Snowflake OAuth Integration with Grip Security - Posture (SSPM)


Overview

This guide outlines the integration of Snowflake with Grip Security, enabling Grip Security to deliver insights on Session Settings, Passwords, Authentication, User Provisioning, Role Management, and Network.

Prerequisites

  • An “accountadmin” role in Snowflake

  • You will need to provide Grip with Snowflake’s Account ID, Client ID, Client Secret, Account Domain, and Snowflake User Role (how to collect each of these is explained in this article).

  • To get the above, you will need a Snowflake administrator role.

Note.

If you have a network policy, add or update the “allow list” to include Grip IP, so Grip can access and query Snowflake’s database.

US - 18.117.54.181

EU - 99.80.233.188

For more details on adding the IP to the 'Allow list' policy, see Snowflake’s article, 'Controlling network traffic with network policies.'

Once you add the IP, ensure the policy is activated.
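As an added example (not part of this article or of Grip’s or Snowflake’s own documentation), the statements below create a network policy that allows the two Grip IPs listed above, attach it at the account level, and confirm it is active. The policy name GRIP_SSPM_POLICY and the corporate-range placeholder are assumptions; the Grip IP addresses are the ones given in this article.

```sql
-- Added example: network policy allowing the Grip collector IPs (values from this article).
-- Replace the placeholder with the CIDR ranges your users already connect from:
-- ALLOWED_IP_LIST is the complete list, so leaving them out would block those users.
USE ROLE accountadmin;

CREATE NETWORK POLICY IF NOT EXISTS GRIP_SSPM_POLICY
  ALLOWED_IP_LIST = (
    '18.117.54.181/32',                 -- Grip, US
    '99.80.233.188/32',                 -- Grip, EU
    '{your_existing_corporate_range}'   -- placeholder, e.g. an office or VPN egress range
  )
  COMMENT = 'Allow Grip SSPM collectors plus existing corporate ranges';

-- If you already have a policy, add the Grip IPs to it instead of creating a new one.
-- SET ALLOWED_IP_LIST overwrites the list, so repeat the existing entries as well:
-- ALTER NETWORK POLICY {existing_policy_name}
--   SET ALLOWED_IP_LIST = ('{existing_entries}', '18.117.54.181/32', '99.80.233.188/32');

-- Activate the policy at account level. Snowflake refuses the change if the client IP
-- you are currently connecting from is not in the allowed list, which prevents lock-out.
ALTER ACCOUNT SET NETWORK_POLICY = GRIP_SSPM_POLICY;

-- Confirm the policy is the active account policy and review its contents.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
DESCRIBE NETWORK POLICY GRIP_SSPM_POLICY;
```

If the SHOW PARAMETERS output does not name the policy, it is not active and Grip’s collectors will be blocked regardless of the allow list contents.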

Setting Up the OAuth Integration

From the Snowflake admin console, click the + sign >> SQL Worksheet (1).

  • Copy and paste the following query. Ensure you are using the “accountadmin” role (2), and replace {client_domain_in_portal} (3) with your Grip portal domain.

USE ROLE accountadmin;
CREATE OR REPLACE SECURITY INTEGRATION GRIP_SSPM_OAUTH
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://{client_domain_in_portal}.integrations.grip.security/oauth/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  COMMENT = 'OAuth client for Grip SSPM';

  • Click the “Play” icon to run the command.

Paste and run: USE ROLE orgadmin; SELECT CURRENT_WAREHOUSE()

Copy the warehouse name (5); you will need it during the integration.

Create SSPM role

Copy and paste the query below and follow the instructions beneath it (see the image for assistance).

USE ROLE accountadmin;
CREATE ROLE GRIP_SSPM_ROLE;
GRANT ROLE GRIP_SSPM_ROLE TO USER {username_will_be_used_to_consent_app};
GRANT USAGE ON WAREHOUSE {warehouse_name} TO ROLE GRIP_SSPM_ROLE; 
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE GRIP_SSPM_ROLE;
GRANT MONITOR ON ACCOUNT TO ROLE GRIP_SSPM_ROLE;
  • You will again need “USE ROLE accountadmin” (6).

  • The “CREATE ROLE GRIP_SSPM_ROLE” statement (7) creates a dedicated role that receives only the minimum permissions Grip requires.

  • The USER in “GRANT ROLE GRIP_SSPM_ROLE” (8) must be the same user with whom you intend to create the OAuth integration in Grip.

  • Run the query.

  • Paste the warehouse name (9) you copied in step 5.

  • Run the remaining commands.
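Before moving on to collect the connection details, it is worth confirming that the integration and role match what the two scripts above intend. The following verification queries are an added example, not part of this article or of Grip’s own setup; {warehouse_name} is the same placeholder used in the role script.

```sql
-- Added example: verify the OAuth integration and the SSPM role before connecting Grip.
USE ROLE accountadmin;

-- 1. The OAuth integration exists and is enabled. In the DESCRIBE output, check that
--    OAUTH_REDIRECT_URI points at your Grip portal domain, OAUTH_CLIENT_TYPE is CONFIDENTIAL,
--    and note OAUTH_REFRESH_TOKEN_VALIDITY (how long an issued refresh token stays valid).
SHOW INTEGRATIONS LIKE 'GRIP_SSPM_OAUTH';
DESCRIBE SECURITY INTEGRATION GRIP_SSPM_OAUTH;

-- 2. The role carries exactly the grants from the script and nothing more:
--    USAGE on the warehouse, IMPORTED PRIVILEGES on the SNOWFLAKE database, MONITOR on ACCOUNT.
SHOW GRANTS TO ROLE GRIP_SSPM_ROLE;

-- 3. The role is held only by the user who will consent to the app in Grip (step 8).
SHOW GRANTS OF ROLE GRIP_SSPM_ROLE;

-- 4. Functional check as the new role, run as the user who holds it: the role can use the
--    warehouse and read the shared SNOWFLAKE database that the posture checks query.
USE ROLE GRIP_SSPM_ROLE;
USE WAREHOUSE {warehouse_name};
SELECT COUNT(*) AS active_user_count
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE DELETED_ON IS NULL;
```

If step 4 fails with an insufficient-privileges error, the IMPORTED PRIVILEGES grant or the warehouse USAGE grant did not apply; if step 3 lists additional users, revoke the role from them so that only the consenting user holds it.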

Get Snowflake’s information to connect the Grip integration.

To set up the integration, you will need to copy the following details from Snowflake: Client ID, Client Secret, Account ID, Account Domain, and Snowflake User Role.

Get the Client ID, Client Secret, and Role

  • Run the following command (10): SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GRIP_SSPM_OAUTH');

  • After running the command, copy the Client Secret (11) and Client ID (12) to your clipboard.

  • Copy the ROLE (13) you previously created.

Get Snowflake’s Account Identifier (ID) and Account/Server URL.

  • From your user menu, go to your account >> View account details (14).

  • Copy the Account Identifier (15) and the Account/Server URL (16).

Connect Snowflake to Grip SaaS Security Posture Management.

  • From the Grip portal, go to “Posture” >> “Add Tenant” (1).

  • Click “Snowflake” (2).

  • Fill in the data you collected from Snowflake (3): Display Name, Client ID, Client Secret, Account ID, Account Domain, and Snowflake User Role.

  • Click “Continue.”

  • In the “Connect Snowflake” window, click “Connect” (4) if you have a Snowflake username and password.

  • If you are not the Snowflake admin, copy the URL shown above and send it to the Snowflake admin to complete the registration. Note that the URL expires after 1 hour.

  • Sign in to Snowflake (5). Ensure that the username you sign in with is the same user that was assigned the role (step 8).

  • Click “Allow” (6).

Once the tenant is added, you will be directed to the tenant's page.

Click the tenant to view and filter your policy statuses, assess your security posture, and begin remediating the findings.