Get started with Snowflake Data Clean Rooms

This topic describes the tasks an administrator must complete to set up Snowflake Data Clean Rooms.

Prerequisites

In order to use a Snowflake Data Clean Room, your account must:

If you do not meet certain requirements and need to upgrade, contact Snowflake Support.

Capacity account

You need a Snowflake account that has an upfront capacity commitment to use Snowflake Data Clean Rooms.

Snowflake On Demand accounts cannot create or use a clean room.

Snowflake Edition

Use the following table to determine which Snowflake Edition is required for the Snowflake account of a clean room collaborator:

Collaborator

Task

Required Snowflake Edition

Provider

Create a clean room

Enterprise Edition or higher

Consumer

Join and use a clean room

Standard Edition or higher

Provider & Consumer Terms

Before using a Snowflake Data Clean Room as a provider or consumer, you need to agree to additional Snowflake terms and abide by Snowflake policies. For details, see Legal requirements for providers and consumers of listings.

Set your collation to UTF-8

The only collation that Snowflake clean rooms support is UTF-8. Be sure to set your account collation to 'utf8' before trying to install the clean room environment.

Sign up for a Snowflake Data Clean Room environment

Important

  • The user who initially signs up as a clean room participant must have the ACCOUNTADMIN role in the Snowflake account associated with the clean room environment. This clean room administrator needs to use the ACCOUNTADMIN role to configure the Snowflake account in subsequent steps in the getting started process.

  • Do not install the native app from the Snowflake Marketplace. Instead, use the sign up link to sign up. After signing up for the clean room environment, follow the steps to install the app as described in Configure the Snowflake account.

  • All clean room users, including the user signing up for the first time, must use a supported authenticator app to enable multi-factor authentication (MFA).

To sign up and log in to the clean room environment:

  1. Navigate to the sign-up page.

  2. Enter the account identifier of your Snowflake account using the hyphenated form of the account name format (that is, orgname-acctname).

  3. Enter your email address.

  4. Specify a company name, which is used to identify the clean room environment when users sign in.

  5. Select Sign Up. You are sent an email.

After receiving the email, do the following:

  1. Select Verify Email. The sign up page re-opens.

  2. Specify a Name and Password.

  3. Select Sign up.

  4. When redirected to a new page, sign in to your clean room environment.

Add IP addresses to your allowed list

If your Snowflake account uses a network policy to control network traffic, you must explicitly allow traffic from the IP addresses that the web app uses to communicate with your Snowflake account.

Use the following to determine which IP addresses must be allowed by the network policy based upon the region of your Snowflake account on Amazon Web Service (AWS), Microsoft Azure (Azure), or Google Cloud:

Snowflake account region

Web app IP addresses

  • AWS US West (Oregon)

  • AWS US East (Ohio)

  • AWS US East (N. Virginia)

  • AWS South America (Sao Paulo)

  • Azure West US 2 (Washington)

  • Azure Central US (Iowa)

  • Azure South Central US (Texas)

  • Azure East US 2 (Virginia)

  • GCP US Central1 (Iowa)

  • GCP US East4 (N. Virginia)

  • 52.7.249.136

  • 34.195.16.248

  • 52.7.210.215

  • AWS Canada (Central)

  • Azure Canada Central (Toronto)

  • 15.223.145.218

  • 3.96.6.109

  • 15.222.142.44

  • AWS EU (Ireland)

  • AWS Europe (London)

  • AWS EU (Paris)

  • AWS EU (Frankfurt)

  • AWS EU (Stockholm)

  • AWS EU (Zurich)

  • Azure UK South (London)

  • Azure North Europe (Ireland)

  • Azure West Europe (Netherlands)

  • Azure Switzerland North (Zurich)

  • Azure UAE North (Dubai)

  • GCP Europe West2 (London)

  • GCP Europe West4 (Netherlands)

  • 54.93.86.99

  • 3.126.238.8

  • 3.127.143.168

  • AWS Asia Pacific (Mumbai)

  • Azure Central India (Pune)

