# Snowsight

## Overview

This guide explains what capabilities StrongDM can provide for managing access to Snowsight, Snowflake's administrative user interface. It also provides setup and configuration instructions to add Snowsight as a resource in StrongDM and begin using StrongDM to control access for users who wish to access your Snowsight console. StrongDM users are authenticated with Snowsight and granted the level of access that you configure on the Snowsight side.

In addition to access control and auditing, Snowsight access through StrongDM can be a part of a variety of use cases and access control methodologies:

* **Least Privilege**: For Snowsight (Snowflake Web Console) clouds, least privilege can be accomplished by setting up multiple instances of the console as StrongDM resources. Each resource would connect to Snowsight using a different service account with different permissions granted to it.
* **Just-in-Time Access**: StrongDM users are able to use any access workflows you set up to request access to Snowsight, allowing you the choice between granting Just-in-Time (JIT) access with requests, or providing standing access to particular users or roles within your StrongDM organization. For more details, see the [Access Workflows](https://docs.strongdm.com/admin/access/access-workflows) section.

{% hint style="info" %}
To avoid confusion during access requests, if there are multiple Snowsight cloud resources in StrongDM, it may be useful to name them in a way that indicates the level of access, so that users know which resource to request.
{% endhint %}

* **Context-Based Policy**: StrongDM policies that restrict or enable users' ability to connect to Snowsight resources based on their context can be used to limit availability of your Snowsight console to users in particular geographic locations or with good device trust scores. Policies can also be used to provide an MFA challenge prior to connection, and help solve for many more use cases. For more details, see the [Policies](https://docs.strongdm.com/admin/access/policies) section.

{% hint style="info" %}
Note that this is a method by which to set up your Snowsight cloud. If you intend to connect to a specific Snowsight-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.
{% endhint %}

## Limitations

* For the configuration to work, you must be able to connect to your Snowflake interface via SnowSQL. Running the setup through the admin or web interface does not work.
* Due to the limitations of this resource type, StrongDM does not log user interactions after authentication occurs. StrongDM logs activities such as setup or modification of the resource within StrongDM, or authentication of a user to the resource, but StrongDM does not log the queries performed by the user on the resource itself. We recommend the use of the Snowsight [Activity area](https://docs.snowflake.com/en/user-guide/ui-snowsight-activity.html) for logging further interactions with the resource once a user is authenticated.
* Some organization-level behaviors also differ for this resource type:
  * Inactivity timeouts are not enforced.
  * Current connections to resources are not severed instantly when access is revoked.
* StrongDM must be the only identity provider (IdP) configured for authentication to this resource.

## Prerequisites

* In StrongDM, you must have the Admin [permission level](https://docs.strongdm.com/admin/access/permission-level).
* You must have administrator access to your Snowsight environment.
* Before enabling this resource, ensure the Login Name for each Snowflake user (that is, not Username or Email) is set to match a StrongDM email. An email address serves as the ID StrongDM sends to Snowflake to log in a user. The following process disables identity provider (IdP) logins via any other method. Password logins still work.
* We recommend that you reach out to Snowflake support and request that users are not allowed to change their own passwords. Otherwise, once a user logs in to Snowflake via StrongDM, they may change their password and retain access to Snowflake even after their access is revoked in StrongDM.

{% hint style="info" %}
You can use StrongDM to proxy Snowflake SQL connections instead of connecting to Snowflake directly.
{% endhint %}

## Configuration

### Get StrongDM's IdP metadata

StrongDM's IdP metadata is required for creating an integration account with Snowsight.

1. Go to `app.strongdm.com/saml/idp_metadata`. This is a public URL that returns an XML blob. Within this output, note the value of the **X509Certificate**. The value is present twice, and both instances should have the same value.
2. Copy the certificate value. You will need it to create a StrongDM integration account.

### Create a StrongDM integration account

This integration account sets StrongDM information, including the IdP certificate.

1. Note your Snowflake account identifier, which identifies your Snowflake account within your organization, Snowflake-supported cloud platforms, and cloud regions. The account identifier may consist of your Snowflake organization name and account name, in the format `<ORGANIZATION_NAME>-<ACCOUNT_NAME>` (for example, `myorg-account123`). Alternatively, the account identifier may consist of your account locator, region ID, and cloud, and be in the format `<ACCOUNT_LOCATOR>.<CLOUD_REGION_ID>.<CLOUD>` (for example, `xy12345.us-east-2.aws`). The account identifier makes up part of your Snowflake base URL (for example, `https://myorg-account123.snowflakecomputing.com` or `https://xy12345.us-east-2.aws.snowflakecomputing.com`).
2. In SnowSQL, execute the following command, being sure to replace the placeholders with your own values.

   ```sql
   create security integration strongdm_idp
     type = saml2
     enabled = true
     saml2_issuer = 'https://app.strongdm.com/saml/idp_metadata'
     saml2_sso_url = '<ANY_STRING_IN_URL_FORMAT>'
     saml2_provider = 'Custom'
     saml2_x509_cert='<STRONGDM_IDP_X509_CERTIFICATE>'
     saml2_sp_initiated_login_page_label = '<ANY_STRING>'
     saml2_enable_sp_initiated = true
     saml2_force_authn = false
     saml2_requested_nameid_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
     saml2_snowflake_issuer_url = 'https://<ACCOUNT_IDENTIFIER>.snowflakecomputing.com'
     saml2_snowflake_acs_url = 'https://<ACCOUNT_IDENTIFIER>.snowflakecomputing.com/fed/login';
   ```

{% hint style="info" %}
The value of `saml2_sso_url` and `saml2_sp_initiated_login_page_label` can be any URL or string, respectively. Note that the URL entered for `saml2_sso_url` becomes a hot link that users can click when accessing the resource. If clicked, the user is taken away from the resource they intend to access.
{% endhint %}

3. Ensure that the metadata matches your base URL (for example, `https://<ACCOUNT_IDENTIFIER>.snowflakecomputing.com`). If you run into 403 errors when adding Snowsight as a cloud resource, the most likely cause is that the wrong URLs were set in the integration: if the URLs are wrong, Snowflake generates metadata containing an incorrect URL.

### Get the Snowsight metadata XML blob

The Snowsight metadata XML blob allows connection to StrongDM.

1. Run `desc security integration strongdm_idp;` in SnowSQL.
2. Copy the `SAML2_SNOWFLAKE_METADATA` value. You will need it to configure the Snowsight cloud resource.
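An added check for the two metadata blobs gathered above (this script is not part of the original guide or of StrongDM's tooling): it parses the StrongDM IdP metadata and confirms the `X509Certificate` appears with one consistent, base64-DER value, and it compares the `entityID` and ACS URL in the `SAML2_SNOWFLAKE_METADATA` blob against your base URL, the mismatch behind the 403 errors mentioned earlier. Both metadata documents below are constructed samples with a placeholder certificate; in practice, paste in the real blobs from `app.strongdm.com/saml/idp_metadata` and `desc security integration strongdm_idp;`.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for app.strongdm.com/saml/idp_metadata; the certificate appears
# twice, as the guide describes, and "MAMCAQA=" is a placeholder, not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.strongdm.com/saml/idp_metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMCAQA=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the SAML2_SNOWFLAKE_METADATA value shown by
# "desc security integration strongdm_idp;".
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://myorg-account123.snowflakecomputing.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myorg-account123.snowflakecomputing.com/fed/login" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def idp_certificate(idp_metadata_xml: str) -> str:
    """Return the X509Certificate value after checking that every copy agrees."""
    root = ET.fromstring(idp_metadata_xml)
    # Base64 inside XML is often line-wrapped; strip all whitespace before comparing.
    certs = ["".join(el.text.split())
             for el in root.iterfind(".//ds:X509Certificate", NS) if el.text]
    if not certs:
        raise ValueError("no X509Certificate element in IdP metadata")
    if len(set(certs)) != 1:
        raise ValueError("X509Certificate values differ; do not use this metadata")
    der = base64.b64decode(certs[0], validate=True)
    if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("X509Certificate is not base64-encoded DER")
    return certs[0]


def sp_metadata_problems(sp_metadata_xml: str, base_url: str) -> list:
    """List mismatches between the SP metadata and base_url; empty means consistent."""
    base = base_url.rstrip("/")
    expected_acs = base + "/fed/login"  # ACS path set on the security integration
    root = ET.fromstring(sp_metadata_xml)
    problems = []
    entity_id = (root.get("entityID") or "").rstrip("/")
    if entity_id != base:
        problems.append(f"entityID {entity_id} does not match base URL {base}")
    acs_urls = [el.get("Location", "")
                for el in root.iterfind(".//md:AssertionConsumerService", NS)]
    if not acs_urls:
        problems.append("no AssertionConsumerService in SP metadata")
    for url in acs_urls:
        if url != expected_acs:
            problems.append(f"ACS URL {url} is not {expected_acs}")
    return problems


if __name__ == "__main__":
    print("IdP certificate:", idp_certificate(SAMPLE_IDP_METADATA))
    print("SP metadata problems:", sp_metadata_problems(
        SAMPLE_SP_METADATA, "https://myorg-account123.snowflakecomputing.com"))
```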

## Resource Configuration in StrongDM

This section provides instructions for adding the resource with the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

{% tabs %}
{% tab title="Admin UI" %}
**Set up and Manage With the Admin UI**

If using the Admin UI to add the resource to StrongDM, use the following steps.

1. Log in to the Admin UI and go to **Resources** > **Managed Resources**.
2. Click **Add Resource**. Note that there are two types and they have different properties.
3. For **Resource Type**, select **Snowsight (Snowflake Web Console)**.
4. Set all other required [resource properties](#resource-properties).
5. Click **create** to save the resource.
6. Click the resource name to view status, diagnostic information, and setting details. After the resource is created, the Admin UI displays it as unhealthy until the health checks run successfully. When the resource is ready, the **Health** icon indicates a positive, green status.

{% endtab %}

{% tab title="CLI" %}
**Set up and Manage With the CLI**

This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://docs.strongdm.com/references/cli) documentation.

1. In your terminal or Command Prompt, log in to StrongDM:

   ```sh
   sdm login
   ```
2. Run `sdm admin clouds add snowsight --help` to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which [properties](#resource-properties) are required and collect the values for them.

   ```
   NAME:
      sdm admin clouds add snowsight - create Snowsight (Snowflake Web Console) cloud

   USAGE:
      sdm admin clouds add snowsight [command options] <name>

   OPTIONS:
      --bind-interface value        IP address on which to listen for connections to this resource on clients. Specify "default", "loopback", or "vnm" to automatically allocate an available address from the corresponding IP range configured in the organization. (default: "default")
      --connect-to-default-acs      If left unchecked, the first ACS that appears in SAML Metadata will be used.
      --egress-filter value         apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
      --healthcheck_username value  The StrongDM user email to use for healthchecks (required)
      --port-override value         Port on which to listen for connections to this resource on clients. Specify "-1" to automatically allocate an available port. (default: -1)
      --proxy-cluster-id value      proxy cluster id
      --saml-metadata value         The Metadata for your snowflake IDP integration (required, secret)
      --secret-store-id value       secret store id
      --subdomain value             (required)
      --tags value                  tags e.g. 'key=value,...'
      --template, -t                display a JSON template
      --timeout value               set time limit for command
      --tls-required                sdm must use TLS to connect
   ```
3. Then run `sdm admin clouds add snowsight <RESOURCE_NAME>` and set all required properties with their values. For example:

   ```sh
   sdm admin clouds add snowsight "snowsight-prod" \
     --subdomain "snowsight-prod01" \
     --saml-metadata "/etc/strongdm/saml/snowflake_metadata.xml" \
     --healthcheck_username "strongdm-healthcheck@acme.com" \
     --bind-interface "default" \
     --port-override -1 \
     --egress-filter 'field:name tag:env=prod tag:region=us-west' \
     --proxy-cluster-id "plc_0123456789abcdef" \
     --secret-store-id "ss_abcdef0123456789" \
     --tls-required \
     --connect-to-default-acs \
     --tags "env=prod,cloud=snowflake,auth=saml,team=data" \
     --timeout 30
   ```
4. Check that the resource has been added. The output of the following command should show the resource's name:

   ```sh
   sdm admin clouds list
   ```

{% endtab %}

{% tab title="Terraform" %}
**Set up and Manage With Terraform**

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation.

```hcl
# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "16.5.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from the Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Snowsight (Snowflake Web Console) cloud
resource "sdm_resource" "snowsight_prod" {
  snowsight {
    # Required
    name                  = "snowsight-prod"                             # <name>
    subdomain             = "snowsight-prod01"                           # --subdomain
    saml_metadata         = file("/etc/strongdm/saml/snowflake_metadata.xml")  # --saml-metadata (recommended: use secret store)
    healthcheck_username  = "strongdm-healthcheck@acme.com"              # --healthcheck_username

    # Common networking options
    bind_interface  = "default"                                          # --bind-interface ("default" | "loopback" | "vnm")
    port_override   = -1                                                 # --port-override (-1 = auto-allocate)
    egress_filter   = "field:name tag:env=prod tag:region=us-west"       # --egress-filter

    # Optional configuration
    tls_required           = true                                        # --tls-required
    connect_to_default_acs = true                                        # --connect-to-default-acs

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"                            # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"                             # --secret-store-id (recommended for metadata)

    # Tags
    tags = {                                                             # --tags
      env   = "prod"
      cloud = "snowflake"
      auth  = "saml"
      team  = "data"
    }
  }
}
```

{% endtab %}

{% tab title="SDKs" %}
**Set up and Manage With SDKs**

In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples.

| Language | API reference | Repository | Examples |
| -------- | ------------- | ---------- | -------- |
| Go | [pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v16) | [strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go) | [Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples) |
| Java | [javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/) | [strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java) | [Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples) |
| Python | [pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/) | [strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python) | [Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples) |
| Ruby | [RubyDoc](https://www.rubydoc.info/gems/strongdm) | [strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby) | [Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples) |

{% endtab %}
{% endtabs %}

## Resource properties

The **Snowsight (Snowflake Web Console)** cloud type has the following properties.

<table><thead><tr><th width="199.6214599609375">Property</th><th width="130.2073974609375">Requirement</th><th>Description</th></tr></thead><tbody>
<tr><td><strong>Display Name</strong></td><td>Required</td><td>Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (&#x3C; or >)</td></tr>
<tr><td><strong>Datasource Type</strong></td><td>Required</td><td><strong>Snowsight (Snowflake Web Console)</strong></td></tr>
<tr><td><strong>Proxy Cluster</strong></td><td>Required</td><td>Defaults to "None (use gateways)"; if using <a href="../../networking/proxy-clusters">proxy clusters</a>, select the appropriate cluster to proxy traffic to this resource</td></tr>
<tr><td><strong>Connectivity Mode</strong></td><td>Required</td><td>Select either <strong>Virtual Networking Mode</strong>, which lets users connect to the resource with a software-defined, IP-based network, or <strong>Loopback Mode</strong>, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if <a href="../../clients/client-networking/virtual-networking-mode">Virtual Networking Mode</a> and/or <a href="../../clients/client-networking/loopback-ip-ranges">multi-loopback mode</a> is enabled for your organization</td></tr>
<tr><td><strong>IP Address</strong></td><td>Optional</td><td>If <strong>Virtual Networking Mode</strong> is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if <strong>Loopback Mode</strong> is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, <code>127.0.0.1</code>); if not specified, an available IP address in the configured IP address space for the selected connectivity mode is automatically assigned; this field is shown if <a href="../../clients/client-networking/virtual-networking-mode">Virtual Networking Mode</a> and/or <a href="../../clients/client-networking/loopback-ip-ranges">multi-loopback mode</a> is enabled for your organization</td></tr>
<tr><td><strong>Port Override</strong></td><td>Optional</td><td>If <strong>Virtual Networking Mode</strong> is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if <strong>Loopback Mode</strong> is the selected connectivity mode, a port value between 1024 and 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; the preferred port can also be modified later from the <a href="../port-overrides">Port Overrides settings</a></td></tr>
<tr><td><strong>DNS</strong></td><td>Optional</td><td>If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, <code>k8s.my-organization-name</code>) instead of the bind address that includes IP address and port (for example, <code>100.64.100.100:5432</code>)</td></tr>
<tr><td><strong>Subdomain</strong></td><td>Required</td><td>Used as your local DNS address (for example, <code>app-prod1</code> turns into <code>http://app-prod1.&#x3C;your-org-name>.sdm.network/</code>)</td></tr>
<tr><td><strong>Secret Store</strong></td><td>Optional</td><td>Credential store location; defaults to none (credentials are stored in StrongDM resource configuration)</td></tr>
<tr><td><strong>SAML Metadata</strong></td><td>Required</td><td>Metadata XML blob from your Snowflake IdP integration</td></tr>
<tr><td><strong>Connect to the Default ACS</strong></td><td>Optional</td><td>For orgs that have multiple ACSs in their SAML metadata, StrongDM's default behavior is to connect to the first one; check this to indicate in the metadata which should be the default</td></tr>
<tr><td><strong>Healthcheck Username</strong></td><td>Required</td><td>In order for healthchecks to be successful, must be the email of a StrongDM user who has access to this resource, and must also match your Snowflake Login Name (that is, not Username or Email)</td></tr>
<tr><td><strong>Use HTTPS</strong></td><td>Optional</td><td>Enabled by default; when enabled, StrongDM uses HTTPS for the connection</td></tr>
<tr><td><strong>Resource Tags</strong></td><td>Optional</td><td>Datasource <a data-mention href="https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli/tags">Tags</a> consisting of key-value pairs <code>&#x3C;KEY>=&#x3C;VALUE></code> (for example, <code>env=dev</code>)</td></tr>
</tbody></table>

{% hint style="info" %}
Depending on the web browser, users that connect to Snowsight via StrongDM may see a **Continue** button during connection. They must click this button to continue.
{% endhint %}

{% hint style="info" %}
After configuration is complete, you can access a Snowsight resource using StrongDM. Note that when you do, you must use the Snowsight web interface, not the Snowflake classic web interface. You cannot switch to the Snowflake classic web interface.

Moreover, the first time that you access this resource, you may be presented with an option to use either Snowsight or the Snowflake classic web interface. You must choose Snowsight or else you won't be able to switch to Snowsight later without admin help.
{% endhint %}

## Logs

In the **Cloud logs** section of the Admin UI (**Logs** > **Cloud**), you can find all of the activities of the users who accessed the Snowsight resource. StrongDM attempts to drop the Authorization header from logs before displaying them in the Admin UI, and any secrets that do appear in the cloud logs are placeholder values. No actual keys or secrets are ever exposed in plaintext in the Admin UI.

## CLI Usage

When the resource is created and configured, you are ready for users to connect to the resource. In order for your organization's users to access the Snowsight cloud resource via StrongDM, users need to install the following:

* The StrongDM Desktop application
* The latest version of the StrongDM CLI. If the CLI is already installed, you can run `sdm update` in the CLI to update it. Alternatively, if any updates are available, you can open the desktop app and click the **Upgrade** button.
* The `snow` command-line tool

After installation, users must exit and restart the desktop app, and then select the Snowsight cloud resource to connect to.

Click to connect to the resource in the desktop app, or run `sdm connect <RESOURCE>` in the CLI.

