Skip to main content

Overview

Stigg’s integration with Snowflake serves a core principal of granting access to raw data, enabling the creation of customized reporting solutions and fostering informed business decision-making.
Stigg’s native integration with Snowflake is included in the Scale plan, and is also available as an optional add-on to the Growth plan. See Stigg’s pricing for more details.

Exported entities

When connecting Snowflake, you can choose which Stigg entity groups to include in the sync. All groups are selected by default. See Exported entities for the full list of entity groups and the tables within each.

Entity schema

Setting up the integration

Prerequisites

To set up the integration, you’ll need a Snowflake account with the ACCOUNTADMIN role. If you don’t have an account with the ACCOUNTADMIN role, contact your Snowflake administrator to set one up for you.
Snowflake deprecates the creation of new password-based users, so Stigg recommends key-pair authentication for all new Snowflake connections. Existing password-based connections should migrate to key-pair before Snowflake removes password users for service-type accounts.
1

Generate a Snowflake key pair (recommended)

Stigg supports connecting to Snowflake using key-pair authentication, which Snowflake recommends over password authentication.
Follow the steps below to generate the private and public RSA key pair. You’ll use the private key with Stigg, and the public key in Snowflake.
These commands use the openssl CLI. If you don’t have it installed, install it locally or ask your DevOps / infrastructure team to run them for you.
# To generate an unencrypted private key
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

# Or to generate an encrypted private key (recommended)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -v2 aes-256-cbc -out rsa_key.p8

# To generate the public key from the private key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
After running these commands you will have two files:- rsa_key.p8: your private key in PKCS#8 format. This is the file you will upload or paste into Stigg when configuring the Snowflake integration. - rsa_key.pub: your public key. In the next step, you will copy the Base64 body of this file (without the -----BEGIN PUBLIC KEY----- / -----END PUBLIC KEY----- lines) into the Snowflake SQL script.If you generated an encrypted private key, openssl will prompt you to choose a passphrase. Remember this value, as you’ll enter it in the Passphrase field in Stigg when connecting to Snowflake.If you prefer to authenticate with a username and password instead, skip this step.
2

Create Stigg entities in Snowflake

In Snowflake, create the relevant Stigg entities (a role, user, warehouse, database and schema) with the OWNERSHIP permission.Open a new Snowflake worksheet and paste the below script:

-- set variables (these need to be uppercase)
set export_role = 'STIGG_ROLE';
set export_warehouse = 'STIGG_WAREHOUSE';
set export_database = 'STIGG_DATABASE';
set export_schema = 'STIGG_SCHEMA';

-- set credentials
set export_username = 'STIGG_USER';
set export_public_key = '<PASTE YOUR PUBLIC KEY HERE>'; -- base64 content only, no header/footer (skip if using password auth)

begin;

-- create role
use role securityadmin;
create role if not exists identifier ($export_role);
grant role identifier ($export_role) to role SYSADMIN;

-- create user
create user if not exists identifier ($export_username)
    default_role = $export_role
    default_warehouse = $export_warehouse;
    rsa_public_key = $export_public_key;

grant role identifier ($export_role) to user identifier ($export_username);

-- change role to sysadmin for warehouse / database steps
use role sysadmin;

-- create warehouse
create warehouse if not exists identifier ($export_warehouse)
    warehouse_size = xsmall warehouse_type = standard
auto_suspend = 60
auto_resume = true
initially_suspended = true;

-- create database
create database if not exists identifier ($export_database);

-- grant warehouse access
grant USAGE
    on warehouse identifier ($export_warehouse)
    to role identifier ($export_role);

-- grant database access
grant OWNERSHIP
    on database identifier ($export_database)
    to role identifier ($export_role);

commit;

begin;

USE DATABASE identifier ($export_database);

-- create schema
CREATE SCHEMA IF NOT EXISTS identifier ($export_schema);

commit;

begin;

-- grant schema access
grant OWNERSHIP
    on schema identifier ($export_schema)
    to role identifier ($export_role);

commit;
Replace <PASTE YOUR PUBLIC KEY HERE> with the base64 content of your rsa_key.pub file (without the header/footer lines). If you’re using password authentication instead, remove the rsa_public_key line and set a password on the user instead.
When pasting your public key into Snowflake, use only the Base64-encoded content of the key.
Do not include the -----BEGIN PUBLIC KEY----- or -----END PUBLIC KEY----- lines, and ensure there are no extra spaces or line breaks.
Incorrect formatting will prevent the connection from being established.
Run the script, while using the Run All option (⌘ + Shift + Enter shortcut in Mac or CTRL + Shift + Enter in Windows).
3

