Snowflake - Iru Docs

About Snowflake

Iru collects warehouse and account usage, database/schema metadata, roles and grants, and login/query history from Snowflake, primarily via SNOWFLAKE.ACCOUNT_USAGE views. Authentication uses key-pair authentication: short-lived JWTs signed with your RSA private key, verified against the public key registered on the Snowflake user Iru uses.

How It Works

Authorization: Bearer YOUR_SIGNED_JWT
X-Snowflake-Authorization-Token-Type: KEYPAIR_JWT

JWTs are short-lived (about 60 seconds); Iru regenerates them using the configured key and account details.

Detail	Value
Category	Data platform
Authentication	Key-pair JWT

Official references: Key-pair authentication, Account identifiers, REST API, ACCOUNT_USAGE.

Prerequisites

SECURITYADMIN (or equivalent) to assign RSA_PUBLIC_KEY on a dedicated service user.
OpenSSL (or another tool) to generate a 2048-bit (or larger) RSA key pair.
Your account identifier (orgname-accountname preferred, or legacy locator with region/cloud if required).

Connect Snowflake to Iru

Snowflake
Iru Compliance

Complete this tab before you connect the source in Compliance.

Confirm Snowflake admin access

Sign in to Snowsight or the classic console with SECURITYADMIN (or equivalent) so you can run ALTER USER and GRANT statements for the integration user.

Prepare a secure workstation

Use a trusted machine with OpenSSL (or another RSA tool your security team approves). You will keep snowflake_private_key.pem only in your vault. Never commit it to git or send it to Snowflake support.

Generate an RSA key pair

Example with OpenSSL:

openssl genrsa -out snowflake_private_key.pem 2048
openssl rsa -in snowflake_private_key.pem -pubout -out snowflake_public_key.pem

Protect snowflake_private_key.pem. Never commit it or share it with Snowflake.

As an administrator, strip the PEM headers and newlines from snowflake_public_key.pem so only the base64 body remains, then run:

ALTER USER YOUR_USERNAME SET RSA_PUBLIC_KEY='YOUR_PUBLIC_KEY';

Snowflake allows two keys per user (RSA_PUBLIC_KEY / RSA_PUBLIC_KEY_2) for rotation. Assign the new key to RSA_PUBLIC_KEY_2, update Iru, then drop the old key.

Produce a JWT for the wizard

Use Snowflake CLI or a library. For example:

snow connection generate-jwt \
  --account YOUR_ACCOUNT_IDENTIFIER \
  --user YOUR_USERNAME \
  --private-key-path snowflake_private_key.pem

Copy the JWT string for the initial Iru handshake; ongoing regeneration is handled in product.

Grant ACCOUNT_USAGE access

The integration user needs a role that can read SNOWFLAKE shared metadata, for example:

GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE YOUR_ROLE;
GRANT ROLE YOUR_ROLE TO USER YOUR_USERNAME;

Continue on the Iru Compliance tab.

Finish the Snowflake tab first.

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.

Left navigation: Compliance expanded, Sources selected

Turn on Snowflake

Find Snowflake (use Category or Search by name or description). On that card, turn on the toggle. A browser tab or window may open for the connector wizard.

Enter account and host in the wizard

Choose the host pattern that matches your account:

Standard: https://YOUR_ACCOUNT_IDENTIFIER.snowflakecomputing.com
PrivateLink: https://YOUR_ACCOUNT_IDENTIFIER.privatelink.snowflakecomputing.com

Enter account_identifier and confirm server variables before continuing.

Paste the JWT

When prompted, paste the JWT.

Finish the connection

Click Submit Bearer Token. When the connection succeeds, the wizard shows Connection Configured.

Confirm the source is Active

Close the Iru is requesting access to external services browser tab, then return to Compliance → Sources and confirm the Snowflake card is Active.

Troubleshooting

Nothing opens when you turn the source on

Check pop-up blocker settings for the Iru site and try again.

Server variables failed

Wizard session expired. Toggle the source off and on, then retry.

JWT validation / 401

Run DESCRIBE USER to confirm the fingerprint matches and the private key pairs with the registered public key.

Wrong account string

Prefer org-account form; legacy locators may need region/cloud suffix.

PrivateLink

Ensure Iru egress can reach your endpoint; allowlist if required.

Missing ACCOUNT_USAGE

IMPORTED PRIVILEGES on SNOWFLAKE for the Iru role.

Considerations

Iru does not run arbitrary queries against your…

Iru does not run arbitrary queries against your tables. It reads governance-oriented metadata and usage views.

Sources Management

Browse and manage every Compliance source.

Getting Started With Compliance

Frameworks, actions, and Artifacts.

Iru Overview

How Endpoint, Compliance, and Identity fit together.

Artifacts Management

Upload, review, and organize evidence from sources and actions.

​About Snowflake

​How It Works

​Prerequisites

​Connect Snowflake to Iru

​Troubleshooting

​Considerations

Iru does not run arbitrary queries against your…

​Related Articles

Sources Management

Getting Started With Compliance

Iru Overview

Artifacts Management

About Snowflake

How It Works

Prerequisites

Connect Snowflake to Iru

Troubleshooting

Considerations

Related Articles