Skip to main content

Intro

With Cloud Amplifier, you can grant Domo access to work with your enterprise data assets inside Snowflake. With the Snowflake-Cloud Amplifier integration, your data remains in Snowflake, within your governance and data structure, and Snowflake controls data access and query processing. Cloud Amplifier gives you access to a comprehensive portfolio of the Domo data experience capabilities to get more value from your data. This guide is written for users familiar with Snowflake and describes how to register Snowflake with Cloud Amplifier, including setup for Read and Write capability and OAuth configuration.
Note: Magic ETL leverages the Snowflake-Cloud Amplifier integration so you can effortlessly transform your data inside Snowflake. Learn about Magic ETL on Snowflake.
Learn how to register Snowflake with Cloud Amplifier in the following topics:

Architectural Overview

This image represents the Cloud Amplifier-Snowflake integration.
Snowflake architecture diagram.png

Prerequisites

Cloud Amplifier setup consists of two parts: Read-only or Read/Write. After the Read-only setup is complete, you may begin using virtual tables that read from Snowflake to create cards, set up Alerts, or serve as inputs in Magic ETL flows. You can set up Read only and return later to set up the Write portion.

Recommended Account Creation - All

Before setting up the Snowflake connection, we strongly recommend that you complete the following:
  • (Recommended) ​Create a Snowflake service account — We recommend creating a new Snowflake account specifically for this integration. You can use any account with read access in Snowflake, but a service account is best practice. This account must have read access to your default Snowflake environment in order to create virtual Snowflake tables in Domo.
  • (Recommended) Create a Domo service account — We recommend creating a new Domo account specifically for this integration. The account role must have the Manage Cloud Accounts and Manage DataSet grants enabled.
For more information about roles and grants, see our article about Managing Custom Roles.

Account Creation - Write

Before registering with Cloud Amplifier for the Write portion of the setup, you must complete the following:
  • (Required) Create a default Snowflake database — You need a Snowflake database that is exclusively for Domo to write Domo-managed tables. During setup, this database is the default.
    Note: Any tables not managed by Domo in this database will not be seen by Cloud Amplifier.
  • (Conditional) Place IP Addresses on an allowlist — If your Snowflake environment restricts access based on IP address, you may need to place Domo IPs on an allowlist. For more information, see our article about Allow Domo IP Addresses for Network Connections.
    Important: During the Write setup process, you are provided with SQL statements to create the integration. These statements must be executed against your Snowflake environment by a Snowflake administrator with the ACCOUNTADMIN role.This is a Snowflake requirement and prevents the need to manage your Snowflake administrator credentials within Domo, which is especially important in larger organizations where your Snowflake administrator may not have Domo access. After the integration is established, you no longer need a Snowflake administrator account.

Read-only Setup

Follow these steps to set up Read-only access and begin referencing Snowflake tables from within Domo using Cloud Amplifier.
  1. Navigate to the Data Warehouse.
  2. Select Add New Cloud Integration on the canvas.
  3. In the modal, select Snowflake. The cloud integrations modal displays.
    native integration.png
  4. Select + Add New Integration.
  5. Enter the Snowflake setup information:
    • Integration name — A unique name to help you identify the integration in Domo. If configuring OAuth, this name is how Domo users view the reference to the Snowflake native connection. It is not the same as the integration name, and has no impact for Snowflake.
    • (Optional) Integration description — A description of the integration.
    • Snowflake connection URL — This is your Snowflake URL, which you can find on the Snowflake login page. The URL is in this format: < orgname> -< account_name>.snowflakecomputing.com. To learn how to find your Snowflake URL, see the Snowflake documentation .
    • Snowflake username/Snowflake password The credentials for the Snowflake service account that you created.
      Screenshot 2024-11-06 at 12.01.26 PM.png
  6. Scrolling down to the Snowflake role settings, select a role option.
    • Use default role — By default, when someone connects to Snowflake, they are assigned an initial role. If no default role is specified, the system defaults to the PUBLIC role, which has access to nothing.
    • Specify a role — Allows you to choose the default role for new users, rather than the PUBLIC role.
    • Use secondary roles — This is a function that Snowflake supports. When set, Snowflake automatically determines if someone has access to a table with any role granted that user. If a Snowflake user has multiple roles in Snowflake and each role has access to multiple tables, the person must switch roles frequently. Secondary roles prevent this by allowing the person to access a table without switching between multiple roles. This option does not allow individuals to choose their Snowflake role as they query. Instead, you can define a given role for all users when Domo needs to query Snowflake.
  7. Under Configure OAuth, toggle the switch to enable OAuth to authenticate users individually. See Configure OAuth in Domo below.
  8. Select the Snowflake warehouse to use for loading and/or querying data.
    load and query.png
  9. Read-only configuration is now complete. Continue to the next step to add Snowflake data to Domo.
    read complete.png
  10. (Optional) Select Choose Data Tables to create DataSets in Domo. The modal displays navigation for databases, schemas, and tables in Snowflake that you want to add to Domo. Locate and select the data you want to add and select Create DataSets.
    database and schema.png

