Configure

Enterprise Grafana Cloud

Configure the Snowflake data source

This document explains how to configure the Snowflake data source in Grafana.

Before you begin

You must install the Snowflake plugin before configuring the data source. Refer to Install a plugin for instructions on how to add the plugin. For general information on adding and managing plugins, refer to Plugin management. Grafana recommends keeping your plugin up to date to access all current features.

Before configuring the data source, ensure you have:

Grafana permissions: Organization administrator role.
Snowflake user: A Snowflake user with the appropriate role granted.
- This data source does not require a specific role.
- The Snowflake user’s role is what allows that user to access tables. To query your data, ensure your user has the appropriate roles.
Grafana license: One of the following:
- Any Grafana Cloud plan (free or paid).
- An activated Grafana Enterprise license.

Add the data source

For general information on adding a data source, refer to Add a data source.

To add the Snowflake data source:

Click Connections in the left-side menu.
Click Add new connection.
Type Snowflake in the search bar.
Select the Snowflake data source.
Click Add new data source in the upper right.

Grafana takes you to the Settings tab, where you will set up your Snowflake configuration.

Configure Snowflake

Configuring the Snowflake data source requires a Snowflake user with a username and a password.

Grafana recommends creating a new user with limited permissions for this data source.

Create a user

To connect to Snowflake, you must create a user or authenticate using an existing one. This user runs all queries sent from Grafana.

If you want separate users to run different queries or workloads, create multiple Snowflake data sources with different settings.

To create a user in Snowflake, log in to your Snowflake instance and run the CREATE USER command.

Grant a role

After the Snowflake user is created, you must grant a role using the GRANT ROLE command. Granting a role to a user allows the user to perform operations allowed by that role.

This role defines what warehouses and tables the user has access to.

Get account details from Snowflake

If you already have a working Snowflake account, you can get the information needed to connect to Snowflake from your dashboard by going to the lower-left corner under your account name and clicking View account details. From there you can grab the Account name, Region, and Username to be used in the data source configuration.

Configuration options

These connection settings are the same that are used when connecting via SnowSQL.

The following table describes the available configuration options:

Field	Description
Name	A name for this particular Snowflake data source.
Account	The name of the Snowflake account assigned by Snowflake. In the URL received from Snowflake after the account was provisioned, the account name is the entire string to the left of `snowflakecomputing.com`. If the Snowflake instance is not on `us-west-2`, then the region must be included in the account name. Example: `xyz123.us-east-1`. If the Snowflake instance is not on Amazon Web Services, then the platform must also be included in the account name. Example: `xyz123.us-east-1.gcp`.
Region	Deprecated in favor of Account. Region specifies the region where the Snowflake instance lives.
Username	The username of the account that will query Snowflake.
Authentication Type	Authentication type. Either password authentication or Key Pair Authentication.
Password	The password of the account that will query Snowflake.
Private Key	Enter your unencrypted private key if you prefer to use Key Pair based authentication.
Role	This option allows users to connect to the Snowflake instance using a role that is not the default for the user. The role must still be granted to the user using the `GRANT ROLE` command.
Warehouse	The warehouse to use by default for queries.
Database	The database to use by default for queries.
Schema	The schema to use by default for queries.
TimeInterval	Optional. The lower limit for the `$__interval` and `$__interval_ms` macros. Default: `10s`.
Default Query	Optional. Default query to be used when adding a new Snowflake query to the panel.
Default Variable Query	Optional. Default query to be used when adding a new Snowflake query to the dashboard variable.
Row Limit	Optional. Limits the maximum number of rows read from query results (applied by the plugin, not in the database). If unset, falls back to environment variable `GF_DATAPROXY_ROW_LIMIT`, or unlimited if not set.

Authentication

The Snowflake data source supports the following authentication methods.

Password authentication

Password authentication uses a username and password to authenticate with Snowflake.

Set Authentication Type to Password.
Enter the Username and Password for your Snowflake account.
Click Save & test to verify the connection.

Key Pair authentication

For enhanced security, Key Pair authentication can be used as an alternative to password authentication.

To configure Key Pair authentication:

Generate the public and private keys by following the Snowflake Key Pair authentication documentation.
Update the rsa_public_key in Snowflake for your user.
In Grafana, set Authentication Type to Key Pair.
Enter the Username.
Enter your unencrypted private key in the Private Key field.
Click Save & test to verify the connection.

OAuth authentication

You can use OAuth authentication to pass through tokens to Snowflake on behalf of the user logged into Grafana.

The following instructions use Azure AD as the OAuth provider:

Use Azure AD to set up OAuth.
Follow these instructions to update the application you created in step 1, and add a client application for Snowflake.
Update the scopes you created in step 1 in your grafana.ini file. Add the API you created in step 2. The scopes should look something like:
ini
```
scopes = api://8c1a0b1c-6bb0-4190-a730-8a1c34237619/session:role-any openid email profile offline_access
```
Restart Grafana and log in with Azure AD.
Create a Snowflake data source using Authentication Type: OAuth and toggle Forward OAuth Identity.
Click Save & test to confirm the token is being passed through and is valid.

