For least-privilege access, we recommend creating a dedicated role and user for Reeflow rather than reusing an admin account. Snowflake’s access control best practices cover this in more depth.
Run the following as ACCOUNTADMIN, customising the role, user, warehouse, and database names to match your environment:
USE ROLE ACCOUNTADMIN;
-- Dedicated role for Reeflow
CREATE ROLE IF NOT EXISTS REEFLOW_READER;
-- Dedicated user
CREATE USER IF NOT EXISTS REEFLOW_READER
DEFAULT_ROLE = REEFLOW_READER
DEFAULT_WAREHOUSE = COMPUTE_WH
MUST_CHANGE_PASSWORD = FALSE;
GRANT ROLE REEFLOW_READER TO USER REEFLOW_READER;
-- Warehouse, database, and schema usage
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE REEFLOW_READER;
GRANT USAGE ON DATABASE ANALYTICS TO ROLE REEFLOW_READER;
GRANT USAGE ON ALL SCHEMAS IN DATABASE ANALYTICS TO ROLE REEFLOW_READER;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE ANALYTICS TO ROLE REEFLOW_READER;
-- Read access on existing and future tables / views
GRANT SELECT ON ALL TABLES IN DATABASE ANALYTICS TO ROLE REEFLOW_READER;
GRANT SELECT ON FUTURE TABLES IN DATABASE ANALYTICS TO ROLE REEFLOW_READER;
GRANT SELECT ON ALL VIEWS IN DATABASE ANALYTICS TO ROLE REEFLOW_READER;
GRANT SELECT ON FUTURE VIEWS IN DATABASE ANALYTICS TO ROLE REEFLOW_READER;
GRANT SELECT ON ALL MATERIALIZED VIEWS IN DATABASE ANALYTICS TO ROLE REEFLOW_READER;
GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN DATABASE ANALYTICS TO ROLE REEFLOW_READER;
When creating a Snowflake connection in Reeflow, provide the following:
Field
Description
Account
Snowflake account identifier. Find it in Snowsight under your user profile: Account → View account details → Account Identifier (e.g. MYORG-MYACCOUNT or xy12345.us-east-1).
Username
The Snowflake user that owns the PAT. Find it in Snowsight under Settings → Profile → Username.
Programmatic Access Token
The PAT generated above
Warehouse
Default warehouse used to execute queries
Database
Default database queries are issued against
Schema
Optional default schema. Defaults to PUBLIC when omitted.
Role
Optional default role. Defaults to the user’s default role when omitted.