on what can be exported to Snowflake, check this Data Dictionary. For information on the data ingestion process, check this Help Article.


Setup Steps

1. Securing Database Access

Before creating database objects, you'll need to allow MaestroQA's IP addresses to connect to your Snowflake instance.

List of IPs to allow will be visible in the first step of the Snowflake integration process but if you are unable to locate them contact your main POC at MaestroQA.

Important: Without proper network access configuration, the connection will fail even with correct credentials.

2. Create Database and Schema

First, create a dedicated database for MaestroQA data (or skip this step if using an existing database):

CREATE DATABASE MAESTRO_DB;

Create a schema within the database:

CREATE SCHEMA MAESTRO;

3. Create Service User

Create the MaestroQA service user and configure RSA key authentication:

CREATE USER MAESTRO_USER; ALTER USER MAESTRO_USER SET RSA_PUBLIC_KEY='<MAESTROQA_PUBLIC_KEY>';

MaestroQA's Public Key is accessible in the second step of the Snowflake Integration process else if you are unable to locate it there, reach out to your main POC at Maestro!

4. Configure Role and Permissions

Create a role for MaestroQA operations:

CREATE ROLE MAESTRO_ROLE;

Grant the necessary permissions:

CREATE ROLE MAESTRO_ROLE;
REVOKE ALL PRIVILEGES ON DATABASE MAESTRO_DB FROM MAESTRO_ROLE;
GRANT USAGE ON DATABASE MAESTRO_DB TO MAESTRO_ROLE;
GRANT USAGE ON WAREHOUSE <your_warehouse_name> TO MAESTRO_ROLE;
GRANT ROLE MAESTRO_ROLE TO USER MAESTRO_USER;
GRANT ALL ON SCHEMA maestro TO MAESTRO_ROLE;
GRANT OWNERSHIP ON SCHEMA maestro TO ROLE MAESTRO_ROLE;
-- the below operation is only needed if you don't have "auto resume" enabled on the warehouse
GRANT OPERATE ON WAREHOUSE <your_warehouse_name> TO MAESTRO_ROLE;

Important Notes

  • Warehouse Name: Replace <your_warehouse_name> with your actual Snowflake warehouse name

  • Auto-Resume: The GRANT OPERATE command is only needed if your warehouse doesn't have auto-resume enabled

  • Security: Contact your MaestroQA implementation team for the current RSA public key

Next Steps

After completing this setup, you'll need to configure the MaestroQA connection using these values:

Connection Configuration

When filling out the MaestroQA Snowflake connection form, use these values from your setup:

Field

Value

Account

Your Snowflake account identifier

Cloud Region ID

Your Snowflake region (e.g., us-east-1, eu-west-1)

User

MAESTRO_USER

Warehouse

<your_warehouse_name> (the warehouse you granted access to)

Database

MAESTRO_DB

Schema

MAESTRO

User Role

MAESTRO_ROLE

Final Steps

  1. Ensure MaestroQA has provided you with their current RSA public key

  2. Enter the connection details in MaestroQA's interface

  3. Test the connection to verify everything is working correctly


Troubleshooting

Common Issues That Cause Connection Failures

Case Sensitivity Problems:

  • Snowflake object names are case-sensitive when quoted, case-insensitive when unquoted

  • Our commands create unquoted objects (stored as UPPERCASE)

  • If the connection form is case-sensitive, use: MAESTRO_USER, MAESTRO_DB, MAESTRO, MAESTRO_ROLE

Account Identifier Format:

  • Use format: account_name.region or orgname-account_name

  • Don't include: https://, .snowflakecomputing.com, or other URL components

  • Example: abc12345.us-east-1 not https://abc12345.us-east-1.snowflakecomputing.com

Warehouse Issues:

  • Warehouse must be running or have auto-resume enabled

  • User needs USAGE permission (granted in setup)

  • If auto-resume is disabled, user needs OPERATE permission (conditional in our setup)

Network Access:

  • Check if all IPs are being whitelisted

  • Network policies apply at account level and can override other permissions

  • VPN/proxy configurations may require additional IP ranges

Role Assignment:

  • The user's default role might not be MAESTRO_ROLE

  • Connection may need to explicitly specify the role

  • Role inheritance can cause unexpected permission issues

Did this answer your question?