Troubleshoot OAuth token errors

If you get an invalid token error, step 2 instructions provide ways to validate the token which will provide additional information on why it is invalid:

select system$verify_external_oauth_token('<ACCESS_TOKEN>');

Additional OAuth resources

For more information about OAuth authentication with Snowflake, refer to the following resources:

Verify the connection

Click Save & test to verify the connection. If successful, you should see the following message:

Data source is working.

If you don’t see this message, refer to the Troubleshooting guide for help.

Provision the data source

You can define the data source in YAML files as part of Grafana’s provisioning system. For more information, refer to Provisioning Grafana.

Provisioning example

apiVersion: 1

datasources:
  - name: Snowflake
    type: grafana-snowflake-datasource
    access: proxy
    basicAuth: false
    editable: true
    enabled: true
    jsonData:
      account: xyz123.east-us-2.azure
      username: grafana-user
      authType: password
      timeInterval: 10s
      defaultQuery: SELECT $__timeGroup(<time_column>, $__interval) as time, <value_column> FROM <metric_table> WHERE $__timeFilter(time)
      defaultVariableQuery: SELECT DISTINCT <column_name> FROM <metric_table> LIMIT 1000
      defaultInterpolation: ''
    secureJsonData:
      password: <YOUR_PASSWORD>

Provisioning example with ACCOUNTADMIN role

For the Billing dashboard, you need a data source with the ACCOUNTADMIN role:

apiVersion: 1

datasources:
  - name: Snowflake Billing Data
    type: grafana-snowflake-datasource
    access: proxy
    basicAuth: false
    editable: true
    enabled: true
    jsonData:
      account: xyz123.us-east1.gcp
      username: grafana-admin-user
      database: snowflake
      role: ACCOUNTADMIN
      authType: password
      timeInterval: 10s
      defaultQuery: SELECT $__timeGroup(<time_column>, $__interval) as time, <value_column> FROM <metric_table> WHERE $__timeFilter(time)
      defaultVariableQuery: SELECT DISTINCT <column_name> FROM <metric_table> LIMIT 1000
      defaultInterpolation: sqlstring
    secureJsonData:
      password: <YOUR_PASSWORD>

Replace <YOUR_PASSWORD> with your actual Snowflake password.

Use Terraform to provision the data source

You can automate the configuration of the Snowflake data source in Grafana using Terraform with the Grafana Terraform provider.

Basic Terraform example

terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = "~> 2.0"
    }
  }
}

provider "grafana" {
  url  = var.grafana_url
  auth = var.grafana_auth
}

variable "grafana_url" {
  description = "Grafana instance URL"
  type        = string
  default     = "http://localhost:3000"
}

variable "grafana_auth" {
  description = "Grafana API key or service account token"
  type        = string
  sensitive   = true
}

variable "snowflake_account" {
  description = "Snowflake account identifier (e.g., xyz123.us-east-1)"
  type        = string
}

variable "snowflake_username" {
  description = "Snowflake username"
  type        = string
}

variable "snowflake_password" {
  description = "Snowflake password"
  type        = string
  sensitive   = true
}

variable "snowflake_warehouse" {
  description = "Snowflake warehouse name"
  type        = string
}

variable "snowflake_database" {
  description = "Snowflake database name"
  type        = string
}

resource "grafana_data_source" "snowflake" {
  name = "Snowflake"
  type = "grafana-snowflake-datasource"

  json_data_encoded = jsonencode({
    account      = var.snowflake_account
    username     = var.snowflake_username
    authType     = "password"
    warehouse    = var.snowflake_warehouse
    database     = var.snowflake_database
    timeInterval = "10s"
  })

  secure_json_data_encoded = jsonencode({
    password = var.snowflake_password
  })

  is_default = false
}

output "datasource_id" {
  description = "The ID of the created Snowflake data source"
  value       = grafana_data_source.snowflake.id
}

output "datasource_uid" {
  description = "The UID of the created Snowflake data source"
  value       = grafana_data_source.snowflake.uid
}

Terraform example with Key Pair authentication

variable "snowflake_private_key" {
  description = "Snowflake private key (unencrypted)"
  type        = string
  sensitive   = true
}

resource "grafana_data_source" "snowflake_keypair" {
  name = "Snowflake"
  type = "grafana-snowflake-datasource"

  json_data_encoded = jsonencode({
    account      = var.snowflake_account
    username     = var.snowflake_username
    authType     = "keypair"
    warehouse    = var.snowflake_warehouse
    database     = var.snowflake_database
    timeInterval = "10s"
  })

  secure_json_data_encoded = jsonencode({
    privateKey = var.snowflake_private_key
  })

  is_default = false
}

Deploy the configuration

Create a terraform.tfvars file with your specific values:

grafana_url         = "https://your-grafana.com"
grafana_auth        = "your-api-key"
snowflake_account   = "xyz123.us-east-1"
snowflake_username  = "grafana-user"
snowflake_password  = "your-password"
snowflake_warehouse = "COMPUTE_WH"
snowflake_database  = "your_database"

Initialize and apply the configuration:
Bash
```
terraform init
terraform plan
terraform apply
```

The configuration uses the Grafana Terraform provider to create the data source with secure storage of credentials. You can adjust the is_default setting to true if you want this to be your default data source in Grafana.