Skip to main content

Snowflake (Direct Connection)

Auxia reads your Snowflake tables in place via a read-only role you grant

This is the recommended way to connect Snowflake to Auxia. You create a dedicated read-only role, a key-pair service user, and a warehouse in your own Snowflake account, and grant Auxia SELECT on the tables to ingest. Auxia connects directly and reads on a recurring schedule — read-only, with no tables copied or exported and no scheduled jobs for you to maintain.

Before proceeding, review the Source Data Requirements to ensure your tables are ready to be connected with Auxia.

1. Overview

You provision three objects in your account — a warehouse, a service user (key-pair auth), and a read-only role — and grant the role access to the tables you want shared. Auxia authenticates as that user and reads each table directly, on a schedule, using your warehouse for compute.

Flow:

Your Snowflake account                                   Auxia

│ tables / views to ingest
│ │ GRANT SELECT to a read-only role
│ ▼
│ read-only role + key-pair service user + warehouse
│ │
│ │ Auxia connects directly (key-pair auth) and reads
│ │ on your schedule, using your warehouse
│ ▼
│ ───────────────(reads in place, read-only)──────────────> Auxia platform

Time required: ~15 minutes.

Prerequisites:

  • A role that can CREATE WAREHOUSE, CREATE USER, CREATE ROLE, and GRANT (typically ACCOUNTADMIN).
  • Each shared table/view should have a timestamp column marking when a row was added/updated (e.g., UPDATE_DATE), so Auxia can read incrementally rather than rescanning the full table.

What Auxia provides: an RSA public key to register on the service user (Auxia holds the matching private key in its secret manager — no password is ever exchanged). Auxia then configures and schedules the connection on our side — the initial historical load and recurring incremental reads — and validates row counts against the source.

2. Create a Warehouse

A dedicated, auto-suspending warehouse for Auxia's reads keeps compute cost low and isolates it for easy attribution.

CREATE WAREHOUSE IF NOT EXISTS AUXIA_INGESTION_WH
AUTO_SUSPEND = 60 -- suspend after 60s idle (per-second billing after a 1-min minimum)
AUTO_RESUME = TRUE -- resumes automatically on the next read
INITIALLY_SUSPENDED = TRUE;

3. Create a Key-Pair Service User

Auxia uses key-pair authentication (no password). Your Auxia solutions engineer provides the public key to paste in below.

CREATE USER IF NOT EXISTS AUXIA_INGESTION_USER
PASSWORD = NULL
RSA_PUBLIC_KEY = '<auxia_public_key>' -- base64 body only — no PEM markers, no whitespace
DEFAULT_WAREHOUSE = AUXIA_INGESTION_WH;

4. Create a Read-Only Role and Grant Access

Run the following, repeating the GRANT SELECT line for each table or view you want Auxia to read:

CREATE ROLE IF NOT EXISTS AUXIA_INGESTION_ROLE;

GRANT USAGE ON WAREHOUSE AUXIA_INGESTION_WH TO ROLE AUXIA_INGESTION_ROLE;
GRANT USAGE ON DATABASE <your_database> TO ROLE AUXIA_INGESTION_ROLE;
GRANT USAGE ON SCHEMA <your_database>.<your_schema> TO ROLE AUXIA_INGESTION_ROLE;

-- Repeat per object to ingest:
GRANT SELECT ON TABLE <your_database>.<your_schema>.<table> TO ROLE AUXIA_INGESTION_ROLE;

GRANT ROLE AUXIA_INGESTION_ROLE TO USER AUXIA_INGESTION_USER;

5. Send the Details to Auxia

Share the following with your Auxia solutions engineer:

  • Account URL — e.g. https://<org>-<account>.snowflakecomputing.com
  • Username (AUXIA_INGESTION_USER), role (AUXIA_INGESTION_ROLE), and warehouse (AUXIA_INGESTION_WH)
  • Database / schema / table (or view) names to ingest
  • The timestamp/watermark column for each object (used for incremental reads)
  • Desired refresh cadence (e.g., hourly or daily) and when source data typically lands

Auxia configures the connection on our side, reads each object incrementally on the agreed schedule, validates row counts, and confirms before go-live.

6. Cost

  • Reads run on your warehouse, in your account — so warehouse compute and any Snowflake data-transfer-out are billed to you, and Auxia bears no Snowflake cost. A dedicated warehouse that auto-suspends, combined with watermark-scoped incremental reads, keeps this minimal. Auxia advises on warehouse sizing for your data volume during onboarding.
  • No data is copied or staged on your side — Auxia reads the tables in place; there is nothing to store or clean up.

7. Security & Governance

  • Read-only, scoped to exactly the tables you GRANT.
  • Key-pair auth, no password — Auxia holds only the private key (in its secret manager); you register only the public key.
  • Revocable — drop the role or disable the user to cut off all access immediately.
  • Rotatable — replace the user's RSA_PUBLIC_KEY at any time; Auxia coordinates the matching private-key rotation.
  • Network-restrictable — you can attach a Snowflake network policy to the service user if you want to limit it to Auxia's egress addresses (ask your solutions engineer).
  • Grant least privilege — only the databases, schemas, and tables to be ingested, on a dedicated role.
  • Use a dedicated, auto-suspending warehouse so Auxia's read cost is isolated and easy to attribute; size it to your data volume (Auxia will advise).
  • Ensure a watermark column on each table so reads stay incremental rather than full scans.
  • Share base tables, not views, where possible — Auxia reads the underlying tables directly.

9. Summary

StepActionOwner
1Provide the RSA public keyAuxia
2Create the warehouse, service user, and read-only roleYou
3Grant USAGE + SELECT on the objects to ingestYou
4Send account URL, username, role, warehouse, and the table listYou
5Configure and schedule the connection; run the initial and incremental loadsAuxia

10. FAQ

Does Auxia create or modify anything in our environment? No. Auxia reads your existing tables in place — no copies, no exports, no schema changes, and no new pipelines.

Who bears the Snowflake cost? You do, but minimally — reads run on a dedicated, auto-suspending warehouse in your account and are scoped to the watermark window. Auxia bears no Snowflake compute.

Can we revoke Auxia's access? Yes, at any time — drop the role or disable the service user.

How do we rotate the credential? Replace the user's RSA_PUBLIC_KEY; Auxia stores the private key by reference and coordinates the rotation, so it does not require reconfiguring the connection.

note

Prefer not to grant direct access to your account? Two alternatives are available: Secure Data Sharing (you share into Auxia's account) and GCS Export (you push files to Auxia's bucket). Discuss the trade-offs with your Auxia solutions engineer.

Need Help?

Contact support@auxia.io or your Auxia solutions engineer.