Snowflake Integration with Grip Security - Posture (SSPM)


Overview

This guide outlines the integration of Snowflake with Grip Security, enabling Grip Security to deliver insights on Session Settings, Passwords, Authentication, User Provisioning, Role Management, and Network.

Prerequisites

  • An “accountadmin” role in Snowflake

Note.

If you have a network policy, add or update the “allow list” to include Grip IP, so Grip can access and query Snowflake’s database.

US - 18.117.54.181

EU - 99.80.233.188

For more details on adding the IP to the 'Allow list' policy, see Snowflake’s article, 'Controlling network traffic with network policies.'

Once you add the IP, ensure the policy is activated.

We offer two connection options: OAuth and Key Pair Authentication.

Below is how to connect to each method.

Setting Up the OAuth Integration

From the Snowflake admin console, click on the + sign >> SQL Worksheet / File (1).

  • Copy and paste the query below.

Note: Ensure that you fill in the following information within the commands (see the image below).

  • Ensure you have the “accountadmin” role (2)

  • Change the OAUTH_REDIRECT_URI “client_domain_in_portal” (3) to your Grip portal domain.
    For example, if your domain in Grip is acme, your OAUTH_REDIRECT_URI will be https://acme.integrations.grip.security/oauth/callback

USE ROLE accountadmin;
CREATE OR REPLACE SECURITY INTEGRATION GRIP_SSPM_OAUTH
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://client_domain_in_portal.integrations.grip.security/oauth/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  COMMENT = 'OAuth client for Grip SSPM';

  • Click on the “Play” icon to run the command.

  • Paste and run: USE ROLE orgadmin; SELECT CURRENT_WAREHOUSE();

  • Copy the warehouse name (5) to your clipboard; you'll need it for the integration.

Create SSPM role

Copy and paste the query below, but DO NOT run it until you have replaced the required details in command 3 (GRANT ROLE), command 4 (ALTER USER) and command 5 (GRANT USAGE ON WAREHOUSE); see the instructions below.

USE ROLE accountadmin;
CREATE ROLE GRIP_SSPM_ROLE;
GRANT ROLE GRIP_SSPM_ROLE TO USER (enter your user name here);
ALTER USER (enter your user name here) SET DEFAULT_WAREHOUSE = (warehouse_name);
GRANT USAGE ON WAREHOUSE (warehouse_name) TO ROLE GRIP_SSPM_ROLE;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE GRIP_SSPM_ROLE;
GRANT MONITOR ON ACCOUNT TO ROLE GRIP_SSPM_ROLE;

Commands replacement details

  • Line 3 - GRANT ROLE GRIP_SSPM_ROLE TO USER (enter your user name here); the command must contain the Snowflake username with which you are going to create the OAuth integration, not the user’s email address.
    For example, if your user name is marco_pl, the command should be: GRANT ROLE GRIP_SSPM_ROLE TO USER marco_pl;
    To find the Snowflake username, run one of the following commands directly in Snowflake:

    • SELECT CURRENT_USER(); (recommended)

    • SHOW USERS; - Note that this command will fetch all users from the system, and you will need to select your own.
      This username will later be used to consent to the OAuth application.

  • Line 4 - Enter the user name you used for command 3 and the warehouse you will use in command 5: ALTER USER <name> SET DEFAULT_WAREHOUSE = <warehouse>

  • Line 5 - GRANT USAGE ON WAREHOUSE - Enter the warehouse name in the command, for example, if the warehouse name is SSPM_WH, enter: GRANT USAGE ON WAREHOUSE SSPM_WH TO ROLE GRIP_SSPM_ROLE;


Run the Snowflake commands one by one: USE ROLE (6), CREATE ROLE (7), GRANT ROLE (8), ALTER USER (9), GRANT USAGE ON WAREHOUSE (10), then GRANT IMPORTED PRIVILEGES and GRANT MONITOR ON ACCOUNT, as seen in the image below.
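The role created here (and again in Step 3 of the key pair setup below) is meant to hold exactly three grants: USAGE on one warehouse, IMPORTED PRIVILEGES on the shared SNOWFLAKE database, and MONITOR on the account. The following Python script is an added example, not part of Grip's or Snowflake's tooling. It takes rows in the column layout of SHOW GRANTS TO ROLE GRIP_SSPM_ROLE (the sample rows are constructed, not captured from a live account, and the warehouse and account names in them are placeholders) and flags any grant beyond that set, a grant on the wrong warehouse or database, a missing grant, or a grant made WITH GRANT OPTION, so the access level handed to the integration can be re-checked after setup and periodically afterwards.

```python
"""Audit the grants held by the Grip SSPM role against what this guide creates.

Added example; it is not part of Grip's or Snowflake's tooling. Rows are dicts
keyed by the SHOW GRANTS column names (privilege, granted_on, name, grant_option).
The sample rows are constructed, not real output; on a shared database the
IMPORTED PRIVILEGES grant may be listed as USAGE, so both spellings are accepted.
"""
from dataclasses import dataclass

ROLE = "GRIP_SSPM_ROLE"
EXPECTED_OBJECTS = ("WAREHOUSE", "DATABASE", "ACCOUNT")


@dataclass(frozen=True)
class Grant:
    privilege: str
    granted_on: str
    name: str
    grant_option: bool


def parse_show_grants(rows):
    """Normalise SHOW GRANTS rows; grant_option arrives as 'true'/'false' strings."""
    grants = []
    for row in rows:
        grants.append(Grant(
            privilege=row["privilege"].upper(),
            granted_on=row["granted_on"].upper(),
            name=row["name"].upper(),
            grant_option=str(row.get("grant_option", "false")).lower() == "true",
        ))
    return grants


def audit_role_grants(grants, warehouse):
    """Return a list of findings; an empty list means the role matches the guide."""
    findings, seen = [], set()
    warehouse = warehouse.upper()
    for g in grants:
        if g.granted_on == "WAREHOUSE" and g.privilege == "USAGE":
            if g.name != warehouse:
                findings.append(f"USAGE on warehouse {g.name}, expected {warehouse}")
            seen.add("WAREHOUSE")
        elif g.granted_on == "DATABASE" and g.privilege in ("IMPORTED PRIVILEGES", "USAGE"):
            if g.name != "SNOWFLAKE":
                findings.append(f"{g.privilege} on database {g.name}, expected SNOWFLAKE")
            seen.add("DATABASE")
        elif g.granted_on == "ACCOUNT" and g.privilege == "MONITOR":
            seen.add("ACCOUNT")
        else:
            # Anything else is drift: the guide never grants it to this role.
            findings.append(f"unexpected grant: {g.privilege} ON {g.granted_on} {g.name}")
            continue
        if g.grant_option:
            # The guide never uses WITH GRANT OPTION; the role must not re-grant access.
            findings.append(f"grant option set on {g.privilege} ON {g.granted_on} {g.name}")
    for obj in EXPECTED_OBJECTS:
        if obj not in seen:
            findings.append(f"missing grant on {obj}")
    return findings


# Constructed sample in the SHOW GRANTS TO ROLE column layout (not real output).
SAMPLE_ROWS = [
    {"privilege": "USAGE", "granted_on": "WAREHOUSE", "name": "SSPM_WH",
     "granted_to": "ROLE", "grantee_name": ROLE, "grant_option": "false"},
    {"privilege": "IMPORTED PRIVILEGES", "granted_on": "DATABASE", "name": "SNOWFLAKE",
     "granted_to": "ROLE", "grantee_name": ROLE, "grant_option": "false"},
    {"privilege": "MONITOR", "granted_on": "ACCOUNT", "name": "ACME_PLACEHOLDER",
     "granted_to": "ROLE", "grantee_name": ROLE, "grant_option": "false"},
    # Two grants the guide never makes: drift, or a broader role copied by mistake.
    {"privilege": "SELECT", "granted_on": "TABLE", "name": "PROD.PUBLIC.CUSTOMERS",
     "granted_to": "ROLE", "grantee_name": ROLE, "grant_option": "false"},
    {"privilege": "USAGE", "granted_on": "WAREHOUSE", "name": "ETL_WH",
     "granted_to": "ROLE", "grantee_name": ROLE, "grant_option": "true"},
]

if __name__ == "__main__":
    for finding in audit_role_grants(parse_show_grants(SAMPLE_ROWS), "SSPM_WH"):
        print(finding)
```

Run against the first three sample rows the audit returns nothing; the full sample produces three findings (the table grant, the second warehouse, and the grant option). Feeding it real output from SHOW GRANTS TO ROLE GRIP_SSPM_ROLE, exported as rows with those column names, gives the same kind of report for your account.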

Get Snowflake’s information to connect the Grip integration.

To set up the integration, you will need to copy the following details from Snowflake: Client ID, Client Secret, Account ID, Account Domain, and Snowflake User Role.

Get the Client ID, Client Secret, and Role

  • Run the following command (10): SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GRIP_SSPM_OAUTH');

  • After running the command, copy the Client Secret (11) and Client ID (12) to your clipboard.

    Note

    Make sure to copy these exact values from the command output, as they are necessary for configuring the integration in Grip. Ensure they are copied precisely and stored securely.

    • OAUTH_CLIENT_ID

    • OAUTH_CLIENT_SECRET

  • Copy the ROLE (13) you previously created.

Get Snowflake’s Account Identifier (ID) and Account/Server URL.

  • From your user, go to your account >>  View account details (14)

  • Copy the Account Identifier (15) and the Account/Server URL (16).

Connect Snowflake to Grip SaaS Security Posture Management

  • From the Grip portal, go to the Integrations page » search for Snowflake (1)

  • Click on “Connect for Posture Management” (2).

  • Select the OAuth authentication method (3).

  • Fill in the data you collected from Snowflake (4):  Display Name, Client ID, Client Secret, Account ID, Account Domain, and Snowflake User Role

    Note

    For the Role field, enter the exact role you used earlier during OAuth setup — the one with the necessary read permissions (e.g., GRIP_SSPM_ROLE).

    This guarantees the integration uses the correct access level.

  • Click on “Continue.”

  • In the “Connect Snowflake” window, click “Connect” (5) if you have a Snowflake Username and Password.

  • Note that if you are not the Snowflake admin, copy the URL above and send it to the Snowflake admin to complete the registration. Please note that the URL will expire after 1 hour.

  • Sign in to Snowflake (6). ENSURE that the user name you sign in with is the same user that was assigned the role (step 8).

  • Click “Allow” (7).

Once connected, the Snowflake tenant will be visible under Posture Management.

Setting Up the Key Pair Authentication Integration

Step 1 - Get Grip public key

  • From the Grip portal, go to the Integrations page » search for the Snowflake app and click on Connect.

  • Select the Authentication Method: Key Pair Authentication

  • Enter the key Display Name and click on Generate Key.

  • The Public Key will be generated; copy it to your clipboard, as you will need it when configuring the Snowflake SSPM connection.

Once you obtain the public key, proceed with Snowflake configuration. Do not move forward until you have completed the setup in Snowflake. If necessary, you can close this window; the key will be saved, and you can return to editing at any time.

Snowflake configuration

Step 2 - Create a user

Note.

  • This step is optional; you may use an existing one. However, you must ensure that the user you select does not have a Public key associated with it to avoid harming any of your existing integrations.

  • To verify that a user doesn’t have a Public key associated, run the following query:
    DESC USER YOUR_USERNAME
      ->> SELECT "value" FROM $1
          WHERE "property" = 'RSA_PUBLIC_KEY';

The result should resemble the image below. If you do not see null, please create a new user.

Enter the following commands

  • Enter the user name

CREATE USER (enter your new user name here);

  • Find the warehouse

USE ROLE orgadmin; SELECT CURRENT_WAREHOUSE();

Step 3 - Create SSPM role

Copy and paste the query below, but DO NOT run it until you have replaced the required details in command 3 (GRANT ROLE), command 4 (ALTER USER) and command 5 (GRANT USAGE ON WAREHOUSE); see the instructions below.

USE ROLE accountadmin;
CREATE ROLE GRIP_SSPM_ROLE;
GRANT ROLE GRIP_SSPM_ROLE TO USER (enter your user name here);
ALTER USER (enter your user name here) SET DEFAULT_WAREHOUSE = (warehouse_name);
GRANT USAGE ON WAREHOUSE (warehouse_name) TO ROLE GRIP_SSPM_ROLE;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE GRIP_SSPM_ROLE;
GRANT MONITOR ON ACCOUNT TO ROLE GRIP_SSPM_ROLE;
ALTER USER (enter your user name here) SET RSA_PUBLIC_KEY = 'REPLACE WITH YOUR PUBLIC KEY';

Replace the (enter your user name here); (1) and the (warehouse_name) (2) with the user name and warehouse you extracted in the previous steps.
Paste the RSA Public Key REPLACE WITH YOUR PUBLIC KEY (3) you generated from Grip.

See the example below.

Run the command

Note

This is a new user; no password is required, and only the minimum requirements are needed.
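Two of the checks in Steps 2 and 3 can be scripted: the test that an existing user has no RSA_PUBLIC_KEY before it is reused, and, after the ALTER USER ... SET RSA_PUBLIC_KEY command, a comparison of the fingerprint Snowflake reports in the user's RSA_PUBLIC_KEY_FP property with the key generated in the Grip portal. The Python below is an added example, not Grip's or Snowflake's own code. It assumes DESC USER output handed to it as (property, value) pairs and uses the format Snowflake documents for RSA_PUBLIC_KEY_FP ("SHA256:" followed by the base64 of a SHA-256 over the DER-encoded public key); the user rows and the key bytes in it are constructed placeholders, not a real key, and the stand-in user name GRIP_SSPM_USER is an assumption.

```python
"""Key pair checks: is a user free of an RSA key before reuse, and does the
fingerprint Snowflake reports match the key Grip holds?

Added example; not Grip's or Snowflake's own code. Works on (property, value)
pairs in the shape DESC USER returns. RSA_PUBLIC_KEY_FP is "SHA256:" plus the
base64 of SHA-256 over the DER SubjectPublicKeyInfo, which is what
snowflake_fingerprint computes. Rows and key bytes below are constructed.
"""
import base64
import hashlib

NULL_VALUES = (None, "", "null")   # how an unset property shows up in DESC USER output


def user_has_public_key(desc_user_rows):
    """True if DESC USER shows a key in RSA_PUBLIC_KEY (the user must not be reused)."""
    for prop, value in desc_user_rows:
        if prop.upper() == "RSA_PUBLIC_KEY":
            return value not in NULL_VALUES
    return False


def public_key_der(public_key):
    """Accept the key as pasted into ALTER USER (bare base64) or as a PEM block."""
    body = "".join(
        line.strip()
        for line in public_key.strip().splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body)


def snowflake_fingerprint(public_key):
    """SHA256:<base64(sha256(DER))>, the format of the RSA_PUBLIC_KEY_FP property."""
    digest = hashlib.sha256(public_key_der(public_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii")


def fingerprint_matches(desc_user_rows, public_key):
    """Compare the fingerprint Snowflake reports with the key held in Grip."""
    reported = {p.upper(): v for p, v in desc_user_rows}.get("RSA_PUBLIC_KEY_FP")
    return reported not in NULL_VALUES and reported == snowflake_fingerprint(public_key)


# Constructed placeholder: valid base64 shaped like the start of an RSA
# SubjectPublicKeyInfo, NOT a real key. In practice paste the key from the Grip portal.
SAMPLE_PUBLIC_KEY = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
    "0123456789abcdef0123456789abcdef"
)
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n" + SAMPLE_PUBLIC_KEY + "\n-----END PUBLIC KEY-----\n"

# Constructed DESC USER rows for a user before and after the key is set
# (GRIP_SSPM_USER is an assumed name).
DESC_USER_FRESH = [
    ("NAME", "GRIP_SSPM_USER"),
    ("RSA_PUBLIC_KEY", "null"),
    ("RSA_PUBLIC_KEY_FP", "null"),
]
DESC_USER_KEYED = [
    ("NAME", "GRIP_SSPM_USER"),
    ("RSA_PUBLIC_KEY", SAMPLE_PUBLIC_KEY),
    ("RSA_PUBLIC_KEY_FP", snowflake_fingerprint(SAMPLE_PUBLIC_KEY)),
]

if __name__ == "__main__":
    print("fresh user safe to reuse:", not user_has_public_key(DESC_USER_FRESH))
    print("fingerprint matches Grip key:", fingerprint_matches(DESC_USER_KEYED, SAMPLE_PUBLIC_KEY))
```

The same fingerprint can be produced from a PEM file with openssl rsa -pubin -in rsa_key.pub -outform DER | openssl dgst -sha256 -binary | openssl enc -base64, the command Snowflake's key pair documentation gives; if that value, the script's value and the RSA_PUBLIC_KEY_FP shown by DESC USER disagree, the wrong key was pasted or it was altered on the way from the Grip portal.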

Step 4 - Complete the integration connection with Grip

Enter the Account Details

Note, this step can only be completed after finishing the configuration in Snowflake.

  • Navigate to your admin account (1) » Account (2) » View account details (3).

  • Copy the Account Identifier and the Account/Server URL to your clipboard.

Return to Grip portal » Add New Snowflake Tenant window.

  • Do not change the Public key! This key is the one you connected to Snowflake.

  • Fill in the required information below, including the Account Identifier, Account/Server URL, and the Username associated with the public key (the username used for Snowflake configuration).

  • Click on Connect.

Once connected, the Snowflake tenant will be visible under Posture Management.