Set up Openflow - Snowflake Deployment: Core Snowflake¶

Openflow - Snowflake Deployment requires the creation of the following Snowflake specific resources:

Create the OPENFLOW_ADMIN role

Configure required privileges

Enable BCR Bundle 2025_06 for Integration-level Network Policy

Create the OPENFLOW_ADMIN role¶

Create the required Openflow administration role.

Note

<OPENFLOW_USER> denotes the user that will be used to access Openflow.

USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS OPENFLOW_ADMIN;

GRANT CREATE ROLE ON ACCOUNT TO ROLE OPENFLOW_ADMIN;

GRANT ROLE OPENFLOW_ADMIN TO USER <OPENFLOW_USER>;

Copy

Caution

Users with a default role of ACCOUNTADMIN can’t login to Openflow - Snowflake Deployment runtimes and will get an error message when attempting to do so. Snowflake recommends assigning a different default role to any user that will login to a runtime. In addition, Snowflake recommends setting default secondary roles to ALL for all Openflow users.

To change the default role and enable all secondary roles, execute the following:

For example:

USE ROLE ACCOUNTADMIN;

ALTER USER <openflow_user> SET DEFAULT_ROLE = <openflow_admin>;
ALTER USER <openflow_user> SET DEFAULT_SECONDARY_ROLES = ('ALL');

Copy

Configure required privileges¶

Openflow requires defining specific Snowflake Account level privileges. These privileges are assigned to the ACCOUNTADMIN role as part of the default set of privileges. ACCOUNTADMIN will automatically have the following two privileges and will be able to grant them to a role of their choosing for the Openflow admin role, shown as OPENFLOW_ADMIN role in the following example:

USE ROLE ACCOUNTADMIN;

GRANT CREATE OPENFLOW DATA PLANE INTEGRATION ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
GRANT CREATE OPENFLOW RUNTIME INTEGRATION ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
GRANT CREATE COMPUTE POOL ON ACCOUNT TO ROLE OPENFLOW_ADMIN;

Copy

Enable BCR Bundle 2025_06 for Integration-level Network Policy¶

When using any of the following connector types: Database CDC, SaaS, Streaming, or Slack, you must enable BCR Bundle 2025_06 Bundle (Enabled by default) to ensure connectivity to Snowpipe Streaming.

To check and enable the bundle, perform the following steps:

Determine the status of the specific bundle:
```
call SYSTEM$BEHAVIOR_CHANGE_BUNDLE_STATUS('2025_06');
```
Copy
A result of DISABLED indicates that the bundle is disabled.

if the bundle is disabled, enable it:

call SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE('2025_06');

Copy

Next steps¶

Create deployment