# Configuring Snowflake for Cloud Connected (Legacy)

## Overview

{% hint style="danger" %}
Do not follow the instructions on this page—instead, follow the [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) and [Setting Up a Cloud Connected Panther Instance instructions](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected/set-up). This page exists only for historical reference.
{% endhint %}

In a [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) deployment of Panther, your organization owns the Snowflake account and the AWS account in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades of the platform.

You must start with a new or empty Snowflake account. Panther does not support using Panther-managed Snowflake accounts with Cloud Connected deployments.

This page explains how to configure a Snowflake account for your deployment of Panther, and how to connect your credentials to your AWS account.

### Panther features requiring Snowflake Enterprise or higher

In order to use the following Panther features, you must be using the [Enterprise Edition of Snowflake](https://docs.snowflake.com/en/user-guide/intro-editions) or higher:

* [Query acceleration](https://docs.panther.com/search/backend/snowflake/configuration#query-acceleration)
* [Search optimization](https://docs.panther.com/search/backend/snowflake/configuration#search-optimization)
* [RBAC per log type](https://docs.panther.com/rbac#prerequisites-for-customer-configured-snowflake-accounts)
* [The ACCESS\_HISTORY view of the Snowflake Audit Logs integration](https://docs.panther.com/data-onboarding/supported-logs/snowflake)

## How to create a new Snowflake account and user for Panther

1. In your Snowflake organization, create a new, dedicated Snowflake account for Panther using the template below. `<YOUR_REGION>` should be one of the [supported AWS regions](https://docs.panther.com/system-configuration/panther-deployment-types/..#supported-aws-regions) (and be the same AWS [region](https://docs.snowflake.com/en/user-guide/intro-regions) where your Panther instance will eventually be deployed).

   ```sql
   USE ROLE ORGADMIN;

   CREATE ACCOUNT <YOUR_PANTHER_ACCOUNT_NAME> // Your desired Panther account name
     ADMIN_NAME = <YOUR_ADMIN_NAME>
     ADMIN_PASSWORD = '<YOUR ADMIN PASSWORD>' // It's recommended to use at least 32 characters
     ADMIN_USER_TYPE = 'LEGACY_SERVICE'
     EMAIL = '<your snowflake DBA email>'
     MUST_CHANGE_PASSWORD = FALSE
     EDITION = <YOUR_EDITION> // STANDARD, ENTERPRISE, or BUSINESS_CRITICAL
     REGION = <YOUR_REGION> // The AWS region your Panther instance will eventually be deployed in
     COMMENT = 'Panther Snowflake Cloud Connected Production Environment';
   ```
2. In the output of the command above, copy the `url` value, and paste it into a browser window. Log in to the account you just created using the credentials you provided in the command above.
3. In the new account, create a `pantheraccountadmin` user and grant it administrative roles using the following commands:

   ```sql
   USE ROLE SECURITYADMIN;

   CREATE USER pantheraccountadmin
      PASSWORD='<panther_credential>'
      TYPE='LEGACY_SERVICE';

   GRANT ROLE SYSADMIN
      TO USER pantheraccountadmin;
      
   GRANT ROLE SECURITYADMIN
      TO USER pantheraccountadmin;

   GRANT ROLE ACCOUNTADMIN
      TO USER pantheraccountadmin;
      
   ALTER USER pantheraccountadmin SET DEFAULT_ROLE = SYSADMIN;
   ```
4. In your Snowflake console, locate your account URL:
   1. At the bottom of the left-hand navigation bar, click your name.
   2. In the menu that opens, click **Account**.
   3. In the menu that opens, hover over the name of your account.
   4. In the menu that opens, click the **Copy account URL** icon.
      * The URL will be in this format: `<org-name>-<account-name>.snowflakecomputing.com`
      * Store this value in a secure location, as you will need it in a later step.\
        ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-6e4beeafedb4985a50fa14671643f8911d54c7fb%2Fimage%20\(15\).png?alt=media)

{% hint style="info" %}
Return to the [Cloud Connected instructions](https://docs.panther.com/system-configuration/cloud-connected#how-to-configure-your-cloud-connected-account) to continue with the deployment process.
{% endhint %}

## (Optional) Creating read-only roles for Panther data tables

Panther maintains the `PANTHERACCOUNTADMIN` user credentials in a secure location.

If you would like to create and maintain several users with read-only access to the Panther data lake tables, you can use the `PANTHERACCOUNTADMIN` user or another `SECURITYADMIN`-enabled user on your Snowflake account to run the following commands:

```sql
USE ROLE SECURITYADMIN;

-- If needed, create a new user
CREATE USER IF NOT EXISTS my_readonly_user 
    PASSWORD = '<INITIAL PASSWORD>'
    MUST_CHANGE_PASSWORD = TRUE;

-- Grant the PANTHER_READONLY_ROLE to the newly created user
GRANT ROLE PANTHER_READONLY_ROLE TO USER my_readonly_user;
```

## (Optional) Disabling and re-enabling the Panther account admin user

{% hint style="danger" %}
Disabling the `PANTHERACCOUNTADMIN` user may prevent Panther from being able to:

* Perform credential rotation
* Enable certain functionality, such as [Role-Based Access Control (RBAC)](https://docs.panther.com/system-configuration/rbac)
* Deploy new capabilities that require Panther to run `snowconfig`
{% endhint %}

If you choose to disable the `PANTHERACCOUNTADMIN` user despite the implications above, you may do so using the following commands:

```sql
USE ROLE SECURITYADMIN;

ALTER USER PANTHERACCOUNTADMIN SET DISABLED = TRUE;
```

If a Panther upgrade requires privileged access, the user can then be temporarily re-enabled:

```sql
USE ROLE SECURITYADMIN;

ALTER USER PANTHERACCOUNTADMIN SET DISABLED = FALSE;
```
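
The following is an added example, not part of Panther's instructions. It shows one way to confirm the state of the `PANTHERACCOUNTADMIN` user after disabling or re-enabling it, and to review what the account did during a temporary re-enable window. The seven-day lookback is an assumed value, and the `ACCOUNT_USAGE` queries assume a role with access to the shared `SNOWFLAKE` database.

```sql
USE ROLE SECURITYADMIN;

-- 1. Confirm whether the user is currently disabled.
SHOW USERS LIKE 'PANTHERACCOUNTADMIN';
SELECT "name", "disabled", "last_success_login"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- 2. Confirm which roles the user holds (disabling the user does not revoke them).
SHOW GRANTS TO USER PANTHERACCOUNTADMIN;

-- 3. Review login attempts for the user. ACCOUNT_USAGE views require
--    ACCOUNTADMIN or imported privileges on the SNOWFLAKE database.
USE ROLE ACCOUNTADMIN;

SELECT event_timestamp,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       is_success,
       error_message
  FROM snowflake.account_usage.login_history
 WHERE user_name = 'PANTHERACCOUNTADMIN'
   AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP()) -- assumed lookback window
 ORDER BY event_timestamp DESC;

-- 4. Review the statements the user ran and the role used for each.
SELECT start_time,
       role_name,
       query_type,
       execution_status,
       query_text
  FROM snowflake.account_usage.query_history
 WHERE user_name = 'PANTHERACCOUNTADMIN'
   AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP()) -- assumed lookback window
 ORDER BY start_time DESC;
```

`ACCOUNT_USAGE` views lag behind real time, so recent activity may not appear immediately. Failed login attempts recorded while the user is disabled are worth reviewing alongside the successful ones.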
