Connect a Snowflake or BigQuery datasource
Goal
You'll add a Snowflake account (or a BigQuery project) to PLACEHOLDER Cloud, confirm the connection, and discover its tables. Both connectors are shipped end-to-end (FEATURE-1, FEATURE-2).
Other warehouses on the same code path: Redshift (FEATURE-3), Databricks SQL (FEATURE-4), Microsoft SQL Server (FEATURE-5), Trino / Presto (FEATURE-6) — all shipped, with the same test + discover UX.
Prereqs
- A running PLACEHOLDER Cloud.
- For Snowflake: an account locator, a username, an auth method (password OR a key-pair private key in PEM form), a warehouse, a database, a schema, and a role.
- For BigQuery: a project ID, a dataset name, and a service-account JSON file with at minimum the
roles/bigquery.dataViewerrole on the dataset androles/bigquery.jobUseron the project.
Steps
Snowflake
- Datasources → New → pick Snowflake.
- Fill in the form: account, user, auth method, warehouse, database, schema, role.
- For key-pair auth: paste the unencrypted private key PEM into the key field. PLACEHOLDER Cloud encrypts it before it touches the DB.
- Test connection → green check + latency.
- Discover assets → PLACEHOLDER Cloud lists tables/views from
INFORMATION_SCHEMA.TABLESfor the configured database. Tick and add.
BigQuery
- Datasources → New → pick BigQuery.
- Project ID, dataset, location.
- Paste the service-account JSON (the full credential file content) into the secret field. PLACEHOLDER Cloud encrypts and never displays it again.
- Test connection → runs
SELECT 1against the region. - Discover assets → PLACEHOLDER Cloud lists tables from
region-<region>.INFORMATION_SCHEMA.TABLES.
Verify
The datasource appears in Datasources with a green badge. Discovered assets show up on the detail page.
Caveats
- For Snowflake key-pair auth, the UI accepts an unencrypted PEM. If you have a passphrase-protected key, decrypt it before pasting (or wait for the encrypted-PEM follow-up ticket).
- BigQuery service-account JSON contains a private key; treat it like a password. PLACEHOLDER Cloud applies the same AES-256-GCM-at-rest encryption as it does for SQL passwords.
- The SSRF guard (HARDEN-12) needs explicit awareness of Snowflake / BigQuery API hosts so you don't have to allowlist them by CIDR.