Skip to main content

Connect a Snowflake or BigQuery datasource

Goal

You'll add a Snowflake account (or a BigQuery project) to PLACEHOLDER Cloud, confirm the connection, and discover its tables. Both connectors are shipped end-to-end (FEATURE-1, FEATURE-2).

Other warehouses on the same code path: Redshift (FEATURE-3), Databricks SQL (FEATURE-4), Microsoft SQL Server (FEATURE-5), Trino / Presto (FEATURE-6) — all shipped, with the same test + discover UX.

Prereqs

  • A running PLACEHOLDER Cloud.
  • For Snowflake: an account locator, a username, an auth method (password OR a key-pair private key in PEM form), a warehouse, a database, a schema, and a role.
  • For BigQuery: a project ID, a dataset name, and a service-account JSON file with at minimum the roles/bigquery.dataViewer role on the dataset and roles/bigquery.jobUser on the project.

Steps

Snowflake

  1. Datasources → New → pick Snowflake.
  2. Fill in the form: account, user, auth method, warehouse, database, schema, role.
  3. For key-pair auth: paste the unencrypted private key PEM into the key field. PLACEHOLDER Cloud encrypts it before it touches the DB.
  4. Test connection → green check + latency.
  5. Discover assets → PLACEHOLDER Cloud lists tables/views from INFORMATION_SCHEMA.TABLES for the configured database. Tick and add.

BigQuery

  1. Datasources → New → pick BigQuery.
  2. Project ID, dataset, location.
  3. Paste the service-account JSON (the full credential file content) into the secret field. PLACEHOLDER Cloud encrypts and never displays it again.
  4. Test connection → runs SELECT 1 against the region.
  5. Discover assets → PLACEHOLDER Cloud lists tables from region-<region>.INFORMATION_SCHEMA.TABLES.

Verify

The datasource appears in Datasources with a green badge. Discovered assets show up on the detail page.

Caveats

  • For Snowflake key-pair auth, the UI accepts an unencrypted PEM. If you have a passphrase-protected key, decrypt it before pasting (or wait for the encrypted-PEM follow-up ticket).
  • BigQuery service-account JSON contains a private key; treat it like a password. PLACEHOLDER Cloud applies the same AES-256-GCM-at-rest encryption as it does for SQL passwords.
  • The SSRF guard (HARDEN-12) needs explicit awareness of Snowflake / BigQuery API hosts so you don't have to allowlist them by CIDR.