Setting up Snowflake to use Git¶

Create a secret with credentials for authenticating¶

If your remote Git repository requires authentication, you’ll need to create a secret that contains credentials that Snowflake can use to authenticate with the remote repository.

You’ll use the secret in multiple ways. Someone creating an API integration that specifies Snowflake interaction with the Git repository API must specify this secret as a value of the ALLOWED_AUTHENTICATION_SECRETS parameter. In addition, someone setting up Snowflake to use Git specifies the secret.

To create a secret, you must use a role that has been granted the following privileges:

• CREATE SECRET on the schema where you’ll store the secret

  For more information, see CREATE SECRET access control requirements.

• USAGE on the database and schema that will contain the integration

As a best practice, use a personal access token for the secret’s PASSWORD value. For information about creating a personal access token in GitHub, see Managing your personal access tokens in the GitHub documentation.

SQL:

You can use the CREATE SECRET command to create a secret that contains Git repository credentials.

Code in the following example creates a secret called myco_git_secret with a username and the user’s personal access token to use as credentials:

USE ROLE ACCOUNTADMIN;
CREATE ROLE myco_secrets_admin;
GRANT CREATE SECRET ON SCHEMA myco_db.integrations TO ROLE myco_secrets_admin;

USE ROLE myco_db_owner;
GRANT USAGE ON DATABASE myco_db TO ROLE myco_secrets_admin;
GRANT USAGE ON SCHEMA myco_db.integrations TO ROLE myco_secrets_admin;

USE ROLE myco_secrets_admin;
USE DATABASE myco_db;
USE SCHEMA myco_db.integrations;

CREATE OR REPLACE SECRET myco_git_secret
  TYPE = password
  USERNAME = 'gladyskravitz'
  PASSWORD = 'ghp_token';

Copy

Create an API integration for interacting with the repository API¶

To specify details about how Snowflake interacts with the Git repository API, you’ll need to create an API integration.

Someone setting up a Snowflake account to use Git will specify the API integration to use.

To create an API integration, you must use a role that has been granted the following privileges:

• CREATE INTEGRATION on the account

  For more information, see CREATE API INTEGRATION access control requirements.

• USAGE on the database and schema that contain the secret

• USAGE on the secret that the integration references

When creating an API integration for a Git repository API, you must:

• Specify git_https_api as the value of the API_PROVIDER parameter.

• Specify, if authentication is required, a secret that contains the remote repository credentials as a value of the ALLOWED_AUTHENTICATION_SECRETS parameter. You can specify one of the following:

  • One or more Snowflake secrets (in a comma-separated list) that Snowflake can use when authenticating with the repository.

  • all (case insensitive) to specify that any secret can be used.

  • none (case insensitive) to specify that no secrets can be used.

SQL:

You can use the CREATE API INTEGRATION command to create an API integration that specifies details for the Snowflake interaction with the Git repository API.

Code in the following example creates an API integration called git_api_integration:

USE ROLE ACCOUNTADMIN;
CREATE ROLE myco_git_admin;
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE myco_git_admin;

USE ROLE myco_db_owner;
GRANT USAGE ON DATABASE myco_db TO ROLE myco_git_admin;
GRANT USAGE ON SCHEMA myco_db.integrations TO ROLE myco_git_admin;

USE ROLE myco_secrets_admin;
GRANT USAGE ON SECRET myco_git_secret TO ROLE myco_git_admin;

USE ROLE myco_git_admin;
USE DATABASE myco_db;
USE SCHEMA myco_db.integrations;

CREATE OR REPLACE API INTEGRATION git_api_integration
  API_PROVIDER = git_https_api
  API_ALLOWED_PREFIXES = ('https://github.com/my-account')
  ALLOWED_AUTHENTICATION_SECRETS = (myco_git_secret)
  ENABLED = TRUE;

Copy

Create a Snowflake Git repository clone from the remote repository¶

To set up Snowflake to work with a remote Git repository, create a Git repository clone in Snowflake to contain files fetched from the remote repository.

The Git repository clone specifies the following:

• The remote repository’s origin

  In Git, origin is shorthand for the remote repository’s URL. Use that URL when setting up Snowflake to use a remote Git repository. The URL must use HTTPS. You can retrieve the origin URL in the following ways:

  • In the GitHub user interface, to get the origin URL from the repository home page, select the Code button, and then copy the HTTPS URL from the box displayed beneath the button.

  • From the command line, use the git config command from within your local repository, as in the following example:

    $ git config --get remote.origin.url
    

    Copy

    The command produces output such as the following:

    https://github.com/my-account/snowflake-extensions.git
    

    For reference information about git config, see the git documentation.

• Credentials, if needed, for Snowflake to use when authenticating with the repository

• An API integration specifying details for Snowflake interaction with the repository API

To create a Git repository clone in Snowflake, you must use a role that has been granted the following privileges:

• CREATE GIT REPOSITORY on the schema that contains the Git repository clone

  For more information, see CREATE GIT REPOSITORY access control requirements.

• USAGE on the secret that contains credentials for authenticating with Git

• USAGE on the API integration that the Git repository clone references

You can create a Git repository clone by using either Snowsight or SQL.

USE ROLE ACCOUNTADMIN;
GRANT CREATE GIT REPOSITORY ON SCHEMA myco_db.integrations TO ROLE myco_git_admin;

USE ROLE myco_git_admin;

CREATE OR REPLACE GIT REPOSITORY snowflake_extensions
  API_INTEGRATION = git_api_integration
  GIT_CREDENTIALS = myco_git_secret
  ORIGIN = 'https://github.com/my-account/snowflake-extensions.git';