Snowflake
The Snowflake Integration enables SailPoint Entro to collect your Snowflake Non-Human Identities metadata and provide visibility into your Snowflake users, roles, and credentials.
This integration operates in read-only mode to ensure data integrity.
Purpose
The integration connects to your Snowflake account to:
-
Inventory Snowflake users and classify each identity as a human user or a machine (service) user
-
Map the roles assigned to each identity and its warehouse-level permissions
-
Identify the authentication method of each identity (RSA key pair, password with MFA, or password without MFA)
-
Flag idle identities based on their last successful login
Architecture
┌───────────────────────────────┐
│ Entro Security Cloud │
│ (Secrets & NHI Visibility) │
└──────────────┬────────────────┘
│ HTTPS (TLS 1.2+)
▼ Snowflake REST API (key-pair / JWT auth)
┌───────────────────────────────┐
│ Snowflake Cloud │
│ (Users, Roles, Grants) │
└───────────────────────────────┘
Security Model
-
Integration operates in read-only mode
-
Authentication uses a dedicated SailPoint Entro Role and User within Snowflake
-
Authentication is key-pair based (RSA 2048-bit, JWT) - no password is created or stored for the integration user
-
Identity metadata is collected through the Snowflake REST API (users and grants endpoints); the granted scope is limited to the read-only
MONITORprivilege andSELECTon theACCOUNT_USAGEandORGANIZATION_USAGEviews -
Tokens and credentials encrypted with AES-256
-
Communication secured with HTTPS/TLS 1.2+