Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.cora.ai/llms.txt

Use this file to discover all available pages before exploring further.

The Snowflake integration replaces SFTP or CSV-based data delivery with a direct connection to your Snowflake warehouse. Cora connects using RSA key-pair authentication, queries your Snowflake views on a schedule, ingests the results, and makes the data available to agents, dashboards, and workflows.

Overview

DetailValue
Integration typeRSA Key-Pair (private key), Organization-Level
Required roleSnowflake Account Administrator or equivalent
Why key-pair?RSA key-pair is the industry-standard authentication method for Snowflake service accounts — recommended by Snowflake and used by dbt, Fivetran, Airbyte, and other major data tools. Key pairs never expire, require no token refresh, and transmit no secrets over the wire.
The steps below represent the recommended setup for security and isolation. Your team is free to adapt the naming, schema structure, and warehouse configuration to fit your existing conventions. The only hard requirements are that Cora’s service user has SELECT access to the relevant views and authenticates using a key pair.

Setup

1

Create a dedicated schema for Cora views

Create a dedicated database and schema that contains only the views Cora should access. This acts as a clear security boundary — Cora has no visibility into any other schema. If your team prefers to grant access to views in an existing schema, that works too.
CREATE DATABASE CORA_INTEGRATION_DB;

CREATE SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS;
Then create views in this schema that mirror your data exports:
CREATE VIEW CORA_INTEGRATION_DB.CORA_VIEWS.ACCOUNTS AS
SELECT account_id, name, industry, created_at
FROM PRODUCTION_DB.CORE.ACCOUNTS;
Keep the same column names and data types so the schema Cora sees is consistent with your source data.
2

Create a read-only service account

Create a dedicated role and service user scoped exclusively to the Cora views schema.
-- Create a role with no inherited privileges
CREATE ROLE CORA_INTEGRATION_ROLE;

-- Create a service user (cannot log in interactively)
CREATE USER CORA_SVC
  DEFAULT_ROLE = CORA_INTEGRATION_ROLE
  DEFAULT_WAREHOUSE = CORA_WH
  TYPE = SERVICE;

-- Grant the minimum required privileges
GRANT USAGE ON DATABASE CORA_INTEGRATION_DB TO ROLE CORA_INTEGRATION_ROLE;
GRANT USAGE ON SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;

-- Dedicated X-Small warehouse with auto-suspend (cost isolation)
CREATE WAREHOUSE IF NOT EXISTS CORA_WH
  WAREHOUSE_SIZE = 'XSMALL'
  AUTO_SUSPEND = 60
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE;

GRANT USAGE ON WAREHOUSE CORA_WH TO ROLE CORA_INTEGRATION_ROLE;

-- Bind role to user
GRANT ROLE CORA_INTEGRATION_ROLE TO USER CORA_SVC;
3

Generate an RSA key pair

Generate an unencrypted RSA private key and assign the corresponding public key to the service user.
# Generate private key (unencrypted PKCS#8 PEM)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out cora_svc_key.p8 -nocrypt

# Extract public key
openssl rsa -in cora_svc_key.p8 -pubout -out cora_svc_key.pub
Assign the public key to the service user in Snowflake:
ALTER USER CORA_SVC SET RSA_PUBLIC_KEY='<paste public key without BEGIN/END lines>';
See Snowflake’s Key-Pair Authentication guide for full details.
4

Connect Snowflake in Cora.ai

  1. Log into Cora.ai as an organization administrator.
  2. Navigate to SettingsOrganization SettingsIntegrations.
  3. Locate the Snowflake integration card and click Connect.
  4. Enter the following credentials:
FieldDescription
Account identifierYour Snowflake account identifier (e.g., xy12345.us-east-1). Run the query below to find yours reliably.
UsernameThe service user from step 2 (e.g., CORA_SVC)
Private key (PEM)The full RSA private key, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines
To find your account identifier, run this query in Snowflake:
SELECT
  CURRENT_ACCOUNT() AS account_locator,
  CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME() AS org_account_id;
Use the account_locator value together with your region to form the full identifier. Your Snowflake web UI URL may also contain it, but the SQL query is the most reliable way to confirm.
  1. Click Connect to save.
5

Validate

Once the Snowflake integration card shows Connected, Cora will begin querying your views on a scheduled basis. Confirm that the expected data is flowing correctly in Cora.ai.

Security model

PrincipleHow it’s enforced
Least privilegeRole has only USAGE + SELECT on a dedicated schema — no CREATE, INSERT, DELETE, or cross-schema access
Blast radius isolationDedicated database and schema means accidental view creation elsewhere is invisible to Cora
Cost isolationDedicated warehouse prevents Cora queries from competing with production workloads
No credential expiryRSA key pairs don’t expire; rotate on your schedule, not under deadline pressure
Credential securityPrivate key is stored in an encrypted vault; never logged or persisted in application config

Notes

Read-only access — Cora only reads from your Snowflake views. Nothing is written back to your warehouse.
No credential expiry — RSA key pairs do not expire. Rotate at your discretion by generating a new pair and updating both Snowflake and the Cora.ai integration.
Compute costs — Queries consume credits from the designated warehouse. An X-Small warehouse with auto-suspend is sufficient for typical workloads.
Schema changes — New columns on existing views are detected automatically. New views added to the Cora schema are picked up via the FUTURE VIEWS grant.
No passphrase — The private key must be unencrypted (PKCS#8, no passphrase). This simplifies automation and avoids passphrase management overhead.