Skip to content

Snowflake

The Snowflake Integration enables SailPoint Entro to collect your Snowflake Non-Human Identities metadata and provide visibility into your Snowflake users, roles, and credentials.

This integration operates in read-only mode to ensure data integrity.

Purpose

The integration connects to your Snowflake account to:

  • Inventory Snowflake users and classify each identity as a human user or a machine (service) user

  • Map the roles assigned to each identity and its warehouse-level permissions

  • Identify the authentication method of each identity (RSA key pair, password with MFA, or password without MFA)

  • Flag idle identities based on their last successful login


Architecture

┌───────────────────────────────┐
│       Entro Security Cloud    │
│  (Secrets & NHI Visibility)   │
└──────────────┬────────────────┘
               │  HTTPS (TLS 1.2+)
               ▼  Snowflake REST API (key-pair / JWT auth)
┌───────────────────────────────┐
│         Snowflake Cloud       │
│     (Users, Roles, Grants)    │
└───────────────────────────────┘

Security Model

  • Integration operates in read-only mode

  • Authentication uses a dedicated SailPoint Entro Role and User within Snowflake

  • Authentication is key-pair based (RSA 2048-bit, JWT) - no password is created or stored for the integration user

  • Identity metadata is collected through the Snowflake REST API (users and grants endpoints); the granted scope is limited to the read-only MONITOR privilege and SELECT on the ACCOUNT_USAGE and ORGANIZATION_USAGE views

  • Tokens and credentials encrypted with AES-256

  • Communication secured with HTTPS/TLS 1.2+