> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cora.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect Snowflake to Cora using RSA key-pair authentication

> Connect your Snowflake data warehouse to Cora using RSA key-pair authentication for direct, scheduled access to your customer and product data.

The Snowflake integration replaces SFTP or CSV-based data delivery with a direct connection to your Snowflake warehouse. Cora connects using RSA key-pair authentication, queries your Snowflake views on a schedule, ingests the results, and makes the data available to agents, dashboards, and workflows.

## Overview

| Detail               | Value                                                                                                                                                                                                                                                                          |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Integration type** | RSA Key-Pair (private key), Organization-Level                                                                                                                                                                                                                                 |
| **Required role**    | Snowflake Account Administrator or equivalent                                                                                                                                                                                                                                  |
| **Why key-pair?**    | RSA key-pair is the industry-standard authentication method for Snowflake service accounts — recommended by Snowflake and used by dbt, Fivetran, Airbyte, and other major data tools. Key pairs never expire, require no token refresh, and transmit no secrets over the wire. |

<Note>
  The steps below represent the recommended setup for security and isolation. Your team is free to adapt the naming, schema structure, and warehouse configuration to fit your existing conventions. The only hard requirements are that Cora's service user has `SELECT` access to the relevant views and authenticates using a key pair.
</Note>

## Setup

<Steps>
  <Step title="Create a dedicated schema for Cora views">
    Create a dedicated database and schema that contains **only** the views Cora should access. This acts as a clear security boundary — Cora has no visibility into any other schema. If your team prefers to grant access to views in an existing schema, that works too.

    ```sql theme={null}
    CREATE DATABASE CORA_INTEGRATION_DB;

    CREATE SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS;
    ```

    Then create views in this schema that mirror your data exports:

    ```sql theme={null}
    CREATE VIEW CORA_INTEGRATION_DB.CORA_VIEWS.ACCOUNTS AS
    SELECT account_id, name, industry, created_at
    FROM PRODUCTION_DB.CORE.ACCOUNTS;
    ```

    Keep the same column names and data types so the schema Cora sees is consistent with your source data.
  </Step>

  <Step title="Create a read-only service account">
    Create a dedicated role and service user scoped exclusively to the Cora views schema.

    ```sql theme={null}
    -- Create a role with no inherited privileges
    CREATE ROLE CORA_INTEGRATION_ROLE;

    -- Create a service user (cannot log in interactively)
    CREATE USER CORA_SVC
      DEFAULT_ROLE = CORA_INTEGRATION_ROLE
      DEFAULT_WAREHOUSE = CORA_WH
      TYPE = SERVICE;

    -- Grant the minimum required privileges
    GRANT USAGE ON DATABASE CORA_INTEGRATION_DB TO ROLE CORA_INTEGRATION_ROLE;
    GRANT USAGE ON SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;
    GRANT SELECT ON ALL VIEWS IN SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;
    GRANT SELECT ON FUTURE VIEWS IN SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;

    -- Dedicated X-Small warehouse with auto-suspend (cost isolation)
    CREATE WAREHOUSE IF NOT EXISTS CORA_WH
      WAREHOUSE_SIZE = 'XSMALL'
      AUTO_SUSPEND = 60
      AUTO_RESUME = TRUE
      INITIALLY_SUSPENDED = TRUE;

    GRANT USAGE ON WAREHOUSE CORA_WH TO ROLE CORA_INTEGRATION_ROLE;

    -- Bind role to user
    GRANT ROLE CORA_INTEGRATION_ROLE TO USER CORA_SVC;
    ```
  </Step>

  <Step title="Generate an RSA key pair">
    Generate an unencrypted RSA private key and assign the corresponding public key to the service user.

    ```bash theme={null}
    # Generate private key (unencrypted PKCS#8 PEM)
    openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out cora_svc_key.p8 -nocrypt

    # Extract public key
    openssl rsa -in cora_svc_key.p8 -pubout -out cora_svc_key.pub
    ```

    Assign the public key to the service user in Snowflake:

    ```sql theme={null}
    ALTER USER CORA_SVC SET RSA_PUBLIC_KEY='<paste public key without BEGIN/END lines>';
    ```

    See Snowflake's [Key-Pair Authentication guide](https://docs.snowflake.com/en/user-guide/key-pair-auth) for full details.
  </Step>

  <Step title="Connect Snowflake in Cora.ai">
    1. Log into Cora.ai as an **organization administrator**.
    2. Navigate to **Settings** → **Organization Settings** → **Integrations**.
    3. Locate the **Snowflake** integration card and click **Connect**.
    4. Enter the following credentials:

    | Field                  | Description                                                                                                 |
    | ---------------------- | ----------------------------------------------------------------------------------------------------------- |
    | **Account identifier** | Your Snowflake account identifier (e.g., `xy12345.us-east-1`). Run the query below to find yours reliably.  |
    | **Username**           | The service user from step 2 (e.g., `CORA_SVC`)                                                             |
    | **Private key (PEM)**  | The full RSA private key, including the `-----BEGIN PRIVATE KEY-----` and `-----END PRIVATE KEY-----` lines |

    To find your account identifier, run this query in Snowflake:

    ```sql theme={null}
    SELECT
      CURRENT_ACCOUNT() AS account_locator,
      CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME() AS org_account_id;
    ```

    Use the `account_locator` value together with your region to form the full identifier. Your Snowflake web UI URL may also contain it, but the SQL query is the most reliable way to confirm.

    5. Click **Connect** to save.
  </Step>

  <Step title="Validate">
    Once the Snowflake integration card shows **Connected**, Cora will begin querying your views on a scheduled basis. Confirm that the expected data is flowing correctly in Cora.ai.
  </Step>
</Steps>

## Security model

| Principle                  | How it's enforced                                                                                                |
| -------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| **Least privilege**        | Role has only `USAGE` + `SELECT` on a dedicated schema — no `CREATE`, `INSERT`, `DELETE`, or cross-schema access |
| **Blast radius isolation** | Dedicated database and schema means accidental view creation elsewhere is invisible to Cora                      |
| **Cost isolation**         | Dedicated warehouse prevents Cora queries from competing with production workloads                               |
| **No credential expiry**   | RSA key pairs don't expire; rotate on your schedule, not under deadline pressure                                 |
| **Credential security**    | Private key is stored in an encrypted vault; never logged or persisted in application config                     |

## Notes

<Note>
  **Read-only access** — Cora only reads from your Snowflake views. Nothing is written back to your warehouse.
</Note>

<Note>
  **No credential expiry** — RSA key pairs do not expire. Rotate at your discretion by generating a new pair and updating both Snowflake and the Cora.ai integration.
</Note>

<Note>
  **Compute costs** — Queries consume credits from the designated warehouse. An X-Small warehouse with auto-suspend is sufficient for typical workloads.
</Note>

<Note>
  **Schema changes** — New columns on existing views are detected automatically. New views added to the Cora schema are picked up via the `FUTURE VIEWS` grant.
</Note>

<Note>
  **No passphrase** — The private key must be unencrypted (PKCS#8, no passphrase). This simplifies automation and avoids passphrase management overhead.
</Note>
