Installing the Snowflake Data Clean Rooms environment¶
The clean room environment is installed in the Snowflake account for all users in that account.
Users within an account are granted access to the clean rooms environment either by the Snowflake Administrator or the DCR administrator.
If the clean room environment is not installed for your account: Follow the installation instructions on this page.
If you have received an email invitation to join a clean room: No need to install anything, just follow the link and choose a name and password, if directed. This will open the clean rooms web application where you can join and use a clean room.
If the clean room environment is installed for your account, and you want access to it: If you want permission to create or use clean rooms in your Snowflake account, ask your Snowflake administrator to add you as a developer (for code access) and/or a Clean Rooms Manager (for web app access).
Requirements to install Snowflake Data Clean Rooms¶
Here are the requirements to install Snowflake Data Clean Rooms in your Snowflake account:
The Snowflake account must be a capacity account. This is an account that has an up-front capacity commitment. Snowflake On-Demand accounts cannot create or use a clean room.
The account must be the required Snowflake Edition:
To create clean rooms, you must have Enterprise Edition or higher.
To join and use a clean room created in another account, you must have Standard Edition or higher.
You must accept data sharing terms. If you have not accepted these terms, please contact Snowflake Support. Snowflake Data Clean Rooms leverage Listings, which are part of the Snowflake service and subject to your service terms with Snowflake, including the Snowflake Customer-Controlled Data Sharing Functionality Terms and Snowflake Acceptable Use Policy.
Your account must not have defined an account-level collation. You can check this by running the following command:
SHOW PARAMETERS LIKE 'DEFAULT_DDL_COLLATION' IN ACCOUNT;
If you do not meet all these requirements and need to upgrade, contact Snowflake Support.
Prerequisites for the installer¶
Here are the requirements to install the clean rooms environment:
The account where you will install the clean rooms environment must meet these prerequisites.
You must have ACCOUNTADMIN privileges in a Snowflake account in order to install the clean rooms environment in that account.
The user with the ACCOUNTADMIN role must have a valid first name, last name, and email defined for their user object. To check, run DESCRIBE USER.
Do not install the native app from the Snowflake Marketplace. Follow the instructions here.
All clean room users, including the user signing up for the first time, must use multi-factor authentication (MFA) with a supported authenticator app.
The account must allow key-pair authentication, which is used by the service account used by the clean rooms application for authentication.
If your Snowflake account uses a network policy to control network traffic, you must configure your account to allow traffic between the web app and your Snowflake account.
About the accounts used on this page¶
Three sets of account credentials are involved in installing a clean rooms environment:
Your Snowflake account: This is a Snowflake account used to install the clean rooms environment with ACCOUNTADMIN privilege. Use these credentials only when specified.
Your clean rooms administrator account: This is the account used to log into the clean rooms web application. These credentials are maintained and managed by Snowflake Data Clean Room independently of your Snowflake account. Use a new name and password for this account. When you are signed in to the clean rooms web application, if you need to perform Snowflake administrator functions, you will sign in with your Snowflake credentials within the web app.
A service account: The web application uses a service account to communicate with Snowflake. This account is granted limited permissions from your Snowflake account. You will create the service account during clean rooms installation, after which you do not need to save your service account credentials or manage the service account.
Install the clean rooms environment¶
Follow these steps to install a clean room environment in your Snowflake account.
Important
You will choose a name and password for the clean rooms environment. This name and password are managed by the clean rooms application and have no relation to your Snowflake name and password. We recommend not using the same name and password for your clean rooms account and your Snowflake account.
1. Request a Snowflake Data Clean Room environment¶
You must first request a clean rooms environment for your Snowflake account:
1.1 Request a clean rooms environment:
Visit the sign-up page.
Enter your Snowflake account identifier in hyphenated format: ORGNAME-ACCOUNT_NAME. This account must have ACCOUNTADMIN privileges.
Enter an email address for your clean rooms account. You must be able to receive email to this address. It can be a group address if you want to share clean room management with multiple users. It does not need to be the email address associated with your Snowflake account.
Provide a company name used to brand clean rooms for this account. You can change this name later.
Select Sign Up, which will send a verification email.
1.2 When you receive the verification email:
Select Verify Email` to re-open the sign up page in your browser.
Specify a name and password for your clean rooms account. We recommend not re-using your Snowflake name and password.
Select Sign up.
When redirected to a new page, sign in to your clean room environment your clean rooms credentials (the email, name, and password you provided when requesting an environment).
Enroll in a multi-factor authentication (MFA) system to use clean rooms.
If you are associated with multiple clean room environments, select the Snowflake account that you are configuring.