Write Setup

Before completing the steps in this section, complete the prerequisites above. Registering with Cloud Amplifier for write capabilities is a multi-step process that requires a Snowflake administrator. The following graphic displays the process of registering a Snowflake instance with Cloud Amplifier.
registering graphic.png
Follow these steps to configure write capabilities:
  1. Enter the name of the Default Role that you assigned to the Snowflake service account and the Snowflake write database name. The Snowflake write database name is the default Snowflake database to which all new data coming from Domo is added. The name is case sensitive, and each letter should be capitalized.
  2. Select Generate SQL to generate SQL unique to this integration.
    generate sql.png
    Important: You cannot use this SQL for other integrations or accounts and you must regenerate it if the credentials are changed.
  3. Copy the SQL from the dialog and execute the SQL against your Snowflake warehouse. This SQL can only be executed by a Snowflake account administrator with the ACCOUNTADMIN role. The output of that SQL is a CSV file description of the integration that includes IDs required by Domo to continue setup.
    execute SQL.png
  4. Copy the following values from the SQL output:
    • User ARN : STORAGE_AWS_IAM_USER_ARN
    • External ID : STORAGE_AWS_EXTERNAL_ID
      external id.png
      Additional SQL is generated to register the ARN and External ID with Domo. A Snowflake administrator with the ACCOUNTADMIN role must execute this SQL against the warehouse you selected for storing data earlier in this process.
      run sql.png
      execute 2.png
  5. In Domo, confirm that the script executed successfully. Domo then initializes the Snowflake integration, creates required assets in Snowflake, such as tables and schemas, and enables Cloud Amplifier for this account.
  6. Finalize the write integration by checking the box to acknowledge that you understand that Domo can make changes to your Snowflake environment.
    finalize write integration.jpeg
  7. Select Apply. When you see the Select Snowflake tables screen, your connection is working.
  8. (Optional) The modal displays navigation for databases, schemas, and tables in Snowflake that you want to add to Domo. Locate and select the data you want to add and select Create DataSets.
    Screenshot 2024-06-21 at 1.34.38 PM.png
Write setup for Snowflake is now complete.

Use Snowflake-sourced DataSets

When you use Snowflake-sourced DataSets in a DataFlow, the data is queried live from Snowflake at the time the flow is executed. In addition, Snowflake-sourced DataSets are checked for updates every 15 minutes based on the table’s LAST_ALTERED DateTime. If a table has been updated since it was last checked, DataFlows that use that table as a trigger will execute.

Snowflake Connection Security

There are two options for securing your Snowflake connection: key-pair authentication and basic authentication with username & password. You can also choose to configure OAuth.
Important: We strongly recommend key-pair authentication for enhanced security.
With basic authentication, enter your Snowflake connection URL, username, and password. Key-pair implementation is explained below.

Snowflake Key-pair Authentication

Snowflake supports key pair authentication for enhanced security. Configure it by following the steps below.
  1. Complete all the steps provided in this article from Snowflake: Snowflake prerequisites , then return here.
  2. Navigate to the Data Warehouse.
  3. In the left panel, select Manage Cloud Connections.
  4. In the modal, select Snowflake.
    select snowflake.jpg
  5. Hover over an existing integration and select Options > Edit account or create a new integration.
  6. In the integration modal under Edit Snowflake Account, choose the radio button for Key pair. The modal offers the option to review the Snowflake documentation on key-pair authentication.
    key pair.jpg
  7. Select Choose a File and upload your private key file.
    choose a file.jpg
  8. Enter your Snowflake private key passphrase.
  9. Move through the rest of the modal and make any other changes, then save your integration.
Note: See our FAQ and troubleshooting sections below if you experience connection issues.

