Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iru.com/llms.txt

Use this file to discover all available pages before exploring further.

About Snowflake

Iru collects warehouse and account usage, database/schema metadata, roles and grants, and login/query history from Snowflake, primarily via SNOWFLAKE.ACCOUNT_USAGE views. Authentication uses key-pair authentication: short-lived JWTs signed with your RSA private key, verified against the public key registered on the Snowflake user Iru uses.

How it works

Authorization: Bearer YOUR_SIGNED_JWT
X-Snowflake-Authorization-Token-Type: KEYPAIR_JWT
JWTs are short-lived (about 60 seconds); Iru regenerates them using the configured key and account details.
DetailValue
CategoryData platform
AuthenticationKey-pair JWT
Official references: Key-pair authentication, Account identifiers, REST API, ACCOUNT_USAGE.

Prerequisites

  • SECURITYADMIN (or equivalent) to assign RSA_PUBLIC_KEY on a dedicated service user.
  • OpenSSL (or another tool) to generate a 2048-bit (or larger) RSA key pair.
  • Your account identifier (orgname-accountname preferred, or legacy locator with region/cloud if required).

Connect Snowflake to Iru

Snowflake

1

Generate an RSA key pair

Example with OpenSSL:
openssl genrsa -out snowflake_private_key.pem 2048
openssl rsa -in snowflake_private_key.pem -pubout -out snowflake_public_key.pem
Protect snowflake_private_key.pem. Never commit it or share it with Snowflake.
2

Register the public key on a Snowflake user

As an administrator, strip the PEM headers and newlines from snowflake_public_key.pem so only the base64 body remains, then run:
ALTER USER YOUR_USERNAME SET RSA_PUBLIC_KEY='YOUR_PUBLIC_KEY';
Snowflake allows two keys per user (RSA_PUBLIC_KEY / RSA_PUBLIC_KEY_2) for rotation. Assign the new key to RSA_PUBLIC_KEY_2, update Iru, then drop the old key.
3

Produce a JWT for the wizard

Use Snowflake CLI or a library. For example:
snow connection generate-jwt \
  --account YOUR_ACCOUNT_IDENTIFIER \
  --user YOUR_USERNAME \
  --private-key-path snowflake_private_key.pem
Copy the JWT string for the initial Iru handshake; ongoing regeneration is handled in product.
4

Grant ACCOUNT_USAGE access

The integration user needs a role that can read SNOWFLAKE shared metadata, for example:
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE YOUR_ROLE;
GRANT ROLE YOUR_ROLE TO USER YOUR_USERNAME;

Iru Compliance

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on Snowflake

Find Snowflake (use Category or Search by name or description). On that card, turn on the toggle. A browser tab or window may open for the connector wizard.
3

Enter account and host in the wizard

Choose the host pattern that matches your account:
  • Standard: https://YOUR_ACCOUNT_IDENTIFIER.snowflakecomputing.com
  • PrivateLink: https://YOUR_ACCOUNT_IDENTIFIER.privatelink.snowflakecomputing.com
Enter account_identifier and confirm server variables before continuing.
4

Submit the JWT and activate

When prompted, paste the JWT. Submit until the Snowflake card shows Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Wizard session expired. Toggle the source off and on, then retry.
Run DESCRIBE USER to confirm the fingerprint matches and the private key pairs with the registered public key.
Prefer org-account form; legacy locators may need region/cloud suffix.
IMPORTED PRIVILEGES on SNOWFLAKE for the Iru role.

Considerations

Iru does not run arbitrary queries against your…

Iru does not run arbitrary queries against your tables. It reads governance-oriented metadata and usage views.

See also