Getting started with Snowflake Data Clean Rooms

This topic describes the tasks an administrator must complete to set up Snowflake Data Clean Rooms.

Prerequisites

In order to use a Snowflake Data Clean Room, your account must:

If you do not meet certain requirements and need to upgrade, contact Snowflake Support.

Capacity account

You need a Snowflake account that has an upfront capacity commitment to use Snowflake Data Clean Rooms.

Snowflake On Demand accounts cannot create or use a clean room.

Snowflake Edition

Use the following table to determine which Snowflake Edition is required for the Snowflake account of a clean room collaborator:

| Collaborator | Task | Required Snowflake Edition |
|---|---|---|
| Provider | Create a clean room | Enterprise Edition or higher |
| Consumer | Join and use a clean room | Standard Edition or higher |

Provider & Consumer Terms

Before using a Snowflake Data Clean Room as a provider or consumer, you need to agree to additional Snowflake terms and abide by Snowflake policies. For details, see Legal requirements for providers and consumers of listings.

Sign up for a Snowflake Data Clean Room environment

Important

  • The user who initially signs up as a clean room participant must have the ACCOUNTADMIN role in the Snowflake account associated with the clean room environment. This clean room administrator needs to use the ACCOUNTADMIN role to configure the Snowflake account in subsequent steps in the getting started process.

  • Do not install the native app from the Snowflake Marketplace. Instead, use the sign up link to sign up. After signing up for the clean room environment, follow the steps to install the app as described in Configure the Snowflake account.

To sign up and log in to the clean room environment:

  1. Navigate to the sign-up page.

  2. Enter the account identifier of your Snowflake account using the hyphenated form of the account name format (that is, orgname-acctname).

  3. Enter your email address.

  4. Specify a company name, which is used to identify the clean room environment when users sign in.

  5. Select Sign Up. You are sent an email.

After receiving the email, do the following:

  1. Select Verify Email. The sign up page re-opens.

  2. Specify a Name and Password.

  3. Select Sign up.

Add IP addresses to your allowed list

If your Snowflake account uses a network policy to control network traffic, you must explicitly allow traffic from the IP addresses that the web app uses to communicate with your Snowflake account.

Use the following table to determine which IP addresses the network policy must allow, based on the region of your Snowflake account on Amazon Web Services (AWS), Microsoft Azure (Azure), or Google Cloud Platform (GCP):

| Snowflake account region | Web app IP addresses |
|---|---|
| AWS US West (Oregon); AWS US East (Ohio); AWS US East (N. Virginia); AWS South America (Sao Paulo); Azure West US 2 (Washington); Azure Central US (Iowa); Azure South Central US (Texas); Azure East US 2 (Virginia); GCP US Central1 (Iowa); GCP US East4 (N. Virginia) | 52.7.249.136, 34.195.16.248, 52.7.210.215 |
| AWS Canada (Central); Azure Canada Central (Toronto) | 15.223.145.218, 3.96.6.109, 15.222.142.44 |
| AWS EU (Ireland); AWS Europe (London); AWS EU (Paris); AWS EU (Frankfurt); AWS EU (Stockholm); Azure UK South (London); Azure North Europe (Ireland); Azure West Europe (Netherlands); Azure Switzerland North (Zurich); Azure UAE North (Dubai); GCP Europe West2 (London); GCP Europe West4 (Netherlands) | 54.93.86.99, 3.126.238.8, 3.127.143.168 |
| AWS Asia Pacific (Mumbai); Azure Central India (Pune) | 35.154.94.29, 13.235.168.249, 15.206.48.175 |
| AWS Asia Pacific (Singapore); AWS Asia Pacific (Tokyo); AWS Asia Pacific (Osaka); AWS Asia Pacific (Seoul); AWS Asia Pacific (Jakarta); Azure Southeast Asia (Singapore); Azure Japan East (Tokyo) | 13.228.90.174, 52.220.42.130, 52.220.249.16 |
| AWS Asia Pacific (Sydney); Azure Australia East (New South Wales) | 52.65.205.236, 52.62.198.227, 3.104.160.96 |
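One way to add the web app addresses to a network policy that is already in force, shown as an added example that is not part of the Snowflake documentation. The policy name `corp_network_policy` and the schema `security_db.network` are assumptions, the policy is assumed to be built from network rules already, and the three addresses are the ones this page lists for the US regions.

```sql
-- Added example. corp_network_policy and security_db.network are
-- hypothetical names; substitute the policy and schema your account uses.
USE ROLE ACCOUNTADMIN;

-- 1. Find out which network policy, if any, is set at the account level.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- 2. Record the current allowed and blocked entries before changing anything.
DESCRIBE NETWORK POLICY corp_network_policy;

-- 3. Put the web app addresses for the account's region in their own
--    ingress rule so they can be audited and removed as one unit.
--    Values below are the US-regions row from the table on this page.
CREATE NETWORK RULE security_db.network.dcr_web_app_ingress
  TYPE = IPV4
  VALUE_LIST = ('52.7.249.136', '34.195.16.248', '52.7.210.215')
  MODE = INGRESS
  COMMENT = 'Snowflake Data Clean Rooms web app, US regions';

-- 4. Append the rule. ADD leaves the rules already on the policy in place.
--    For a policy that still uses ALLOWED_IP_LIST, note that
--    ALTER NETWORK POLICY ... SET ALLOWED_IP_LIST replaces the whole list,
--    so every existing entry has to be restated alongside the new ones.
ALTER NETWORK POLICY corp_network_policy
  ADD ALLOWED_NETWORK_RULE_LIST = ('security_db.network.dcr_web_app_ingress');

-- 5. Confirm that the rule is attached and the earlier entries are intact.
DESCRIBE NETWORK POLICY corp_network_policy;
```

Keeping the clean room addresses in a dedicated rule means a later review can tell at a glance which allowed entries exist only for the web app.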

Configure the Snowflake account

A Snowflake user with the ACCOUNTADMIN role must configure the Snowflake account associated with the clean room environment before users can create and use clean rooms.

Note

The user with the ACCOUNTADMIN role must have a valid first name, last name, and email defined for their user object. To verify whether these properties are defined, execute the DESCRIBE USER command.
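A check for the requirement in this note, as an added example that is not part of the Snowflake documentation: it lists every user who holds ACCOUNTADMIN and is missing a first name, last name, or email, then shows the fix for one user. The user name `dcr_admin` and the property values are hypothetical.

```sql
-- Added example. dcr_admin and the values set below are hypothetical.
USE ROLE ACCOUNTADMIN;

-- ACCOUNTADMIN holders with a missing or blank first name, last name or email.
-- ACCOUNT_USAGE views lag behind live state, so treat this as a first pass.
SELECT u.name, u.first_name, u.last_name, u.email
FROM snowflake.account_usage.users AS u
JOIN snowflake.account_usage.grants_to_users AS g
  ON g.grantee_name = u.name
WHERE g.role = 'ACCOUNTADMIN'
  AND g.deleted_on IS NULL          -- grant is still active
  AND u.deleted_on IS NULL          -- user still exists
  AND (NULLIF(TRIM(u.first_name), '') IS NULL
       OR NULLIF(TRIM(u.last_name), '') IS NULL
       OR NULLIF(TRIM(u.email), '') IS NULL);

-- Confirm the live values for the user who will perform the configuration.
DESCRIBE USER dcr_admin;

-- Supply whichever properties are missing.
ALTER USER dcr_admin SET
  FIRST_NAME = 'Dana'
  LAST_NAME  = 'Admin'
  EMAIL      = 'dana.admin@example.com';
```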

To configure the Snowflake account, you complete the following tasks:

  • Create a service account user that represents the clean room environment so clean rooms can access the Snowflake account.

  • Install a Snowflake Native App that allows clean rooms to interact with data in a Snowflake account.

  • Register the databases, schemas, and objects that contain the data that collaborators can access in clean rooms.

To configure the Snowflake account for a clean room environment:

  1. Access the Snowflake Admin console in the clean room environment. Do the following:

    1. Navigate to the sign in page.

    2. Enter your email address, and select Continue.

    3. Enter your password.

    4. If you are associated with multiple clean room environments, select the Snowflake account that you are configuring.

    5. In the left navigation, select Snowflake Admin.

    6. Select Login to Snowflake, and authenticate as a Snowflake user with the ACCOUNTADMIN role.

  2. Specify the details for the service account user that clean rooms use to interact with Snowflake. Be sure to remember these details as you will need them in a subsequent step. Do the following:

    1. Enter the email address associated with the service account user.

    2. In the New Snowflake Username field, specify a name that is unique to the Snowflake account.

    3. Specify a password.

    4. Select Create to create the service account user.

  3. Verify the email of the new service account user. Do the following:

    1. Select Log into your Snowflake account.

    2. Sign in to Snowsight using the credentials of the service account user. You specified these in the previous step.

    3. To open the user menu, select the username of the service account user, and then select My profile.

    4. Select Resend verification email. A verification email is sent to the email address of the service account user.

    5. Access the email inbox of the service account user, open the verification email, and select Validate Your Email.

    6. Return to the Snowflake Admin console of the clean room environment, and select Verify Status.

  4. To install the Snowflake Native App associated with Snowflake Data Clean Rooms (SAMOOHA_BY_SNOWFLAKE), follow these steps:

    1. Optional: Use the Setup Scripts section to review the code that is executed in your account to install the Snowflake Native App. Do not execute this code manually.

    2. Do not change the default name of the application.

    3. Select Install to install the Snowflake Native App.

      The process of installing the Snowflake Native App can take some time. Periodically select Refresh to check whether it is complete before proceeding to the next step.

  5. In the Database Registration section, select the databases, schemas, and objects that contain the data that you want collaborators to be able to access in clean rooms. Registering a database or schema registers all of the objects within that database or schema.

    The web app of Snowflake Data Clean Rooms supports the following objects:

    • Tables

    • Views

    • Materialized views

    • Secure views. The owner of a secure view must be the SAMOOHA_APP_ROLE role.

    Note

    Once you complete these steps, new objects added to registered databases or schemas are not available to clean room collaborators immediately. If an object is added to a registered database or schema, you need to use the web app’s Snowflake Admin option to return to the Database Registration section, and then select Resync.

Enable collaboration with consumers in different regions

In order to collaborate with a Snowflake customer whose account is in a different region than your account, you must enable Cross-Cloud Auto-Fulfillment for your clean room environment. A Snowflake user with the ACCOUNTADMIN role must enable Cross-Cloud Auto-Fulfillment before clean room administrators can add accounts in other regions as collaborators.

To configure your clean room environment to allow collaborators to be in a different region:

  1. Navigate to the sign in page.

  2. Enter your email address, and select Continue.

  3. Enter your password.

  4. If you are associated with multiple clean room environments, select the Snowflake account that you are configuring.

  5. In the left navigation, select Snowflake Admin.

  6. Select Login to Snowflake, and authenticate as a Snowflake user with the ACCOUNTADMIN role.

  7. Toggle on Cross-Cloud Auto-Fulfillment.

Costs associated with cross-region collaboration

There are additional costs associated with collaborators who are in a different region. For more information about how these costs are incurred, see Understand Cross-Cloud Auto-Fulfillment costs.

Limitations on cross-region collaboration

Limitations on cross-region collaboration include the following:

  • Collaborators must share the same web app hosting region. For example, if the web app hosting region for one account is Amazon Web Services: US East (N. Virginia) and the web app hosting region for another account is Amazon Web Services: Asia Pacific (Mumbai), then the two Snowflake customers cannot collaborate. To determine whether two collaborators share the same web app hosting region, see Web app hosting.

  • A provider cannot use differential privacy in the clean room.

  • A provider cannot view the request logs being sent from the consumer of a clean room.

  • A consumer cannot run a multi-provider analysis.

  • Collaborators cannot use masking policies or row access policies.

Troubleshooting

Use this section to troubleshoot problems you might have after completing the steps in this topic.

Symptom: Insufficient privileges

Solution: Ensure that the IP addresses associated with the web app are allowed by your network policies. For a list of these IP addresses, see Add IP addresses to your allowed list.

Symptom: Installation is successful, but the web app is not functioning properly.

Solution #1: Use the DESCRIBE USER command to double-check that the Snowflake user that you used to configure Snowflake has a valid first name, last name, and email. If the user is missing any of these, execute the ALTER USER command to specify them.

Solution #2: Try uninstalling the Snowflake Native App for Snowflake Data Clean Rooms, and then re-installing it.

  • To uninstall the app, see Uninstall a Snowflake Native App. If you installed the application with its default name, it is called SAMOOHA_BY_SNOWFLAKE.

  • To re-install the app:

    1. Sign in to the web app.

    2. In the left navigation, select Snowflake Admin.

    3. Select Login to Snowflake, and authenticate as a Snowflake user with the ACCOUNTADMIN role.

    4. Use the DESCRIBE USER command to confirm that the Snowflake user with the ACCOUNTADMIN role that you just used to authenticate has a valid first name, last name, and email. If the user is missing any of these, execute the ALTER USER command to specify them.

    5. To install the Snowflake Native App, select Install.

    6. Accept the default name of the application during the installation process.

Next steps

For additional steps needed to set up a clean room environment, including adding users and collaborators, see Snowflake Data Clean Rooms: Administrator tasks.