OAuth Configuration

You can enable OAuth in Snowflake, which requires all users of the Snowflake-Cloud Amplifier integration to authenticate in Snowflake to ensure that they can only access Snowflake data for which they are authorized. To configure OAuth in Snowflake, you must complete setup first in Snowflake, then in Domo. You can then choose to integrate with Okta SSO.

Configure OAuth in Snowflake

Begin by configuring the Snowflake OAuth security integration.
  1. Run the following query inside the Snowflake console as an ACCOUNTADMIN.
    • You can replace the integration name [domo_platform] with any value.
    • Verify the redirect URI (oauth_redirect_uri) is correct based on your instance of Domo. create or replace security integration [domo_platform] type = oauth enabled = true oauth_client = custom oauth_client_type = 'CONFIDENTIAL' oauth_redirect_uri = 'https: //oauth. domo. com/api/data/v1/oauth/providers/snowflake-oauth/exchange' oauth_issue_refresh_tokens = true oauth_refresh_token_validity = 86400; -- Update as appropriate, currently 1 day
  2. Use your integration name to verify that the details of the new security integration are correct: 
    desc security integration [domo_platform]
  3. Run the following command to retrieve your new client ID and secret. 
    select system$show_oauth_client_secrets('domo_platform') -- for obtaining the client id and secret for use inside of Domo
  4. Copy the client ID and secret to use in the Domo setup process.

Configure OAuth in Domo

  1. Complete steps 1–8 of the read-only setup process above, then return here.
  2. After toggling the switch to enable OAuth, the following fields display:
    • Snowflake account identifier — If this field is already filled, do not change it.
    • Snowflake client ID — Paste the client ID retrieved from Snowflake.
    • Snowflake client secret — Paste the client secret retrieved from Snowflake.
  3. Choose the Snowflake role to use and select Authenticate.
    A Snowflake modal displays.
    Important: Ensure that the [domo_platform] name entered in the brackets is in all caps. Otherwise, Snowflake returns an error when retrieving the client ID in secret.
  4. Enter your Snowflake credentials and select Sign In.
    snowflake popup.jpg
  5. Review the application permissions and select Allow.
    app permissions.jpg
  6. Choose how frequently Domo checks the database metadata for changes to the table such as rows added and removed, and how long the cache lives in Domo before needing to be refreshed. If you want to disable caching in Domo and run each query live against Snowflake, set the value in the Cache TTL field to 0. We recommend you monitor your Snowflake instance to understand any impacts of disabling the cache TTL.
    ttl settings.jpg
  7. Select Next to move to the Select warehouse screen of the modal.
  8. Choose the warehouse to connect and select Next to finalize the connection.
Your Snowflake-Cloud Amplifier connection now displays inside the Data Warehouse. If you want to integrate your connection with Okta SSO, follow the steps below.

Configure Okta for SSO Access

You must complete the OAuth configuration before following these steps for Okta SSO.
  1. Go to the Okta Administrator dashboard.
    okta admin dashboard.jpg
  2. In the left navigation, go to Applications
    Applications.
    applications.jpg
  3. Select Browse App Catalog.
    browse app catalog.jpg
  4. Use the search bar to find and choose a new Snowflake integration.
    new snowflake integration.jpg
  5. In the Application label field, label your new integration. Example: Snowflake <Account>
  6. For the Subdomain field, follow these steps:
    • If your Snowflake account URL is in the new URL format: https://<;organizationName>-<accountName>.snowflakecomputing.com, your Subdomain value is <organizationName>-<accountName>
    • If your Snowflake account URL is in the old format without the organization name and with the following cloud region: https://<;accountLocator>.<region>.snowflakecomputing.com, your Subdomain is your Snowflake account name with the region. *Example: <accountLocator>.<region>
  7. Choose whether to display application icon to users. By default, it is visible.
  8. Check the box labeled Automatically log in when user lands on login page and select Next.
  9. In the Sign-On Options section, select the radio button for SAML 2.0.
    saml 2.0.jpg
  10. Scroll down and select View Setup Instructions to open another page of instructions.
    view setup instructions callout.jpg
  11. Before navigating to the new page, select Done to finalize the setup.
    select done.jpg
  12. Go to the new page of setup instructions and complete the steps.

