Skip to main content

Celonis Product Documentation

Connecting to Snowflake

You can connect your public facing Snowflake instance to the Celonis Platform. This connection can either be direct or using an uplinked on-premise extractor, with you choice dictated by how much access you want to allow the Celonis Platform to have to your database.

If you want to connect to your public facing Snowflake instance using key pair authentication, you need to generate a private key in your Snowflake account. We recommend using an encrypted private key with a passphrase. This passphrase is then encrypted by the Celonis Platform, giving you an extra layer of security.

With access to a private key and passphrase, you can enter this in the Snowflake configuration settings: Step 4.

Or alternatively, this passphrase can be used when configuring an uplink connection between Snowflake and the Celonis Platform.

For more information about key pair authentication, including generating an encrypted private key, see: Snowflake docs: Key pair authentication.

If you want to connect to your public facing Snowflake instance using OAuth authentication, you must sign into your Snowflake account and complete the following:

  1. Create a new user role, grant permission, and then create a user. Run the below commands as Useradmin in the Worksheets window.

    # Create a new role for celonis
    create role celonis_role;
    
    # Grant permissions for that role 
    grant select on all tables in schema MY_DB.PUBLIC to role celonis_role;
    
    # Create a new user for celonis (needed in Step 5).
    create user celonis password='celonis123';
    
    # Grant celonis permissions to celonis user
    grant role celonis_role to user celonis;
  2. Create a security integration group. Run the below commands as Accountadmin in the Worksheets window.

    # Create security integration for the oauth
    create security integration oauth_kp_int
     type = oauth
     enabled = true
     oauth_client = CUSTOM
     oauth_client_type = 'CONFIDENTIAL'
     oauth_redirect_uri = 'https://auth.redirect.celonis.cloud/snowflake_redirect'
    
     oauth_issue_refresh_tokens = true
     oauth_refresh_token_validity = 7776000;
    
    # Allow celonis user to use the integration as Accountadmin
    ALTER USER celonis ADD DELEGATED AUTHORIZATION OF ROLE celonis_role TO SECURITY INTEGRATION oauth_kp_int;
  3. Retrieve the Client ID and Client secret for the OAuth integration as Accountadmin.

    # Get the client-id & client-secret for the integration; Note that the integration name is case-sensitive and must be uppercase and enclosed in single quotes.
    
    select SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('OAUTH_KP_INT');

Before creating a connection between your Snowflake instance and the Celonis Platform you must decide which connection type you use.

Direct connections to Snowflake

Use this when you want to allow the Celonis Platform to directly access your Snowflake instance.

Uplinked connections to Snowflake via an on-premise extractor

Use this when you don't want to or can't allow the Celonis Platform to directly access your Snowflake instance. The connection between Snowflake and Celonis is then established using an on-premise extractor that's installed within your network and ideally on a dedicated server.

The role of the extractor is to poll and fetch job requests from the Celonis Platform, before then submitting the execution information the the database via an SQL query. Once the data is retrieved from the database, the extractor feathces it and sends it back to the Celonis Platform. As such, the connection between the database and the Celonis Platform is always made by the extractor, with it continously quering the Celonis Platform for any extractions to execute.

For more information about the on-premise extractor (including system requirements), see: On-premise extractors.

The next step is to modify your network settings to allow the database extractor to communicate with Snowflake and the Celonis Platform.

The settings here are based on the connection type you defined in step 1:

Network settings for direct connections

The following network settings apply for direct connections:

Source system

Target system

Port

Protocol

Description

Celonis Platform

Snowflake

Depending on the database, typical ports are 5432 for Postgres and 30015 for HANA for example

TCP

JDBC connection from the Celonis Platform to the database. The port is the one you normally use to connect to the database. The IPs of the Celonis Platform depending on the cloud cluster (which can be seen in the URL).

Network settings for uplinked connections

The following network settings apply for uplinked connections (via the on-premise extractor):

Source system

Target system

Port

Protocol

Description

On-premise extractor server

Snowflake

Depending on the database, typical ports are 5432 for Postgres and 30015 for HANA for example.

TCP

JDBC connection from on-premise extractor server to the database. The port is the one you normally use to connect to the database.

On-premise extractor server

Celonis Platform

443

TCP

HTTPS connection from on-premise extractor server to Celonis cloud endpoint. The IPs of the Celonis Platform depending on the cloud cluster (which can be seen in the URL).

Celonis Platform IP addresses depending on the cluster

The respective clusters use multiple IPs each, so you need to enable all three of them in your firewall configuration to connect the on-premise extractor server and the cloud endpoint.

For a complete list of inbound and outbound Celonis Platform IP addresses to be allowlisted if needed, see:  Allowlisting domain names and IP addresses

Note

This step is only needed if your database is not reachable from the Celonis Platform.

This step is only needed if your database is not reachable from the Celonis Platform.

For more information, see: Setting up

If you would like to use a proxy (optional), see: Proxy settings for on-prem clients.

You can now create the connection between Snowflake and the Celonis Platform from your data pool diagram:

  1. Click Data Connections.

    data_connections_within_data_pool_diagram.png
  2. Click Add Data Connection and select Connect to Data Source.

    add_data_connection.png
  3. For direct connections, select Cloud - Snowflake.

    For uplinked connections, select: On-Premise - Snowflake and then select your uplink (configured as part of step 1).

    creating_snowflake_data_connection.png
  4. Configure the following connection details, with the options here depending on your choice of uplinked or direct connection:

    • Name: An internal reference for the data connection.

    • Uplink Connections: The name of the Uplink Extractor Server installed on your end.

    • Configuration type: Select Standard.

    • Host: The database server name or IP address of the database server.

    • Port: The port to connect to the database server.

    • Service Name: If applicable to a specific database type (e.g. Oracle), enter the Service Name (Alias) associated with the database server.

    • Additional Properties: Additional properties like validateCertificate=false.

    • Credentials: Select either standard, OAuth, or key pair.

      If using OAuth authentication, you must supply the client ID and client secret configured in the prerequisites.

      oauth_authentication.png

      If using key pair authentication, you must supply the username, private key, and if applicable, the passphrase (for encrypted private keys).

      key-pair_authentication.png

      When copying and pasting your private key from Snowflake into the Celonis Platform, you only need to include from '-----BEGIN PRIVATE KEY-----' to '-----END PRIVATE KEY-----' .

      For example (a shortened version for illustration only):

      private_key_examples.png
    • Maximum number of parallel extractions: This is usually governed by the database type you are using. The default value chosen is 4.

    • Timeout for database connections: Timeout for all database connections created in this connection (specific to this connection only). This value will overwrite the local timeout (in application.yaml) in case of uplinked connection.

  5. Click Test Connection and correct any highlighted issues.

  6. Click Save.

  7. If using OAuth: The OAuth workflow starts, asking you to sign into your Snowflake account and authorize the connection.