Configuring Snowflake for Cloud Connected

Overview

In a Cloud Connected deployment of Panther, your organization owns the Snowflake account and the AWS account in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades of the platform.

You must start with a new or empty Snowflake account. Panther does not support using Panther-managed Snowflake accounts with Cloud Connected deployments.

This page explains how to configure a Snowflake account for your deployment of Panther, and how to connect your credentials to your AWS account.

Panther features requiring Snowflake Enterprise or higher

In order to use the following Panther features, you must be using the Enterprise Edition of Snowflake or higher:

• Query acceleration

• Search optimization

• RBAC per log type

How to create a new Snowflake account and user for Panther

1. In your Snowflake organization, create a new, dedicated Snowflake account for Panther using the template below. <YOUR_REGION> should be the same AWS region where your Panther instance will eventually be deployed.

   Copy

   USE ROLE ORGADMIN;
   
   CREATE ACCOUNT <YOUR_PANTHER_ACCOUNT_NAME> // Your desired Panther account name
     ADMIN_NAME = <YOUR_ADMIN_NAME>
     ADMIN_PASSWORD = '<YOUR ADMIN PASSWORD>' // It's recommended to use at least 32 characters
     EMAIL = '<your snowflake DBA email>'
     MUST_CHANGE_PASSWORD = FALSE
     EDITION = <YOUR_EDITION> // STANDARD, ENTERPRISE, or BUSINESS_CRITICAL
     REGION = <YOUR_REGION> // The AWS region your Panther instance will eventually be deployed in
     COMMENT =  'Panther Snowflake Cloud Connected Production Environment'; 

2. In the output of the command above, copy the url value, and paste it into a browser window. Log in to the account you just created using the credentials you provided in the command above.

3. In the new account, create a pantheraccountadmin user and grant it administrative roles using the following commands:

   Copy

   USE ROLE SECURITYADMIN;
   
   CREATE USER pantheraccountadmin
      PASSWORD='<panther_credential>'
      TYPE='LEGACY_SERVICE';
   
   GRANT ROLE SYSADMIN
      TO USER pantheraccountadmin;
      
   GRANT ROLE SECURITYADMIN
      TO USER pantheraccountadmin;
   
   GRANT ROLE ACCOUNTADMIN
      TO USER pantheraccountadmin;
      
   ALTER USER pantheraccountadmin SET DEFAULT_ROLE = SYSADMIN;

4. In your Snowflake console, locate your account URL:

   1. At the bottom of the left-hand navigation bar, click your name.

   2. In the menu that opens, click Account.

   3. In the menu that opens, hover over the name of your account.

   4. In the menu that opens, click the Copy account URL icon.

      • The URL will be in this format: <org-name>-<account-name>.snowflakecomputing.com

      • Store this value in a secure location, as you will need it in a later step.

(Optional) Creating read-only roles for Panther data tables

Panther maintains the PANTHERACCOUNTADMIN user credentials in a secure location.

If you would like to create and maintain several users with read-only access to the Panther data lake tables, you can use the PANTHERACCOUNTADMIN user or another SECURITYADMIN enabled user on your Snowflake account to run the following commands:

USE ROLE SECURITYADMIN;

# If needed, create a new user
CREATE USER IF NOT EXISTS my_readonly_user 
    PASSWORD = '<INITIAL PASSWORD>'
    MUST_CHANGE_PASSWORD = TRUE;

# Grant the PANTHER_READONLY_ROLE to the newly created user
GRANT ROLE PANTHER_READONLY_ROLE TO USER my_readonly_user;

(Optional) Disabling and Re-enabling the Panther Account Admin User

If you choose to disable the PANTHERACCOUNTADMIN user despite the implications above, you may do so using the following commands:

USE ROLE SECURITYADMIN;

ALTER USER PANTHERACCOUNTADMIN SET DISABLED = TRUE

If a Panther upgrade requires privileged access, the user can then be temporarily re-enabled:

USE ROLE SECURITYADMIN;

ALTER USER PANTHERACCOUNTADMIN SET DISABLED = FALSE