snowflake-sdk (Node.js) and snowflake-connector-python libraries. Available on Enterprise plans.
Summand follows Snowflake’s documented best practices for service connectors: dedicated read-only role, modern authentication (key-pair JWT or programmatic access tokens), structured query tags for cost attribution, and a 1-hour statement timeout to bound runaway queries.
What Summand needs
A dedicated Snowflake role with read-only access to the database, schema, and tables you intend to analyze. Snowflake’s access control best practices recommend creating an integration-specific role rather than reusing a human user’s role. The role needs:USAGEon the warehouseUSAGEon the database and schemasSELECTon the tables and views to be analyzed (orSELECT ON ALL TABLES IN SCHEMA …plusSELECT ON FUTURE TABLES IN SCHEMA …for new tables)
Authentication
Snowflake is deprecating single-factor password authentication for service users by October 2026. Summand supports three auth methods, listed in order of preference:Key-pair JWT (recommended)
1
Generate a key pair
On any machine with The private key (
openssl:summand_rsa_key.p8) goes into Summand. The public key (summand_rsa_key.pub) goes into Snowflake.2
Register the public key on the Snowflake user
Strip the PEM header/footer from Snowflake’s key rotation guide explains how to rotate via
summand_rsa_key.pub and run, in Snowflake:RSA_PUBLIC_KEY_2 without downtime.3
Add the connector in Summand
In Connectors → Add connector → Snowflake:
- Choose Key pair (recommended)
- Paste the contents of
summand_rsa_key.p8into Private key - If you used
-v2 des3(encrypted), supply the Passphrase
Programmatic Access Token (PAT)
Introduced in 2024, PATs are token-based credentials scoped to a single user — simpler than key-pair, more secure than passwords. Best for “OAuth without the redirect dance.”1
Generate a PAT in Snowflake
ALTER USER … REMOVE PROGRAMMATIC ACCESS TOKEN summand_token.2
Add the connector
In Connectors → Add connector → Snowflake:
- Choose Programmatic Access Token
- Paste the token value into the Token field
Password (legacy)
Supported for backward compatibility but Snowflake is enforcing key-pair / OAuth for service users by October 2026. Existing password-auth connectors should be migrated before then; new connectors should default to key-pair or PAT.Setup script — least-privilege role
Run this in Snowflake (asSECURITYADMIN or SYSADMIN) before adding the connector. Adjust <DB>, <SCHEMA>, and <WAREHOUSE> to your environment:
Network access
By default Summand connects from a fixed pool of egress NAT IPs (visible in Settings → Connectivity). Three deployment options exist:1. Public endpoint with IP allowlist (default)
Add Summand’s egress IPs to your Snowflake network policy:2. AWS PrivateLink (Enterprise only)
For accounts that disable public traffic via AWS PrivateLink, Summand can be added to your VPC peering. Contact sales@summand.com — this is a managed-peering setup and requires both sides to coordinate.3. Hostname allowlist on customer side
If your firewall blocks outbound by hostname, allow:<account>.snowflakecomputing.com(account-specific URL)<account>.<region>.privatelink.snowflakecomputing.com(PrivateLink endpoint, if applicable)*.snowflakecomputing.comif you prefer broad allowlisting
Adding the connector
From Connectors → Add connector → Snowflake:What Summand sets on every Snowflake session
For predictable cost and operational behavior, Summand applies these session parameters automatically:Cost attribution
Every Summand query carries a JSONQUERY_TAG. To see credits attributable to Summand:
Picking tables, views, and datasets
Summand discovers base tables, views, and materialized views in the schema(s) you have access to. View support means dbt-style “raw tables → curated views” pipelines work out of the box — point Summand at the curated view and analyze it directly. Same UX as any other database connector: toggle on the tables/views to analyze, set targets per dataset, run.Common errors
”Snowflake view metadata is stale”
Snowflake views can drift when an underlying table gains columns and the view’s stored column shape becomes out of sync. The fix must be in Snowflake (ALTER VIEW cannot do this):
”Connection succeeded but no warehouse is bound”
The role lacksUSAGE on the warehouse. Run:
“Account identifier not found”
Most often caused by:- Using the legacy
<locator>.<region>.<cloud>form — switch to<org>-<account> - Trailing
.snowflakecomputing.com(Summand auto-strips this, but other tools may not) - Underscores in the identifier — Snowflake’s Python connector requires hyphens (Summand auto-converts on the way in)