Onboard a Snowflake App to SSPM

Connect a Snowflake App instance to SSPM to detect posture risks.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • SaaS Security Posture Management license
  Or any of the following licenses that include the Data Security license:
  • CASB-X
  • CASB-PA
For SSPM to detect posture risks in your Snowflake instance, you must onboard your Snowflake instance to SSPM. Through the onboarding process, SSPM connects to a Snowflake SDK to scan your Snowflake instance for misconfigured settings. If there are misconfigured settings, SSPM suggests a remediation action based on best practices. SSPM also connects to a Snowflake API to run identity scans for account risks.
SSPM gets access to your Snowflake instance through Programmatic Access Token (PAT) authorization. To enable PAT authorization, you run an SQL script in Snowflake that creates a custom role with the permissions that SSPM requires to run scans. The SQL script also configures network guardrails, provisions a dedicated service user, and generates a PAT token.
During onboarding, you will provide SSPM with the following information.
| Item | Description |
| --- | --- |
| Account Locator As An Identifier | The unique, system-generated alphanumeric identifier assigned by Snowflake to your specific account instance. |
| Service User PAT | A secure, long-lived Programmatic Access Token for a dedicated service user account. You will create an SQL script to generate this token, which SSPM will use to securely connect to your Snowflake instance. |
As you complete the following steps, make note of the values of the items described in the preceding table. You will need to enter these values during onboarding to access your Snowflake instance from SSPM.
  1. Identify the Snowflake administrator account that you will use to run your SQL script.
    Required Permissions: The account that you will use must be assigned to the ACCOUNTADMIN role.
    To verify that the account is assigned to the necessary roles, complete the following steps:
    1. From the left navigation pane in Snowflake, select Admin > Users & Roles.
    2. Select the name of the user whose roles you want to verify.
    3. On the information page for the user, locate the Granted Roles section. Verify that the user is assigned to the ACCOUNTADMIN role. If the user isn’t assigned to this role, you can Grant Role.
  2. Create an SQL file to generate the Account Locator and Service User PAT.
    When you later onboard Snowflake to SSPM, you will supply SSPM with the Account Locator As An Identifier and the Service User PAT. In this step, you will create a new query file to run a series of SQL statements that will provision a secure service user, apply custom security roles, and establish the network guardrails required for SSPM to authenticate safely.
    1. Open a web browser to the Snowflake login page, and log in to the administrator account you identified earlier.
    2. From the left-hand navigation pane on the Snowflake home page, select Projects > Workspaces.
    3. From the left-hand navigation pane on the Workspaces page, select + Add new > SQL file.
    4. Use the dropdown menus in the top-right corner of the query editor to select the ACCOUNTADMIN role, an active virtual warehouse, and the database (and associated schema) where the network rules will be created.
    5. Paste the following SQL statements into the query editor, and replace the following variables with information specific to your Snowflake environment.
      1. Replace all occurrences of <warehouse_name> and <custom_role_name> with names for the new warehouse and custom role.
      2. Replace <network_rule_name> and <network_policy_name> with names for your network guardrails.
      3. Replace <ip_address_1>, <ip_address_2> and so on with the allowed IP addresses to whitelist ingress traffic. To ensure that SSPM can run its scans, make sure you whitelist the SSPM IP addresses required for your region.
      4. Replace all occurrences of <username> with the name you want to give to the new service user, and replace <pat_name> with a name for your Programmatic Access Token.
    // ============================================================================
    // 1. COMPUTE & SECURITY ROLE SETUP
    // ============================================================================

    // Create a minimum-size warehouse and custom role
    CREATE OR REPLACE WAREHOUSE <warehouse_name>
      WITH WAREHOUSE_TYPE = STANDARD
      GENERATION = '1'
      WAREHOUSE_SIZE = XSMALL
      AUTO_SUSPEND = 30
      AUTO_RESUME = TRUE
      INITIALLY_SUSPENDED = TRUE;

    // Create a custom role with all the required permissions
    CREATE OR REPLACE ROLE <custom_role_name>;
    GRANT USAGE ON WAREHOUSE <warehouse_name> TO ROLE <custom_role_name>;        -- To resume the warehouse and run SQL queries
    GRANT MONITOR ON ACCOUNT TO ROLE <custom_role_name>;                         -- To view account parameters, security integrations, and account-level policy references
    GRANT APPLY PASSWORD POLICY ON ACCOUNT TO ROLE <custom_role_name>;           -- To view password policy descriptions and configurations
    GRANT APPLY AUTHENTICATION POLICY ON ACCOUNT TO ROLE <custom_role_name>;     -- To view authentication policy descriptions and configurations
    GRANT APPLY SESSION POLICY ON ACCOUNT TO ROLE <custom_role_name>;            -- To view session policy descriptions and configurations
    GRANT DATABASE ROLE SNOWFLAKE.SECURITY_VIEWER TO ROLE <custom_role_name>;    -- To view all user directories and identity mapping details

    // ============================================================================
    // 2. NETWORK GUARDRAILS CONFIGURATION
    // ============================================================================

    // Create a network rule to whitelist ingress traffic
    CREATE OR REPLACE NETWORK RULE <network_rule_name>
      MODE = INGRESS
      TYPE = IPV4
      VALUE_LIST = ('<ip_address_1>', '<ip_address_2>');

    // Create a network policy to allow the above network rule
    CREATE OR REPLACE NETWORK POLICY <network_policy_name>
      ALLOWED_NETWORK_RULE_LIST = ('<network_rule_name>');

    // ============================================================================
    // 3. SERVICE USER PROVISIONING
    // ============================================================================

    // Create a new service user bound to our security profiles
    CREATE OR REPLACE USER <username>
      TYPE = SERVICE
      DEFAULT_WAREHOUSE = <warehouse_name>
      DEFAULT_ROLE = <custom_role_name>
      NETWORK_POLICY = <network_policy_name>;

    // Assign the custom role to the new service user
    GRANT ROLE <custom_role_name> TO USER <username>;

    // ============================================================================
    // 4. METADATA EXTRACTION & AUTHENTICATION TOKEN GENERATION
    // ============================================================================
    EXECUTE IMMEDIATE $$
    DECLARE
      account_locator STRING;
      pat_secret STRING;
      rs RESULTSET;
    BEGIN
      -- 1. Grab Account Locator safely across cloud providers
      SELECT UPPER(REPLACE(t.value:host::string, '.snowflakecomputing.com', ''))
        INTO :account_locator
        FROM TABLE(FLATTEN(INPUT => PARSE_JSON(SYSTEM$ALLOWLIST()))) t
        WHERE t.value:type = 'SNOWFLAKE_DEPLOYMENT';

      -- 2. Generate the Programmatic Access Token (PAT) for the user
      EXECUTE IMMEDIATE '
        ALTER USER IF EXISTS <username>
          ADD PAT <pat_name>
          ROLE_RESTRICTION = ''<custom_role_name>''
          DAYS_TO_EXPIRY = 365
      ';

      -- 3. Extract the freshly generated secret from the metadata stream
      SELECT $2::STRING INTO :pat_secret FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

      -- 4. Package credentials into a clean relational array for the onboarding UI/API
      rs := (
        SELECT 'Account Locator As An Identifier' AS ATTRIBUTE, :account_locator AS VALUE
        UNION ALL
        SELECT 'Service User PAT', :pat_secret
      );
      RETURN TABLE(rs);
    END;
    $$;
  3. Execute the SQL statements and copy the information that SSPM requires for onboarding.
    1. Click the run button in the upper-left corner of the query editor to execute the SQL statements.
      Snowflake will create the warehouse, custom role, network guardrails, service user, and authentication token. In the Results area of the query editor, Snowflake displays your Account Locator As An Identifier and Service User PAT.
    2. Copy the Account Locator As An Identifier and Service User PAT and paste them into a text file.
      Don't continue to the next step unless you have copied your Account Locator As An Identifier and Service User PAT. You will provide this information to SSPM during the onboarding process.
  4. Connect SSPM to your Snowflake instance.
    In SSPM, complete the following steps to enable SSPM to connect to your Snowflake instance.
    1. Log in to Strata Cloud Manager.
    2. Select Configuration > SaaS Security > Posture Security > Applications > Add Application and click the Snowflake tile.
    3. On the Posture Security tab, select Add New instance.
    4. Select Log in with Credentials.
    5. Enter your Account Locator As An Identifier and Service User PAT.
    6. Click Connect.
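Before pasting the script from step 2 into the Snowflake query editor, it is worth checking that every placeholder has been replaced and that the network rule's VALUE_LIST really narrows ingress to the SSPM addresses for your region. The following Python pre-flight check is an added example; it is not part of the Palo Alto Networks documentation or of the Snowflake script itself. The TEMPLATE is a constructed excerpt of the page's script, and the helper names (render, leftover_placeholders, allowlist_entries, check_allowlist, preflight) are ours.

```python
"""Pre-flight check for the SSPM onboarding script (added example, not from the
page or the product). It renders the <placeholder> variables from step 2.5 and
then verifies that (a) no placeholder was left behind, (b) each VALUE_LIST entry
is a well-formed IPv4 address or CIDR block, and (c) the allow list is not a
blanket 0.0.0.0/0, which would make the network guardrail meaningless."""
import ipaddress
import re

# Constructed excerpt of the network-guardrail and service-user sections of the script.
TEMPLATE = """
CREATE OR REPLACE NETWORK RULE <network_rule_name>
  MODE = INGRESS
  TYPE = IPV4
  VALUE_LIST = ('<ip_address_1>', '<ip_address_2>');
CREATE OR REPLACE NETWORK POLICY <network_policy_name>
  ALLOWED_NETWORK_RULE_LIST = ('<network_rule_name>');
CREATE OR REPLACE USER <username>
  TYPE = SERVICE
  DEFAULT_ROLE = <custom_role_name>
  NETWORK_POLICY = <network_policy_name>;
"""

PLACEHOLDER = re.compile(r"<([a-z0-9_]+)>")
VALUE_LIST = re.compile(r"VALUE_LIST\s*=\s*\(([^)]*)\)", re.IGNORECASE)


def render(template: str, values: dict) -> str:
    """Replace every <name> placeholder that has a value; leave unknown ones intact."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def leftover_placeholders(sql: str) -> list:
    """Placeholders that were not replaced, in order of first appearance."""
    seen = []
    for name in PLACEHOLDER.findall(sql):
        if name not in seen:
            seen.append(name)
    return seen


def allowlist_entries(sql: str) -> list:
    """The quoted entries of every VALUE_LIST clause in the script."""
    entries = []
    for body in VALUE_LIST.findall(sql):
        entries.extend(e.strip().strip("'") for e in body.split(",") if e.strip())
    return entries


def check_allowlist(entries: list) -> list:
    """Return a list of findings; an empty list means the allow list passes."""
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry!r} is not a valid IPv4 address or CIDR block")
            continue
        if net.version != 4:
            findings.append(f"{entry!r} is not IPv4, but the rule is TYPE = IPV4")
        elif net.prefixlen == 0:  # 0.0.0.0/0 admits every source address
            findings.append(f"{entry!r} allows every source; the guardrail does nothing")
    return findings


def preflight(template: str, values: dict) -> dict:
    """Render the script and run all checks; 'ok' is True only when nothing was found."""
    sql = render(template, values)
    missing = leftover_placeholders(sql)
    findings = check_allowlist(allowlist_entries(sql))
    return {"sql": sql, "missing": missing, "findings": findings,
            "ok": not missing and not findings}


if __name__ == "__main__":
    # Constructed sample values; the IP addresses are documentation ranges, not SSPM's.
    sample = {"network_rule_name": "sspm_rule", "network_policy_name": "sspm_policy",
              "ip_address_1": "203.0.113.10", "ip_address_2": "198.51.100.0/24",
              "username": "sspm_svc", "custom_role_name": "sspm_role"}
    report = preflight(TEMPLATE, sample)
    print("ok" if report["ok"] else f"missing={report['missing']} findings={report['findings']}")
```

Run the check against the full script by loading it from a file into TEMPLATE; the regexes only look for `<name>` tokens and VALUE_LIST clauses, so the rest of the script passes through untouched.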

Snowflake Credit Consumption Estimates

Review estimated virtual warehouse credit consumption models for automated SSPM scans based on configuration and identity tracking intervals.
SSPM scans your Snowflake application instance by running SQL queries through the dedicated virtual warehouse created during setup. Because Snowflake charges for compute resources based on virtual warehouse execution time, SSPM scans will incur additional credit consumption.
The configuration script provisions a cost-efficient XSMALL virtual warehouse. Snowflake scales credit consumption by warehouse size, with an XSMALL warehouse consuming exactly 1 credit per hour (as of June 2026). The script configures this warehouse to automatically suspend after 30 seconds of inactivity. While Snowflake calculates active compute usage by the second, it enforces a 60-second minimum credit charge every time a suspended warehouse starts.
To estimate total credit consumption, calculate the daily uptime for both configuration and identity scans, and then add them together to find your total daily warehouse activity. Use the following baseline formula for each scan type:
Daily Scan Uptime (Hours) = (max(Scan Time + 30 s Suspend Time, 60 s) / 3600 s) × (24 h / Scan Interval)
The total daily credit consumption is calculated as follows:
  • Daily Configuration Scan Uptime = The result of the baseline formula using your configuration scan runtime and configured scan interval.
    The configured scan interval appears on the settings page for your application instance in SSPM. To view the settings, from the details page for your Snowflake instance, click the settings icon (gear icon) in the upper-right corner of the page.
  • Daily Identity Scan Uptime = The result of the baseline formula using your identity scan runtime and scan interval (typically 6 hours). The scan runtime will depend on the number of user identities to scan.
  • Daily Warehouse Uptime = Daily Configuration Scan Uptime + Daily Identity Scan Uptime.
| Scenario | Daily Configuration Scan Uptime | Daily Identity Scan Uptime | Daily Warehouse Uptime | Daily Credits | Monthly Credits (30 Days) |
| --- | --- | --- | --- | --- | --- |
| Worst-case | 0.25 h interval, 20 s run (+30 s suspend)* = 1.6 h | 6 h interval, 100 s run to scan 10k users (+30 s suspend) = 0.144 h | 1.6 h + 0.144 h = 1.744 hours | 1.744 | 52.32 |
| Best-case | 24 h interval, 10 s run (+30 s suspend)* = 0.017 h | 6 h interval, 10 s run to scan 1k users (+30 s suspend)* = 0.067 h | 0.017 h + 0.067 h = 0.084 hours | 0.084 | 2.52 |
* This runtime falls below 60 seconds when combined with the 30-second auto-suspend delay. The daily uptime calculation applies the mandatory 60-second Snowflake warehouse execution minimum for these tracking periods.
To determine the actual monetary cost of these scans, multiply the estimated monthly credits by your organization's specific Snowflake contract credit rate.
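The baseline formula and the two table rows above, carried through in Python as an added example (not code from the Palo Alto Networks documentation). It applies the 60-second minimum charge whenever run time plus the 30-second suspend window falls short of it, and it rounds each daily uptime to three decimals before summing, which is the convention the table follows (the unrounded best case would be 2.5 monthly credits rather than 2.52). The constants and function names are ours; the optional credit_rate argument is a hypothetical contract rate you supply.

```python
"""Worked credit-consumption estimate for SSPM scans of a Snowflake instance
(added example, not from the page or the product). Constants come from the
page: XSMALL = 1 credit/hour, AUTO_SUSPEND = 30 s, 60 s minimum per start."""

CREDITS_PER_HOUR_XSMALL = 1.0   # page: XSMALL warehouse consumes 1 credit per hour
AUTO_SUSPEND_SECONDS = 30       # page: AUTO_SUSPEND = 30 in the provisioning script
MINIMUM_BILLED_SECONDS = 60     # page: 60-second minimum charge per warehouse start
IDENTITY_INTERVAL_HOURS = 6.0   # page: identity scans typically run every 6 hours


def billed_seconds_per_scan(scan_seconds: float) -> float:
    """Seconds billed for one scan: run time plus the idle window before suspend,
    raised to the 60-second minimum because each scan starts a suspended warehouse."""
    return max(scan_seconds + AUTO_SUSPEND_SECONDS, MINIMUM_BILLED_SECONDS)


def daily_scan_uptime_hours(scan_seconds: float, interval_hours: float) -> float:
    """Daily Scan Uptime (Hours) = (max(scan + 30 s, 60 s) / 3600 s) x (24 h / interval)."""
    scans_per_day = 24.0 / interval_hours
    return billed_seconds_per_scan(scan_seconds) / 3600.0 * scans_per_day


def estimate(config_scan_seconds: float, config_interval_hours: float,
             identity_scan_seconds: float,
             identity_interval_hours: float = IDENTITY_INTERVAL_HOURS,
             credit_rate: float = None, days: int = 30) -> dict:
    """Daily and monthly uptime and credits, rounded the way the page's table is;
    monthly_cost is added only when a contract credit rate (hypothetical) is given."""
    config = round(daily_scan_uptime_hours(config_scan_seconds, config_interval_hours), 3)
    identity = round(daily_scan_uptime_hours(identity_scan_seconds, identity_interval_hours), 3)
    daily_hours = round(config + identity, 3)
    daily_credits = round(daily_hours * CREDITS_PER_HOUR_XSMALL, 3)
    result = {
        "config_uptime_h": config,
        "identity_uptime_h": identity,
        "daily_uptime_h": daily_hours,
        "daily_credits": daily_credits,
        "monthly_credits": round(daily_credits * days, 2),
    }
    if credit_rate is not None:
        result["monthly_cost"] = round(daily_credits * days * credit_rate, 2)
    return result


if __name__ == "__main__":
    # Worst-case row: 20 s config scans every 15 minutes, 100 s identity scans every 6 h.
    print("worst-case", estimate(20, 0.25, 100))
    # Best-case row: one 10 s config scan per day, 10 s identity scans every 6 h.
    print("best-case", estimate(10, 24, 10))
```

Shortening the configuration scan interval is what dominates the estimate: at 15-minute intervals the 60-second minimum is charged 96 times a day regardless of how fast the scan itself finishes.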