Overview
The Snowflake integration replaces SFTP/CSV-based data delivery with a direct connection to your Snowflake warehouse. Cora.ai connects using RSA key-pair authentication, queries your Snowflake views on a schedule, ingests the data, and makes it available to agents, dashboards, and workflows.
Integration Type: Key-Pair Auth (RSA Private Key), Organization-Level
Required Role: Snowflake Account Administrator or equivalent
Why Key-Pair?: RSA key-pair is the industry-standard authentication method for Snowflake service accounts — recommended by Snowflake and used by dbt, Fivetran, Airbyte, and other major data tools — because it never expires, requires no token refresh, and transmits no secrets over the wire.
Setup Steps
Note: The steps below represent our recommended setup for security and isolation. Your team is free to adapt the naming, schema structure, and warehouse configuration to fit your existing conventions — the only hard requirements are that Cora.ai's service user has SELECT access to the relevant views and uses key-pair authentication.
Step 1: Create a Dedicated Schema for Cora Views
We recommend a dedicated database and schema that contains only the views Cora.ai should access. This acts as a clear security boundary — Cora.ai has no visibility into any other schema. If your team prefers to grant access to views in an existing schema, that works too.
CREATE DATABASE CORA_INTEGRATION_DB;
CREATE SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS;
Then create views in this schema that mirror your data exports:
CREATE VIEW CORA_INTEGRATION_DB.CORA_VIEWS.ACCOUNTS AS
SELECT account_id, name, industry, created_at
FROM PRODUCTION_DB.CORE.ACCOUNTS;
Keep the same column names and data types so the schema Cora.ai sees is consistent with your source data.
Step 2: Create a Read-Only Service Account
Create a dedicated role and service user scoped exclusively to the Cora views schema.
-- Create a role with no inherited privileges
CREATE ROLE CORA_INTEGRATION_ROLE;
-- Create a service user (cannot log in interactively)
CREATE USER CORA_SVC
DEFAULT_ROLE = CORA_INTEGRATION_ROLE
DEFAULT_WAREHOUSE = CORA_WH
TYPE = SERVICE;
-- Grant the minimum required privileges
GRANT USAGE ON DATABASE CORA_INTEGRATION_DB TO ROLE CORA_INTEGRATION_ROLE;
GRANT USAGE ON SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA CORA_INTEGRATION_DB.CORA_VIEWS TO ROLE CORA_INTEGRATION_ROLE;
-- Dedicated X-Small warehouse with auto-suspend (cost isolation)
CREATE WAREHOUSE IF NOT EXISTS CORA_WH
WAREHOUSE_SIZE = 'XSMALL'
AUTO_SUSPEND = 60
AUTO_RESUME = TRUE
INITIALLY_SUSPENDED = TRUE;
GRANT USAGE ON WAREHOUSE CORA_WH TO ROLE CORA_INTEGRATION_ROLE;
-- Bind role to user
GRANT ROLE CORA_INTEGRATION_ROLE TO USER CORA_SVC;
Step 3: Generate an RSA Key Pair
Generate an unencrypted RSA private key and assign the public key to the service user:
# Generate private key (unencrypted PKCS#8 PEM)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out cora_svc_key.p8 -nocrypt
# Extract public key
openssl rsa -in cora_svc_key.p8 -pubout -out cora_svc_key.pub
Assign the public key in Snowflake:
ALTER USER CORA_SVC SET RSA_PUBLIC_KEY='<paste public key without BEGIN/END lines>';
See Snowflake's Key-Pair Authentication guide for details.
Step 4: Connect Snowflake in Cora.ai
Log into Cora.ai as an organization administrator
Navigate to Settings → Organization Settings → Integrations
Locate the Snowflake integration card and click Connect
Enter the credentials listed in the table below
Click Connect to save
Field | Description |
Account Identifier | Your Snowflake account identifier in org-account format (e.g., |
Username | The service user from Step 2 (e.g., |
Private Key (PEM) | The full RSA private key including |
Step 5: Validate
Once the Snowflake integration card shows Connected, Cora.ai will begin querying your views on a scheduled basis. Confirm the expected data is flowing correctly in Cora.ai.
Step 6: Enable Data Ingestion
Enable data ingestion to sync information from this integration into Cora.
Click the connected Snowflake integration card to open the settings panel
Under Data Ingestion, toggle the switch on
Click Save
Security Model
Principle | How It's Enforced |
Least privilege | Role has only |
Blast radius isolation | Dedicated database/schema means accidental view creation elsewhere is invisible to Cora |
Cost isolation | Dedicated warehouse prevents Cora queries from competing with production workloads |
No credential expiry | RSA key pairs don't expire; rotate on your schedule, not under deadline pressure |
Credential security | Private key stored in encrypted vault; never logged or persisted in application config |
Revocability | Disable user or drop role to instantly cut access |
Notes
Read-only access: Cora.ai only reads from your Snowflake views. Nothing is written back.
No credential expiry: RSA key pairs do not expire. Rotate at your discretion by generating a new pair and updating both Snowflake and the Cora.ai integration.
Compute costs: Queries consume credits from the designated warehouse. An X-Small with auto-suspend is sufficient for typical workloads.
Schema changes: New columns on existing views are detected automatically. New views added to the Cora schema are picked up via the
FUTURE VIEWSgrant.No passphrase: The private key must be unencrypted (PKCS#8, no passphrase). This simplifies automation and avoids passphrase management overhead.