Grant Stigg access to your Snowflake cluster

By default, Snowflake allows users to connect to the service and internal stage from any computer or device. A security administrator (or higher) can use a network policy to allow or deny access to a request based on its origin.In this step we’ll ensure that Stigg has access to your Snowflake cluster.In Snowflake, open a new worksheet and run the below command:
SHOW NETWORK POLICIES;
If the returned result is empty, all network access is allowed to your cluster, and specifically Stigg can access it - skip to the next section.If the returned result is not empty, an existing network policy is in place. To ensure that Stigg can access your cluster, update the existing policy and add Stigg’s IP addresses to the allowlist using the below command:
CREATE NETWORK POLICY $EXPORT_POLICY_NAME ALLOWED_IP_LIST = (
-- Depending on your data residency location, add the following IP addresses to your allowlist:
-- United States:
  '34.106.109.131/32',
  '34.106.196.165/32',
  '34.106.60.246/32',
  '34.106.229.69/32',
  '34.106.127.139/32',
  '34.106.218.58/32',
  '34.106.115.240/32',
  '34.106.225.141/32',
-- European Union:
  '13.37.4.46/32',
  '13.37.142.60/32',
  '35.181.124.238/32'
);
4

Connect Stigg with Snowflake

In Stigg, navigate to Integrations > Apps > Snowflake.Enter the following information in the connection form:
FieldDescription
Account URLThe Snowflake account URL, for example: https://ab12345.us-east-2.aws.snowflakecomputing.com
RoleThe role you specified when creating the Stigg entities in Snowflake, for example: STIGG_ROLE
WarehouseThe warehouse you specified when creating the Stigg entities in Snowflake, for example: STIGG_WAREHOUSE
DatabaseThe database you specified when creating the Stigg entities in Snowflake, for example: STIGG_DATABASE
SchemaThe schema you specified when creating the Stigg entities in Snowflake, for example: STIGG_SCHEMA
UsernameThe username you specified when creating the Stigg entities in Snowflake, for example: STIGG_USER
Auth methodSelect Key pair (recommended) or User / Password.
Private KeyRequired for key-pair auth. The private key you created when generating the key pair.
Passphrase (optional)Protects your private key with an extra password, if you generated an encrypted key. Snowflake recommends following PCI DSS guidelines and storing it securely.
PasswordRequired for password auth. The password for the Snowflake user.
Click Test & connect. Stigg will verify the credentials before saving the connection.
5

Select entities to export

After entering your connection details, expand the Entities to export section to choose which entity groups to include in the sync. All groups are selected by default.See Exported entities for a description of each group.

Migrating existing connections from password-based to key-pair authentication

If you previously connected Stigg to Snowflake using password-based authentication, you can easily migrate your connection to RSA key-pair authentication without losing access.
1

Click Switch to key pair

In the Snowflake integration card, click Switch to key pair in the banner. This will open the guided migration wizard.image.png
2

Generate your key pair

Follow the Generate a Snowflake key pair step above to create your private and public keys.
3

Update your Snowflake user

Use the script below to update the existing Stigg user and associate your new public key. This script removes password-based authentication and enables key-pair login.
-- this script updates the existing user created with password-based authentication
set export_username = 'STIGG_USER';

-- set the public key generated earlier
alter user identifier ($export_username) set rsa_public_key = '<BASE64_PUBLIC_KEY>';

-- optional: enforce key-pair only by removing the password
alter user identifier ($export_username) unset password;
Replace <BASE64_PUBLIC_KEY> with the base64 content of your public key (without the BEGIN/END lines).
4

Update your Stigg connection

Go to connection details.
  1. Paste or upload your private key file (rsa_key.p8).
  2. Enter your passphrase (if applicable).
  3. Click Update Snowflake connection. Your integration will now use RSA key-pair authentication.
Existing data and sync configuration remain unchanged. Only the authentication method is updated.

Sync process and schedule

After setup, Stigg performs a full sync of all selected entities. Subsequent syncs are incremental, transferring only changes since the last run. Stigg syncs data to Snowflake on a configurable schedule — daily at 12:00 AM UTC by default. You can adjust the sync frequency from the Snowflake integration settings at any time.

Manual sync

To trigger an immediate sync, open the Snowflake integration in Stigg and click Sync now.

Sync history

The Snowflake integration page shows a log of all past and in-progress syncs. The dashboard updates automatically as syncs complete — no need to refresh. Each row in the history shows the sync status and timestamps. Expand a row to see:
  • Number of rows synced per entity
  • Sync duration
  • What triggered the sync (scheduled or manual)
  • Who initiated it (for manual syncs)
Use the status and date filters to find a specific sync run. Snowflake supports two public key slots for each user:
  • RSA_PUBLIC_KEY
  • RSA_PUBLIC_KEY_2
This allows you to rotate keys without downtime.
1

Generate a new key pair

Follow the same steps as in the Generate a Snowflake key pair section to create a new private key and public key.
2

Add your new public key to Snowflake

Add the new public key to the secondary key slot:
alter user STIGG_USER
  set rsa_public_key_2 = '<NEW_PUBLIC_KEY>';
3

Update Stigg with the new private key

In Stigg → Integrations → Snowflake:
  1. Upload or paste your new rsa_key.p8
  2. Enter the passphrase (if applicable)
  3. Click Update Snowflake connection
4

Verify and activate the new key

Once the connection is validated:
  • Swap keys:
    alter user STIGG_USER swap rsa_public_key_2 = rsa_public_key;
    
  • Or remove the old one:
    alter user STIGG_USER unset rsa_public_key_2;
    
Key rotation is a security best practice and recommended for SOC2 / ISO27001 compliance.

Removing the integration

To remove the integration, click on the dotted menu icon and select the Remove action. Confirm the action by clicking on the Remove button in the opened modal.