  • 35.154.94.29

  • 13.235.168.249

  • 15.206.48.175

  • AWS Asia Pacific (Singapore)

  • AWS Asia Pacific (Tokyo)

  • AWS Asia Pacific (Osaka)

  • AWS Asia Pacific (Seoul)

  • AWS Asia Pacific (Jakarta)

  • Azure Southeast Asia (Singapore)

  • Azure Japan East (Tokyo)

  • 13.228.90.174

  • 52.220.42.130

  • 52.220.249.16

  • AWS Asia Pacific (Sydney)

  • Azure Australia East (New South Wales)

  • 52.65.205.236

  • 52.62.198.227

  • 3.104.160.96

Configure the Snowflake account

A Snowflake user with the ACCOUNTADMIN role must configure the Snowflake account associated with the clean room environment before users can create and use clean rooms.

Important

  • As part of the instructions in this section, you create and log in as a service account user. When logging in as this user, do not enroll in multi-factor authentication (MFA).

  • The user with the ACCOUNTADMIN role must have a valid first name, last name, and email defined for their user object. To verify whether these properties are defined, execute the DESCRIBE USER command.

You’ll complete the following general tasks as you configure the Snowflake account:

  • Create a service account user that represents the clean room environment so clean rooms can access the Snowflake account.

  • Install a Snowflake Native App that allows clean rooms to interact with data in a Snowflake account.

  • Register the databases, schemas, and objects that contain the data that collaborators can access in clean rooms.

To complete these tasks, execute the following steps:

  1. Access the Snowflake Admin console in the clean room environment. Do the following:

    1. Navigate to the Snowflake Data Clean Rooms login page.

    2. Enter your email address, and select Continue.

    3. Enter your password.

    4. If you are associated with multiple clean room environments, select the Snowflake account that you are configuring.

    5. In the left navigation, select Snowflake Admin.

    6. Select Login to Snowflake, and authenticate as a Snowflake user with the ACCOUNTADMIN role.

  2. Specify the details for the service account user that clean rooms use to interact with Snowflake. Be sure to remember these details as you will need them in a subsequent step. Note that after implementation, Snowflake uses key-pair authentication, not username/password, to authenticate the service account user. Do the following:

    1. Enter the email address associated with the service account user.

    2. In the New Snowflake Username field, specify a name that is unique to the Snowflake account.

    3. Specify a password.

    4. Select Create to create the service account user.

  3. Verify the email of the new service account user. Do the following:

    1. Select Log into your Snowflake account.

    2. Sign in to Snowsight using the credentials of the service account user. You specified these in the previous step. If prompted, do not enroll in multi-factor authentication (MFA).

    3. To open the user menu, select the username of the service account user, and then select My profile.

    4. Select Resend verification email. A verification email is sent to the email address of the service account user.

    5. Access the email inbox of the service account user, open the verification email, and select Validate Your Email.

    6. Return to the Snowflake Admin console of the clean room environment, and select Verify Status.

  4. To install the Snowflake Native App associated with Snowflake Data Clean Rooms (SAMOOHA_BY_SNOWFLAKE), follow these steps:

    1. Optional: Use the Setup Scripts section to review the code that is executed in your account to install the Snowflake Native App. Do not execute this code manually.

    2. Do not change the default name of the application.

    3. Select Install to install the Snowflake Native App.

      The process of installing the Snowflake Native App can take some time. Periodically select Refresh to check whether it is complete before proceeding to the next step.

  5. In the Database Registration section, select the databases, schemas, and objects that contain the data that you want collaborators to be able to access in clean rooms. Registering a database or schema registers all of the objects within that database or schema.

    The web app of Snowflake Data Clean Rooms supports the following objects:

    • Tables

    • External tables

    • Apache Iceberg™ tables

    • Dynamic tables

    • Views

    • Materialized views

    • Secure views. The owner of a secure view must be the SAMOOHA_APP_ROLE role.

    Note

    Once you complete these steps, new objects added to registered databases or schemas are not available to clean room collaborators immediately. If an object is added to a registered database or schema, you need to use the web app’s Snowflake Admin option to return to the Database Registration section, and then select Resync.