Next, install the clean room environment in your account.
2. Install the clean rooms native application¶
When your initial clean rooms request is granted, you will be able install the clean room environment. The clean room environment is a native web application that runs in your account. These steps will install the native application into your account. After installation, you can grant access to the environment to anyone in that Snowflake account.
2.1 Create a service account user. The clean room environment uses this service account to access Snowflake for all clean room users.
If you aren’t already in the web application, open the clean rooms web application with your clean room credentials and, if prompted, select the Snowflake account that you are configuring.
In the left navigation pane, select Admin > Snowflake Admin > Log in to Snowflake and sign in with Snowflake credentials you provided when requesting a clean room environment.
Navigate to Admin > Snowflake Admin > Install data clean room native app > Service account - new Snowflake user. Follow the steps to create a service account user that clean rooms will use when accessing Snowflake. Save these account details, you will use them again when you verify the service account email.
Enter an email address to identify the service account. You must have access to this email address.
In the New Snowflake Username field, specify a service account name unique to this Snowflake account. We recommend using a name that indicates this is a service account.
Specify a service account password.
Select Create to create the service account user.
Select Verify Status to send a verification email to your service account email.
Open the verification email and select Validate your email.
Sign in using the service account credentials you just provided above. ⚠️ If prompted, do not enroll in multi-factor authentication (MFA). This is because once you have verified the service account user, name+password authentication will no longer be used for the service user account; key-pair authentication will be used instead.
Select Verify Status and sign out of the account or close the browser tab.
2.2 Install the Snowflake Native App associated with Snowflake Data Clean Rooms:
Open the clean rooms web application with your clean rooms administrator account credentials.
Navigate to Admin > Snowflake Admin > Install data clean room native app > Service account - new Snowflake user. Your service account information should be shown at the top of the page, marked Authenticated.
(Optional) Review the code that will install the Snowflake Native App by scrolling down to the Setup Scripts section. Do not execute this code manually and do not change the default name of the application.
Select Install to install the Snowflake Native App. The process of installing the Snowflake Native App takes several minutes. Periodically select Refresh to check whether it is complete before proceeding to the next step.
For information about what is installed in your Snowflake account when you use Snowflake Data Clean Rooms, see Snowflake Data Clean Rooms: Installation details
Next, configure your environment.
3. Configure the clean rooms environment¶
You need to configure the clean rooms environment after it has been installed:
Register data in your environment. In order to use Snowflake data in a clean room, it must first be registered by an account administrator. Only registered data can be linked into a clean room by a clean room creator.
Add DCR administrators. DCR administrators manage the web application on a day-to-day basis, add other administrators and clean room managers, can enable and configure connectors available to clean rooms, and do other tasks.
Add clean room managers. Clean room managers are able to use the web application to create clean rooms, or act as consumers when a clean room is shared with them.
Add developers. Grant API access to developers in your Snowflake account so they can create or consume clean rooms in your account.
Enable SSO for your account. If your account uses SSO to manage authentication, learn how to enable SSO for your clean room environment.
Enable Cross-Cloud Auto-Fulfillment. By default, clean rooms can be shared only with consumers in the same underlying cloud region as the clean room creator. If you want to enable a clean room to be shared with consumers in a different cloud region, you must enable Cross-Cloud Auto-Fulfillment for your account.
Troubleshooting installation¶
Use this section to troubleshoot problems you might have after completing the steps in this topic.
- Symptom: Insufficient privileges
Solution: Ensure that the IP addresses associated with the web app are allowed by your network policies. For a list of these IP addresses, see Configure network policies.
- Symptom: Installation is successful, but the web app is not functioning properly.
Solution #1: Use the DESCRIBE USER command to double-check that the Snowflake user that you used to configure Snowflake has a valid first name, last name, and email. If the user is missing any of these, execute the ALTER USER command to specify them.
Solution #2: Try uninstalling the Snowflake Native App for Snowflake Data Clean Rooms, and then re-installing it.
To uninstall the app, see Uninstall a Snowflake Native App. If you installed the application with its default name, it is called SAMOOHA_BY_SNOWFLAKE.
To re-install the app:
In the left navigation pane, select Snowflake Admin.
Select Login to Snowflake, and authenticate as a Snowflake user with the ACCOUNTADMIN role.
Use the DESCRIBE USER command to confirm that the Snowflake user with the ACCOUNTADMIN role that you just used to authenticate has a valid first name, last name, and email. If the user is missing any of these, execute the ALTER USER command to specify them.
To install the Snowflake Native App, select Install.
Accept the default name of the application during the installation process.