Connect your Snowflake data warehouse to Roe to query transaction data, customer information, and other structured data during agent investigations.

Use Cases

  • AML/Fraud Investigation: Query transaction history and customer data during investigations
  • Data Analysis: Enable agents to explore and analyze data using natural language queries
  • Context Enrichment: Provide agents with access to your data warehouse for comprehensive analysis

Prerequisites

Before connecting Snowflake to Roe, ensure you have:
  1. A Snowflake account with appropriate permissions
  2. A Programmatic Access Token (PAT) OR an RSA Key Pair for authentication
  3. Access to a warehouse, database, and schema

Authentication Methods

Roe supports two authentication methods for Snowflake: Programmatic Access Tokens (PAT) and RSA Key Pair authentication. Both methods bypass MFA and are recommended for programmatic access.

Option 1: Programmatic Access Token (PAT)

  1. Open Snowsight: Log in to your Snowflake account using Snowsight
  2. Navigate to Profile: Click on your user menu (top-right) → My Profile
  3. Go to Authentication: Select the Authentication tab
  4. Generate Token: Under Programmatic access tokens, click Generate new token
  5. Save Token: Copy the token immediately; it's only shown once!

Option 2: RSA Key Pair Authentication

You can generate an RSA key pair locally and register the public key with your Snowflake user.

1. Generate Key Pair Locally

Run the following OpenSSL commands in your terminal to generate an encrypted private key and a public key:

# Generate an encrypted private key (you will be prompted to create a passphrase)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out snowflake_private_key.p8

# Generate the public key
openssl rsa -in snowflake_private_key.p8 -pubout -out snowflake_public_key.pub

Note: If you prefer an unencrypted private key, append -nocrypt to the first command.

2. Format the Public Key

Snowflake requires the public key body without the header, footer, or newlines. Extract it using:

awk 'NR > 1 && !/-----END PUBLIC KEY-----/ { printf "%s", $0 }' snowflake_public_key.pub

Copy the output.

3. Register Public Key in Snowflake

Log into Snowflake as an admin (e.g., USERADMIN or ACCOUNTADMIN) and run the following SQL:

ALTER USER your_snowflake_username
SET RSA_PUBLIC_KEY = '<paste-public-key-body-here>';

Verify it was set correctly by running DESC USER your_snowflake_username;.

Store your PAT or Private Key securely. Roe encrypts and stores credentials in AWS Secrets Manager.

Configure the Connection

Provide the following information to connect Snowflake:

Authentication (Sensitive)

Choose your authentication method from the dropdown and provide the corresponding fields:

| Field | Required | Description |
|---|---|---|
| Account | Yes | Snowflake account identifier (e.g., xy12345.us-east-1) |
| Username | Yes | Your Snowflake username |
| Authentication Method | Yes | Choose either Programmatic Access Token or Key Pair |
| Token | Conditional | The PAT (required if using Token auth) |
| Private Key | Conditional | The full PEM-encoded RSA private key including header/footer (required if using Key Pair auth) |
| Private Key Passphrase | Conditional | The passphrase for your encrypted private key (required if using Key Pair auth with an encrypted key) |

Configuration

| Field | Required | Description |
|---|---|---|
| Warehouse | Yes | Snowflake warehouse (compute resource) to use for queries |
| Database | Yes | Default database to use for queries |
| Schema | Yes | Schema (namespace) within the database. PUBLIC is a common default |
| Role | No | Snowflake role for access control |

The schema hierarchy in Snowflake is: Account → Database → Schema → Table. For example, PROD_DB.PUBLIC.CUSTOMERS means:
  • Database: PROD_DB
  • Schema: PUBLIC
  • Table: CUSTOMERS

Test the Connection

Click Test Connection to verify that Roe can successfully connect to your Snowflake instance. The test will:
  1. Authenticate using your PAT or Key Pair
  2. Verify access to the specified warehouse, database, and schema
  3. Run a simple query to confirm connectivity

Using Snowflake as a Context Source

Once connected, you can use your Snowflake connection as a context source in agentic workflows like AML Investigation or Fraud Investigation.

Context Source Configuration

When configuring an agent to use Snowflake:
{
  "connection_type": "snowflake",
  "name": "Transaction History",
  "connection_id": "your-connection-uuid",
  "table": "TRANSACTIONS",
  "description": "Customer transaction data for the last 12 months"
}

| Field | Description |
|---|---|
| name | Friendly name for this data source |
| connection_id | UUID of your Snowflake connection |
| table | Table to query (agent generates SELECT queries with filters) |
| description | Helps the agent understand what data is available |

Agent Capabilities

When Snowflake is configured as a context source, agents can:
  • Discover schema: Automatically understand table structure
  • Generate SQL: Create appropriate queries based on natural language
  • Filter data: Apply relevant filters (e.g., customer ID, date ranges)
  • Handle errors: Recover from query issues gracefully

Security Best Practices

Use Secure Auth

PATs and Key Pair auth are more secure than passwords and can be revoked independently

Limit Permissions

Create a dedicated role with read-only access to only the required tables

Use Separate Warehouse

Use a dedicated warehouse for Roe to manage resource usage

Monitor Usage

Review Snowflake query history to audit agent data access
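
The dedicated role, separate warehouse and query-history audit described above, written out as Snowflake SQL. This is an added example, not part of Roe's documentation: ROE_WH and ROE_READER are hypothetical names, the timeout and suspend values are assumed, and PROD_DB.PUBLIC, its tables and your_snowflake_username reuse the placeholders from earlier on this page.

```sql
-- Added example, not Roe's own code. ROE_WH and ROE_READER are hypothetical.

-- Use Separate Warehouse: small, suspends when idle, caps long statements.
USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS ROE_WH
  WAREHOUSE_SIZE = 'XSMALL'
  AUTO_SUSPEND = 60                   -- seconds of inactivity (assumed value)
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE
  STATEMENT_TIMEOUT_IN_SECONDS = 60;  -- server-side cap (assumed value)

-- Limit Permissions: read-only role scoped to the required tables only.
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS ROE_READER;
GRANT USAGE  ON WAREHOUSE ROE_WH                  TO ROLE ROE_READER;
GRANT USAGE  ON DATABASE  PROD_DB                 TO ROLE ROE_READER;
GRANT USAGE  ON SCHEMA    PROD_DB.PUBLIC          TO ROLE ROE_READER;
GRANT SELECT ON TABLE PROD_DB.PUBLIC.TRANSACTIONS TO ROLE ROE_READER;
GRANT SELECT ON TABLE PROD_DB.PUBLIC.CUSTOMERS    TO ROLE ROE_READER;

-- Bind the connector's user to that role and warehouse.
GRANT ROLE ROE_READER TO USER your_snowflake_username;
ALTER USER your_snowflake_username SET
  DEFAULT_ROLE = ROE_READER
  DEFAULT_WAREHOUSE = ROE_WH;

-- Check the result: the role should hold USAGE and SELECT grants, nothing else.
SHOW GRANTS TO ROLE ROE_READER;
SHOW GRANTS TO USER your_snowflake_username;

-- Monitor Usage: statements the connector's user ran in the last 7 days.
-- ACCOUNT_USAGE views are not real time; recent queries appear after a delay.
USE ROLE ACCOUNTADMIN;  -- or any role granted access to the SNOWFLAKE database
SELECT start_time, role_name, warehouse_name, query_type,
       execution_status, rows_produced, query_text
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE user_name = UPPER('your_snowflake_username')
  AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY start_time DESC;

-- Summary by role and statement type. A role other than ROE_READER, or a
-- statement type that is not a read, means the scoped role is not in use.
SELECT role_name, query_type, COUNT(*) AS statements
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE user_name = UPPER('your_snowflake_username')
  AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY role_name, query_type
ORDER BY statements DESC;
```

With this in place, set the connection's Role field to ROE_READER and Warehouse to ROE_WH so the session does not fall back to a broader default role.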

Troubleshooting

Verify your account identifier, username, and PAT or Private Key/Passphrase are correct. PATs expire and may need to be regenerated. If using a Key Pair, ensure the public key matches.
Ensure the warehouse name is correct and your user has USAGE permission on the warehouse.
Verify the database and schema exist and your user has appropriate permissions to access them.
Queries have a 30-second timeout. If your queries are timing out, consider optimizing table indexes or filtering to smaller datasets.