Help & Documentation
Open Support Ticket

Gathering Connection Information in Snowflake Account (v7.2.0)

This article describes the second step of Connecting to Snowflake MCP Server. Log into the Snowflake account and gather the necessary data.

Prerequisites:

  • Snowflake account with ACCOUNTADMIN privileges.

In this article:

Gather MCP Server Setup Information

During the MCP Server setup the following information is required. To get this info, login into the Snowflake account.

1. "account" Value

Go to Admin > Accounts

  1. In the row of the account that has ACCOUNTADMIN privileges hover over the link icon to show the account's locator.
  2. Copy the xxxxxxx.us-east-2.aws part, this is the account value.

2. "database" and "schema" Values

Access Catalog

Copy the titles of database and schema where the Snowflake Intelligence Agents are saved.

3. "token" Value

Access User menu > Settings > Authentication

  1. [Generate new token]
  2. Name: Give the token a descriptive name.
  3. Expires in: Select the expiration period.
  4. Grant access: Select the account to which the access is given.
  5. [Generate]
  6. Copy the token and save it somewhere. Its impossible to see it ever again after you close this window.

4. Check Credentials

As a result, for MCP Server setup you need to have the following credentials copied:

  • account;
  • database;
  • schema;
  • token.

Create and Assign a Role

If you select "User OAuth" as the Auth Type, it is recommended to create a Role that will give Snowflake users the set of permissions needed to access the Snowflake Agents.  This will make managing the various permissions needed to use the Agents through the MCP Server much easier than trying to assign each permission to each individual user that will be using the Agent.

1. Grant Permissions

The permission to access an agent are not enough to use the Agent. You will have to give the Role permissions to all of the Objects connected to the agent.  For each agent, note names of all of the following used by the agent:

  • database;
  • schema;
  • warehouse;
  • all the tables;
  • semantic views (if used);
  • stages (if used).

Then, grant the following permissions to the Role:

  • USAGE to each agent, database, schema and warehouse;
  • SELECT on all tables and semantic views;
  • READ on stages.

If you are using Managed Snowflake MCP Server, additionally give:

  • USAGE on MCP server and database, schema and all the tables connected to it.

2. Assign the Role

The Role you created must be assigned to all the users who will be using these Agent(s) in Concierge. It also needs to be set as a Default Role. If a user already has a Default Role, assign the role you created to that user’s existing Default Role.

Credentials for Auth Type

To create a Snowflake External Resource Configuration with "Service Account Token" or "User OAuth" Auth Type, you will have to perform these additional configurations in the Snowflake account.

1. Access My Workspace

Return to Snowflake account and access Projects

Click [+ Add New] in My Workspace section and select "SQL File" from the dropdown menu to add a Security Integration.

2. Configure Security Integration

Add the following query into the text field:

CREATE SECURITY INTEGRATION [integration_name]_oauth
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL' 
OAUTH_REDIRECT_URI = 'https://[instance].metricinsights.com/data/editor/service/validate-data-source-oauth' 
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

Replace [integration_name] with the name of Security Inegration and the [instance] with the name of Metric Insights instance where the Concierge you are connecting Snowflake with is configured.

3. Get OAUTH Client and Secret

Add the following query to the code:

SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('[INTEGRATION_NAME]_OAUTH');

NOTE: The Security Integration name must be all caps.

After adding the query, click the run button.

In the Results tab, you’ll see the JSON with OAUTH_CLIENT_SECRET_2, OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET. Download the results file and copy OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET values from the table.

4. Get Server Value

Go to Admin > Accounts

  1. In the row of the account that has ACCOUNTADMIN privileges hover over the link icon to show the account's locator.
  2. Copy the xxxxxxx.us-east-2.aws.snowflakecomputing.com part, this is the Server address.

5. Check Credentials

As a result, you need to have the following credentials copied:

  1. OAUTH_CLIENT_ID;
  2. OAUTH_CLIENT_SECRET;
  3. Server address.
    • NOTE: Server value must be inserted without "https://" at the beginning and without ‘/’ at the end.