For information about what gets installed in your Snowflake account when you use Snowflake Data Clean Rooms, see Snowflake Data Clean Rooms: Installation details.

Allow key-pair authentication

The service account user that the clean room environment uses to communicate with your Snowflake account uses key-pair authentication to authenticate. If your Snowflake account uses authentication policies to control how users authenticate, then the authentication policy controlling the service account user must allow key-pair authentication.

To allow key-pair authentication, an authentication policy must be created with AUTHENTICATION_METHODS = ALL or AUTHENTICATION_METHODS = KEYPAIR. If your Snowflake account has an account-level authentication policy that does not allow key-pair authentication, you need to create a new authentication policy with the appropriate parameter, then assign the policy to the service account user that was created during the installation process.

Enable collaboration with consumers in different regions

In order to collaborate with a Snowflake customer whose account is in a different region than your account, you must enable Cross-Cloud Auto-Fulfillment for your clean room environment. A Snowflake user with the ACCOUNTADMIN role must enable Cross-Cloud Auto-Fulfillment before clean room administrators can add accounts in other regions as collaborators.

To configure your clean room environment to allow collaborators to be in a different region:

  1. Navigate to the Snowflake Data Clean Rooms login page.

  2. Enter your email address, and select Continue.

  3. Enter your password.

  4. If you are associated with multiple clean room environments, select the Snowflake account that you are configuring.

  5. Select Admin » Snowflake Admin.

  6. Select Login to Snowflake, and authenticate as a Snowflake user with the ACCOUNTADMIN role.

  7. Toggle on Cross-Cloud Auto-Fulfillment.

Costs associated with cross-region collaboration

There are additional costs associated with collaborators who are in a different region. For more information about how these costs are incurred, see Understand Cross-Cloud Auto-Fulfillment costs.

Limitations on cross-region collaboration

Limitations on cross-region collaboration include the following:

  • Collaborators must share the same web app hosting region. For example, if the web app hosting region for one account is Amazon Web Services: US East (N. Virginia) and the web hosting region for another account is Amazon Web Services: Asia Pacific (Mumbai), then the two Snowflake customers cannot collaborate. To determine whether two collaborators share the same web app hosting region, see Web app hosting.

  • A provider cannot use differential privacy in the clean room.

  • Collaborators cannot link external tables and iceberg tables in clean rooms.

  • A provider cannot view the request logs being sent from the consumer of a clean room.

  • A consumer cannot run a multi-provider analysis.

  • Collaborators cannot use masking policies or row access policies.

Troubleshooting

Use this section to troubleshoot problems you might have after completing the steps in this topic.

Symptom: Insufficient privileges

Solution: Ensure that the IP addresses associated with the web app are allowed by your network policies. For a list of these IP addresses, see Add IP addresses to your allowed list.

Symptom: Installation is successful, but the web app is not functioning properly.

Solution #1: Use the DESCRIBE USER command to double-check that the Snowflake user that you used to configure Snowflake has a valid first name, last name, and email. If the user is missing any of these, execute the ALTER USER command to specify them.

Solution #2: Try uninstalling the Snowflake Native App for Snowflake Data Clean Rooms, and then re-installing it.

  • To uninstall the app, see Uninstall a Snowflake Native App. If you installed the application with its default name, it is called SAMOOHA_BY_SNOWFLAKE.

  • To re-install the app:

    1. Sign in to the web app.

    2. In the left navigation, select Snowflake Admin.

    3. Select Login to Snowflake, and authenticate as a Snowflake user with the ACCOUNTADMIN role.

    4. Use the DESCRIBE USER command to confirm that the Snowflake user with the ACCOUNTADMIN role that you just used to authenticate has a valid first name, last name, and email. If the user is missing any of these, execute the ALTER USER command to specify them.

    5. To install the Snowflake Native App, select Install.

    6. Accept the default name of the application during the installation process.

Next steps

For additional steps needed to set up a clean room environment, including adding users and collaborators, see Snowflake Data Clean Rooms: Administrator tasks.