FAQ

Make sure to create a dedicated database inside Snowflake for your Domo integration. If you connect to an existing Snowflake database, then Domo does not see the tables that are in that database.
Domo performs different activities within the CDW account, such as data loading, querying, and data transformation. For most use cases, we recommend a small-sized multi-cluster warehouse (multi-purpose for load, query, and transformation) set to scale up automatically. You can choose the max cluster size to put an upper bound on scaling and limit the cost envelope.When you are ready for production workloads and are considering whether to use existing functional warehouses or to set up new warehouses for the Domo integration, check out this Domo blog post on optimizing with Cloud Amplifier .
With your data in Snowflake, Domo supports two different mechanisms for transforming data:
  1. DataSet Views — DataSet Views provide the Views Explorer tool to create data transformations on your Snowflake DataSets. You can perform operations such as filtering, grouping/aggregation, JOINs, UNIONs, and creating calculated columns from a graphic user interface. DataSet Views are created as virtual DataSets, with queries sent back to the parent DataSets.
    Note: Creating a DataSet View in Domo does not create a View (normal or materialized) in Snowflake. The View definition is stored in Domo, and the resulting query is sent to Snowflake table(s) when needed.
  2. Magic ETL DataFlows — Magic ETL is supported with Domo running on Snowflake Cloud Data Warehouse (CDW). Using Magic ETL with Snowflake data results in data being exported from Snowflake to Magic ETL in a transient state, processed, and written back to Snowflake. Note that Domo only operates on this data in a transient fashion and does not store DataFlow outputs in Domo. (They are sent to the Snowflake warehouse.)
    Note: Data is cached in the Magic ETL execution environment for seven days, or the two most recent data versions from that Magic ETL execution.
When you connect Domo to your Snowflake account, Domo operates over two classes of databases and underlying tables. Tables you create and update directly through independent pipelines or ingestion mechanisms can be explored and registered in Domo, accessible in a read-only fashion. Domo can read and directly query these customer-managed databases.Additionally, we recommend creating a new database in Domo for Read/Write access. Domo uses this Domo-managed database to write data that comes in through the Domo ingestion pipeline, such as with the thousands of connectors available to bring data into Snowflake. Domo also uses this Domo-managed database to create outputs of data transformations (DataFlow outputs).
Permissions originating in Snowflake are not programmatically passed into Domo. However, you can use Domo’s native permission model and Personalized Data Permisssons (PDP) for data security to manage data access to underlying assets in Snowflake.
  • Leaving data in Snowflake — Perhaps the biggest difference is that all Snowflake connectors import/duplicate data from Snowflake to Domo, while Cloud Amplifier leaves the data in Snowflake.
  • Bulk create — Cloud Amplifier allows you to look up and bulk select up to 50 Snowflake tables to immediately create 50 unique DataSets. To do this with connectors, you would have to configure each DataSet individually with a connector.
This is the standard behavior for Snowflake views. Snowflake endpoints do not provide the number of rows unless the data is explicitly queried.
Make sure that you own the user or have the SECURITY/ADMIN Snowflake role.
Follow every instruction provided in this Snowflake documentation . Make sure that the passphrase matches the one you used to create your key-pair and that you have executed the ALTER USER statement successfully.

Troubleshooting

If you experience a problem with your Cloud Amplifier/Snowflake integration, the following information may be able to help. You can also submit a request to Domo Support .
Missing Tables
If you cannot find tables that your account has rights to, make sure the table is materialized. Transient or Temporary tables on the Snowflake side cannot be used to create DataSets through Cloud Amplifier.
Setup Problems
If you have problems setting up your Cloud Amplifier/Snowflake integration, follow the steps below: Check Snowflake Service Account
  1. Log into Snowflake with the service account credentials.
  2. Make sure you can view the default Snowflake Database and query tables that you expect to import.
Assign Correct Role Make sure that a Snowflake administrator with the ACCOUNTADMIN role is executing the SQL that Domo provided in Snowflake. Use Correct URL Make sure that the Snowflake connection URL in Domo matches the Snowflake login URL. You can find the URL on the Snowflake login page. The URL will be in this format: instancename.region. snowflakecomputing.com.
Next steps: Now that you’re integrated, learn how to use Magic ETL on Snowflake or how to create a Magic ETL DataFlow.