When setting up system users in Snowflake for services or integrations (e.g., Salesforce, Mixpanel, ETL tools), you want a secure and scoped configuration. This guide walks you through how to create a user with a custom role, whitelist IPs, and enable key pair authentication.
1. Create a Role
Start by creating a dedicated role for the user.
CREATE ROLE IF NOT EXISTS my_service_role;
Grant necessary privileges to the role. For example, access to a warehouse:
GRANT USAGE ON WAREHOUSE compute_wh TO ROLE my_service_role;
-- Add SELECT, INSERT, etc., on required schemas/tables as needed
2. Create a Network Policy (Optional IP Whitelisting)
Snowflake allows restricting access to specific IPs via network policies.
CREATE OR REPLACE NETWORK POLICY my_service_policy
ALLOWED_IP_LIST = ('123.45.67.89', '98.76.54.32')
COMMENT = 'Policy for system user access';
3. Create the User
Link the user to the warehouse and the network policy. Replace my_service_user with your actual username.
CREATE USER IF NOT EXISTS my_service_user
DEFAULT_WAREHOUSE = compute_wh
NETWORK_POLICY = my_service_policy
COMMENT = 'System user for system integration';
Assign the role to the user:
GRANT ROLE my_service_role TO USER my_service_user;
4. Generate RSA Key Pair (For Key Pair Authentication)
On your local machine or CI/CD environment:
# Generate private key
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out my_service_private.p8
# Generate public key
openssl rsa -in my_service_private.p8 -pubout -out my_service_public.pub
The .p8 file is your private key. Keep it secret. The .pub content goes into Snowflake.
5. Add Public Key to User
Copy the public key content (excluding headers) and set it:
ALTER USER my_service_user
SET rsa_public_key = 'MIIBIjANBgkq...IDAQAB';
The user is now restricted to specific IPs, has scoped access via roles, and can authenticate via key pair auth. You can now use this user securely for automation or integrations.