Set up and access Openflow¶

Set up the Openflow admin roles¶

The Openflow Admin role is used by a deployment engineer to set up Openflow workflows. A Snowflake administrator adds this role by performing the following steps:

1. Sign in to Snowsight.

2. Open a SQL worksheet.

3. Create a role for the Openflow admin, allowing it the required permissions to manage integrations and compute pools required for deployments. In the SQL below, OPENFLOW_ADMIN is the default name for the Openflow admin, but you can choose any name.

   USE ROLE ACCOUNTADMIN;
   
   CREATE ROLE IF NOT EXISTS OPENFLOW_ADMIN;
   
   GRANT CREATE ROLE ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
   
   GRANT CREATE OPENFLOW DATA PLANE INTEGRATION ON ACCOUNT
      TO ROLE OPENFLOW_ADMIN;
   
   GRANT CREATE OPENFLOW RUNTIME INTEGRATION ON ACCOUNT
      TO ROLE OPENFLOW_ADMIN;
   

   Copy

4. Grant the admin role and secondary roles to a user.

   To prevent issues with login, when you create an Openflow user, Snowflake recommends that you also assign and set default secondary roles to that user. This is helpful because Openflow doesn’t allow users with the following roles to log in: ACCOUNTADMIN, ORGADMIN, GLOBALORGADMIN, or SECURITYADMIN. While logged in, Openflow actions can be authorized by any of the authenticated user’s roles, not just the default role.

   Substitute <OPENFLOW_USER> with the appropriate username:

   USE ROLE ACCOUNTADMIN;
   GRANT ROLE OPENFLOW_ADMIN TO USER <OPENFLOW_USER>;
   ALTER USER <OPENFLOW_USER> SET DEFAULT_ROLE = OPENFLOW_ADMIN;
   ALTER USER <OPENFLOW_USER> SET DEFAULT_SECONDARY_ROLES = ('ALL');
   

   Copy

Create a database, schema, and image repository for Openflow¶

Before logging in to Openflow, you must first create a database. During setup, you can also create a schema and image repository for Openflow, which you’ll need later. It’s OK to use a common database, schema, and image repository across all Openflow deployments in your Snowflake account:

1. Sign in to Snowsight.

2. Open a SQL worksheet.

3. Create a database, schema, and image repository for Openflow. In the SQL below, the names of the database, schema, and the image repository are all OPENFLOW, but you can choose any names.

   USE ROLE ACCOUNTADMIN;
   
   CREATE DATABASE IF NOT EXISTS OPENFLOW;
   USE OPENFLOW;
   CREATE SCHEMA IF NOT EXISTS OPENFLOW;
   USE SCHEMA OPENFLOW;
   CREATE IMAGE REPOSITORY IF NOT EXISTS OPENFLOW;
   
   GRANT USAGE ON DATABASE OPENFLOW TO ROLE PUBLIC;
   GRANT USAGE ON SCHEMA OPENFLOW TO ROLE PUBLIC;
   GRANT READ ON IMAGE REPOSITORY OPENFLOW.OPENFLOW.OPENFLOW TO ROLE PUBLIC;
   

   Copy

Enable BCR Bundle 2025_06 for Integration-level Network Policy¶

Check to make sure this bundle is enabled in your account. The bundle is enabled by default for new accounts created after its release.

This bundle improves maintainability of network policies for both BYOC and SPCS deployments, and is required for SPCS deployments that use the following connector types: Database CDC, SaaS, Streaming, or Slack. For more information, see 2025_06 Bundle (Enabled by default).

To check and enable the bundle, do the following:

1. Determine the status of the specific bundle:

   call SYSTEM$BEHAVIOR_CHANGE_BUNDLE_STATUS('2025_06');
   

   Copy

   A result of DISABLED indicates that the bundle is disabled.

2. if the bundle is disabled, enable it:

   call SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE('2025_06');
   

   Copy

Accept the Openflow terms of service¶

This step is only required once for your organization.

1. Sign in to Snowflake as a user with the ORGADMIN role.

2. In the navigation menu, select Ingestion » Openflow.

3. Review the agreement and select Accept.

Start Openflow¶

Log in to Openflow by performing the following steps:

1. Sign in to Snowsight.

2. In the navigation menu, select Ingestion » Openflow.

3. Select Launch Openflow.