Installing the Snowflake Data Clean Rooms environment
Before you begin
A Clean Room environment is installed in the Snowflake account for all users in that account.
Users within an account are granted access to the Clean Room environment by a clean rooms administrator.
If the Clean Room environment is not installed for your account: Follow the installation instructions on this page.
If you have received an email invitation to join a clean room: Follow the link, provide your email and a new password, if directed. This will open the clean rooms web application where you can join and use a clean room. Note that you must provide the email address where you received the invitation. The password will be specific to your clean rooms account; we recommend not reusing your Snowflake password.
If the Clean Room environment is installed for your account, and you want access to it: Ask a clean rooms administrator for access to the API, the UI, or both.
Overview
Snowflake Data Clean Rooms comprises two environments:
The clean rooms UI: A no-code, browser-based environment that makes it easy for users to create or run analyses.
The Clean Room API: Access to a set of stored procedures used to create and manage clean rooms and run analyses.
These environments provide similar, but not exactly equivalent, capabilities. A clean rooms administrator installs one or both components in a Snowflake account, and can then grant users access to each environment individually.
Requirements to install Snowflake Data Clean Rooms
Account and user requirements
Here are the requirements to install Snowflake Data Clean Rooms in your Snowflake account:
The account must be the required Snowflake Edition:
To create clean rooms, you must have Enterprise Edition or higher.
To join and use a clean room created in another account, you must have Standard Edition or higher.
The account must allow key-pair authentication, which is used by the service account for authentication.
You must accept data sharing terms. If you have not accepted the Snowflake Customer-Controlled Data Sharing Functionality Terms, please contact Snowflake Support. Snowflake Data Clean Rooms leverage listings, which are part of the Snowflake Service and subject to your Service terms with Snowflake, including the Snowflake Customer-Controlled Data Sharing Functionality Terms and Snowflake Acceptable Use Policy.
You must not define an account-level default collation. You can check your collation state by running the following command:
SHOW PARAMETERS LIKE 'DEFAULT_DDL_COLLATION' IN ACCOUNT;
(Clean rooms UI only) The Snowflake account must be a capacity account: this is an account that has an up-front capacity commitment. Snowflake On-Demand accounts cannot access the clean rooms UI.
(Clean rooms UI only) You must use multi-factor authentication (MFA) with a supported authenticator app.
If you do not meet all these requirements and need to upgrade, contact Snowflake Support.
Installer requirements
Here are the requirements for the person installing the Clean Room environment:
You must have an ACCOUNTADMIN role in a Snowflake account in order to install the Clean Room environment in that account.
The user with the ACCOUNTADMIN role must have a valid first name, last name, and email defined for their user object. To check, run DESCRIBE USER.
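The two checks this section names (account-level collation and the installer's user fields) can be turned into pass/fail queries before you start. This is an added example, not part of the Snowflake documentation; `<INSTALLER-USERNAME>` is a placeholder, and treating the string 'null' as an unset property is an assumption about how DESCRIBE USER renders empty values.

```sql
-- Added example: pre-install checks. Run the statements in order in one
-- worksheet session, because each SELECT reads the output of the command
-- immediately before it via LAST_QUERY_ID().
USE ROLE ACCOUNTADMIN;

-- 1. No account-level default collation may be defined.
SHOW PARAMETERS LIKE 'DEFAULT_DDL_COLLATION' IN ACCOUNT;
SELECT "key",
       "value",
       IFF(COALESCE("value", '') = '',
           'OK',
           'FAIL: account-level default collation is set') AS status
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- 2. The installing user needs a first name, last name and email.
--    <INSTALLER-USERNAME> is a placeholder for the ACCOUNTADMIN user
--    who will run the installation.
DESCRIBE USER <INSTALLER-USERNAME>;
SELECT "property",
       "value",
       -- Assumption: unset properties appear as NULL, '' or the text 'null'.
       IFF("value" IS NULL OR "value" IN ('', 'null'),
           'FAIL: missing',
           'OK') AS status
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('FIRST_NAME', 'LAST_NAME', 'EMAIL');
```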
Install the Clean Room environment
Follow these steps to install a Clean Room environment in your Snowflake account.
You must always install the native app (step 1), but after that you can enable the clean rooms UI for browser usage, the Clean Room API for code usage, or both. We recommend installing both the UI and the API to support both coders and non-coders in your organization.
1. Install the native application
Install the native application either in code or from the marketplace:
- If you do not want to agree to the Marketplace provider and consumer terms:
Run the following code in your Snowflake account:
USE ROLE ACCOUNTADMIN;
CALL system$accept_legal_terms('DATA_EXCHANGE_LISTING', 'GZSTZTP0KKO');
CREATE APPLICATION SAMOOHA_BY_SNOWFLAKE FROM LISTING 'GZSTZTP0KKO';
- If you agree to the Marketplace provider and consumer terms:
Set your current role to ACCOUNTADMIN
Install the Snowflake Data Clean Rooms application from the Snowflake Marketplace
Select Get and accept the default options.
Installation takes several minutes.
2. Install the Clean Room API
The Clean Room API is used for programmatic creation and usage of clean rooms.
Here are the steps to install the Clean Room API in your Snowflake account:
After installing the native application, launch it in Snowflake: Data products » Apps » Snowflake Data Clean Rooms » Launch app. This opens a worksheet with SQL commands.
Run the SQL commands to install Clean Room API, with the following notes:
If you renamed the native application during installation you will need to modify the script as indicated in the script comments.
If you want to review the full installation script before running it, uncomment the DRY_RUN=TRUE script line and run all commands up to and including that line to see the script contents. Note that you should not run the installation script exposed by that command manually, as it might result in an incomplete installation. Note that installation takes several minutes.
Confirm that you can access the API:
USE ROLE samooha_app_role;
USE WAREHOUSE app_wh;
CALL SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.LIBRARY.CHECK_MOUNT_STATUS();
If this returns FALSE, see the troubleshooting section below.
Grant API access to other users in your Snowflake account:
To add users with full abilities to create and manage clean rooms, run
GRANT ROLE SAMOOHA_APP_ROLE to USER USER
To add users with consumer-run permissions only, create one or more Snowflake roles and grant users access to this role. Then grant run access to specific clean rooms by calling consumer.grant_run_on_cleanrooms_to_role.
(Optional) Install the clean rooms UI to enable no-code access to your clean rooms or other features such as scheduled queries.
3. Enable the clean rooms UI
The clean rooms UI provides an easy no-code environment to manage your clean rooms account and create clean rooms and run analyses. It also provides some additional functionality not available in the Clean Room API, such as scheduled queries, third-party activation, and useful predefined templates.
Here is how to enable the clean rooms UI in your Snowflake account:
Configure your network policies to allow the clean rooms UI to access your Snowflake account. (Required only if your Snowflake account uses a network policy to control network traffic.)
Create a service user. This service user is used by the clean rooms UI to communicate with Snowflake.
Sign in to Snowsight with your Snowflake administrator credentials and create a service user as shown below. Provide a password and an email address that you can access. We recommend using a distribution list rather than a personal email.
-- Create the service user account.
USE ROLE USERADMIN;
CREATE USER <SERVICE-USER-USERNAME>
  PASSWORD='<SERVICE-USER-PASSWORD>'
  FIRST_NAME='DCR'
  LAST_NAME='Service User'
  EMAIL='<SERVICE-USER-EMAIL-ADDRESS>';
Save the service user name and password outside of Snowsight, because you’ll use it during the installation process.
Sign out of the current user in Snowsight, then sign back in to the same Snowflake account but with the service user’s credentials.
Open the profile and select Resend verification email.
Open the verification email and follow the link to verify the service user email address. No need to sign in to Snowsight again with the service user’s credentials. You can see the service user details in the clean rooms UI in the Admin » Snowflake Admin page, under Snowflake.
Complete the UI setup. This step applies your network policy to the service user, migrates the service user from password authentication to key-pair authentication, and grants SAMOOHA_APP_ROLE to the service user. Follow these steps to complete the basic UI setup:
Sign in to the clean rooms UI with your Snowflake credentials.
Open Admin » Snowflake Admin » Connect to Snowflake account.
Enter your service account user name and select Save.
You can now use the clean rooms UI.
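The UI setup step changes three security-relevant things on the service user: its network policy, its authentication method, and its role grant. The queries below let you confirm each one from Snowsight. This is an added example, not part of the Snowflake documentation; it reuses the page's `<SERVICE-USER-USERNAME>` placeholder and assumes the role keeps its default name, SAMOOHA_APP_ROLE.

```sql
-- Added example: post-setup review of the clean rooms service user.
-- Run the statements in order in one worksheet session; each SELECT reads
-- the output of the SHOW command immediately before it.
USE ROLE ACCOUNTADMIN;

-- 1. Authentication: after the migration to key-pair authentication,
--    has_rsa_public_key should be true. has_password shows whether a
--    password credential is still present on the user.
SHOW USERS LIKE '<SERVICE-USER-USERNAME>';
SELECT "name", "has_password", "has_rsa_public_key", "disabled"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- 2. Network policy: if your account uses network policies, "value" names
--    the policy in effect for this user and "level" shows whether it was
--    set on the user or inherited from the account.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER <SERVICE-USER-USERNAME>;
SELECT "key", "value", "level"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- 3. Role grants: the service user should appear here, along with every
--    other user or role that can create and manage clean rooms.
SHOW GRANTS OF ROLE SAMOOHA_APP_ROLE;
SELECT "granted_to", "grantee_name", "granted_by", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
ORDER BY "granted_to", "grantee_name";
```

Rerunning the third query periodically gives you a simple access review for the full-privilege clean rooms role.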
Configure the clean rooms UI environment
After you have installed the native application, API, and UI, you should configure the environment and add users:
Add clean room UI administrators and users. Administrators manage the environment on a day-to-day basis and can perform many actions, such as managing collaborators and configuring third-party connectors. Users can create or join clean rooms and run analyses.
Add developers. Grant API access to developers in your Snowflake account so they can create or consume clean rooms in your account.
Enable Cross-Cloud Auto-Fulfillment. By default, clean rooms can be shared only with consumers in the same underlying cloud region as the clean room creator. If you want to let providers share clean rooms with consumers in a different cloud region, you must enable Cross-Cloud Auto-Fulfillment for your account.
Register datasets available in the UI. A collaborator using the clean room UI can import only data that has been pre-registered by a clean rooms UI administrator into their clean room.
Troubleshooting installation
Use this section to troubleshoot problems you might have after completing the steps in this topic.
- Symptom: Insufficient privileges
Solution: Ensure that the IP addresses associated with the web app are allowed by your network policies. For a list of these IP addresses, see Configure network policies.
- Symptom: Installation is successful, but the web app is not functioning properly.
Solution #1: Use the DESCRIBE USER command to double-check that the Snowflake user that you used to configure Snowflake has a valid first name, last name, and email. If the user is missing any of these, execute the ALTER USER command to specify them.
Solution #2: Try uninstalling the Snowflake Native App for Snowflake Data Clean Rooms, and then re-installing it.
To uninstall the app, see Uninstall a Snowflake Native App. If you installed the application with its default name, it is called SAMOOHA_BY_SNOWFLAKE.
To re-install the app:
In the left navigation pane, select Snowflake Admin.
Select Login to Snowflake, and authenticate as a Snowflake user with the ACCOUNTADMIN role.
Use the DESCRIBE USER command to confirm that the Snowflake user with the ACCOUNTADMIN role that you just used to authenticate has a valid first name, last name, and email. If the user is missing any of these, execute the ALTER USER command to specify them.
To install the Snowflake Native App, select Install.
Accept the default name of the application during the installation process.