Overview
This guide outlines the integration of Snowflake with Grip Security, enabling Grip Security to deliver insights on Session Settings, Passwords, Authentication, User Provisioning, Role Management, and Network.
Prerequisites
An “accountadmin” role in Snowflake
You will need to provide Grip with Snowflake’s Account ID, Client ID, Client secret, Account domain, and Snowflake user role (explained in this article).
To get the above, you will need a Snowflake administrator role.
Note.
If you have a network policy, add or update the “allow list” to include the Grip IP for your region, so Grip can access and query Snowflake’s database.
US - 18.117.54.181
EU - 99.80.233.188
For more details on adding the IP to the 'Allow list' policy, see Snowflake’s article, 'Controlling network traffic with network policies.'
Once you add the IP, ensure the policy is activated.
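The statements below are an added example, not part of Grip's or Snowflake's documentation, showing one way to add the US Grip IP to an existing policy and confirm the policy is active. The policy name CORP_NETWORK_POLICY and the existing entry 203.0.113.0/24 are assumed placeholders; marco_pl is this guide's example username.

```sql
USE ROLE accountadmin;

-- List the network policies in the account, then inspect the current
-- allow list of the one you are about to change.
SHOW NETWORK POLICIES;
DESC NETWORK POLICY CORP_NETWORK_POLICY;   -- hypothetical policy name

-- SET ALLOWED_IP_LIST overwrites the list, it does not append.
-- Restate every entry that DESC returned, then add the Grip IP.
ALTER NETWORK POLICY CORP_NETWORK_POLICY SET ALLOWED_IP_LIST = (
  '203.0.113.0/24',    -- constructed placeholder for entries already allowed
  '18.117.54.181'      -- Grip US IP from this guide (EU: 99.80.233.188)
);

-- Confirm which policy is active for the account.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;

-- A user-level policy overrides the account-level one, so also check the
-- user who will consent to the OAuth application.
SHOW PARAMETERS LIKE 'network_policy' IN USER marco_pl;
```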
Setting Up the OAuth Integration
From Snowflake admin console, click on the + sign >> SQL Worksheet / File (1)

Copy and paste the query below.
Note: Ensure that you complete the following information within the commands. (see the below image)
Ensure you have the “accountadmin” role (2)
Change the “client_domain_in_portal” part of OAUTH_REDIRECT_URI (3) to your Grip portal domain.
For example, if your domain in Grip is acme, your OAUTH_REDIRECT_URI will be https://acme.integrations.grip.security/oauth/callback
USE ROLE accountadmin;
CREATE OR REPLACE SECURITY INTEGRATION GRIP_SSPM_OAUTH
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
OAUTH_REDIRECT_URI = 'https://client_domain_in_portal.integrations.grip.security/oauth/callback'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
COMMENT = 'OAuth client for Grip SSPM';
Click on the “Play” icon to run the command.

Paste and run:
USE ROLE orgadmin;
SELECT CURRENT_WAREHOUSE();
Copy the warehouse name (5) to your clipboard; you'll need it for the integration.
Create SSPM role
Copy and paste the query below, but DO NOT press ENTER until you have replaced the required details in commands 3 (GRANT ROLE) and 4 (GRANT USAGE ON WAREHOUSE); see the instructions below.
USE ROLE accountadmin;
CREATE ROLE GRIP_SSPM_ROLE;
GRANT ROLE GRIP_SSPM_ROLE TO USER (enter your user name here);
GRANT USAGE ON WAREHOUSE (warehouse_name) TO ROLE GRIP_SSPM_ROLE;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE GRIP_SSPM_ROLE;
GRANT MONITOR ON ACCOUNT TO ROLE GRIP_SSPM_ROLE;
Commands replacement details
Line 3 - GRANT ROLE GRIP_SSPM_ROLE TO USER {username_will_be_used_to_consent_app}; The command should contain the Snowflake username with which you are going to create the OAuth integration, not the user’s email address.
For example, if your username is marco_pl, the command should be:
GRANT ROLE GRIP_SSPM_ROLE TO USER marco_pl;
To find the Snowflake username, run one of the following commands directly in Snowflake:
SELECT CURRENT_USER(); (recommended)
SHOW USERS; - Note that this command will fetch all users from the system, and you will need to select your own.
This username will later be used to consent to the OAuth application.
Line 4 - GRANT USAGE ON WAREHOUSE - Enter the warehouse name in the command. For example, if the warehouse name is SSPM_WH, enter:
GRANT USAGE ON WAREHOUSE SSPM_WH TO ROLE GRIP_SSPM_ROLE;

Run the commands.
You will again need “USE ROLE accountadmin” (6).
The “CREATE ROLE - GRIP_SSPM_ROLE” (7) requires the minimum-security permissions.
The USER in “GRANT ROLE GRIP_SSPM_ROLE” (8) must be the same user with whom you intend to create the OAuth integration in Grip.
Run the query.
Paste the Warehouse name (9) you copied in step 5.
Run the remaining commands.
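Before handing credentials to Grip, it is worth confirming that the role holds only the three privileges granted above and is assigned only to the consenting user. The queries below are an added example, not part of the original guide; SSPM_WH is this guide's example warehouse name and should be replaced with yours.

```sql
USE ROLE accountadmin;

-- 1. Check the integration: OAUTH_REDIRECT_URI should show your Grip portal
--    domain and OAUTH_CLIENT_TYPE should be CONFIDENTIAL.
DESC SECURITY INTEGRATION GRIP_SSPM_OAUTH;

-- 2. List everything granted to the role.
SHOW GRANTS TO ROLE GRIP_SSPM_ROLE;

-- 3. Filter the previous result: any row returned here is a privilege beyond
--    the three GRANT statements in this guide and should be reviewed.
--    SHOW output columns are lowercase, so they must be double-quoted.
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE NOT (
      ("privilege" = 'USAGE'   AND "granted_on" = 'WAREHOUSE' AND "name" = 'SSPM_WH')
   -- The imported-privileges grant may be reported as USAGE on the database.
   OR ("privilege" IN ('IMPORTED PRIVILEGES', 'USAGE')
       AND "granted_on" = 'DATABASE' AND "name" = 'SNOWFLAKE')
   OR ("privilege" = 'MONITOR' AND "granted_on" = 'ACCOUNT')
);

-- 4. List who holds the role: expect only the user who will consent to the
--    OAuth application.
SHOW GRANTS OF ROLE GRIP_SSPM_ROLE;
```

Run statement 3 immediately after statement 2, because LAST_QUERY_ID() refers to the most recent query in the session.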

Get Snowflake’s information to connect the Grip integration.
To set up the integration, you will need to copy the following details from Snowflake: Client ID, Client Secret, Account ID, Account Domain, and Snowflake User Role.
Get the Client ID, Client Secret, and Role
Run the following command (10) :
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('GRIP_SSPM_OAUTH');
After running the command, copy the Client Secret (11) and Client ID (12) to a clipboard.
Note
❗ Make sure to copy these exact values from the command output, as they are necessary for configuring the integration in Grip. Ensure they are copied precisely and stored securely.
OAUTH_CLIENT_ID
OAUTH_CLIENT_SECRET
Copy the ROLE (13) you previously created.

Get Snowflake’s Account Identifier (ID) and Account/ Server URL.
From your user, go to your account >> View account details (14)
Copy the Account Identifier (15) and the Account/ Server URL (16)

Connect Snowflake to Grip SaaS Security Posture Management.
From the Grip portal, go to “Posture” >> “Add Tenant” (1).
Click on “Snowflake” (2).
Fill in the data you collected from Snowflake (3): Display Name, Client ID, Client Secret, Account ID, Account Domain, and Snowflake User Role
Note
❗ For the Role field, enter the exact role you used earlier during OAuth setup, the one with the necessary read permissions (e.g., GRIP_SSPM_ROLE). This guarantees the integration uses the correct access level.
Click on “Continue.”

In the “Connect Snowflake” window, click “Connect” (4) if you have a Snowflake Username and Password.
Note that if you are not the Snowflake admin, copy the URL above and send it to the Snowflake admin to complete the registration. Please note that the URL will expire after 1 hour.
Sign in to Snowflake (5). ENSURE that the username you sign in with is the same user that was assigned the role (step 8).
Click “Allow” (6)

Once the tenant is added, you will be directed to the tenant's page.

Click the tenant to see and filter your policy statuses, assess your security posture, and begin fixing it.

