Create a dedicated Snowflake user with read-only access for ContextFlo. This script sets up a role, user, warehouse, and grants the necessary permissions.

Prerequisites

Admin access to Snowflake (ACCOUNTADMIN or SECURITYADMIN role)
Knowledge of which database(s) and schema(s) you want ContextFlo to access

Complete Setup Script

Run this script in a Snowflake worksheet. Update the variables at the top before running.

-- =====================================================
-- ContextFlo Snowflake User Setup Script
-- =====================================================
-- UPDATE THESE 3 VARIABLES before running:

SET CF_PASSWORD = 'your-secure-password';        -- Use a strong password
SET CF_DATABASE = 'YOUR_DATABASE';               -- Your database name
SET CF_SCHEMA = 'YOUR_DATABASE.YOUR_SCHEMA';     -- Full path: DATABASE.SCHEMA

-- =====================================================
-- 1. Create Role
-- =====================================================
USE ROLE SECURITYADMIN;

CREATE ROLE IF NOT EXISTS CONTEXTFLO_ROLE;
GRANT ROLE CONTEXTFLO_ROLE TO ROLE SYSADMIN;

-- =====================================================
-- 2. Create User
-- =====================================================
CREATE USER IF NOT EXISTS CONTEXTFLO_USER
  PASSWORD = $CF_PASSWORD
  DEFAULT_ROLE = CONTEXTFLO_ROLE
  DEFAULT_WAREHOUSE = CONTEXTFLO_WAREHOUSE
  MUST_CHANGE_PASSWORD = FALSE;

GRANT ROLE CONTEXTFLO_ROLE TO USER CONTEXTFLO_USER;

-- =====================================================
-- 3. Create Warehouse
-- =====================================================
USE ROLE SYSADMIN;

CREATE WAREHOUSE IF NOT EXISTS CONTEXTFLO_WAREHOUSE
  WAREHOUSE_SIZE = 'XSMALL'
  AUTO_SUSPEND = 60
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE;

GRANT USAGE ON WAREHOUSE CONTEXTFLO_WAREHOUSE TO ROLE CONTEXTFLO_ROLE;

-- =====================================================
-- 4. Grant Database & Schema Access
-- =====================================================
GRANT USAGE ON DATABASE IDENTIFIER($CF_DATABASE) TO ROLE CONTEXTFLO_ROLE;
GRANT USAGE ON SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;

-- =====================================================
-- 5. Grant SELECT on Existing Objects
-- =====================================================
GRANT SELECT ON ALL TABLES IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;
GRANT SELECT ON ALL MATERIALIZED VIEWS IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;
GRANT SELECT ON ALL EXTERNAL TABLES IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;

-- =====================================================
-- 6. Grant SELECT on Future Objects
-- =====================================================
GRANT SELECT ON FUTURE TABLES IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;
GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;
GRANT SELECT ON FUTURE EXTERNAL TABLES IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;

-- =====================================================
-- Done! Verify the grants:
-- =====================================================
SHOW GRANTS TO ROLE CONTEXTFLO_ROLE;

What This Script Does

Creates a dedicated role - CONTEXTFLO_ROLE
Creates a user - CONTEXTFLO_USER with the role assigned
Creates an X-Small warehouse - With auto-suspend after 60 seconds
Grants database and schema access - Usage permissions on your database/schema
Grants SELECT on existing objects - All tables, views, materialized views, and external tables
Grants SELECT on future objects - New tables/views are automatically accessible

Connection Details for ContextFlo

After running the script, use these details to connect in ContextFlo:

Account: Your Snowflake account identifier (e.g., orgname-accountname)
Username: CONTEXTFLO_USER
Password: The password you set in the script
Warehouse: CONTEXTFLO_WAREHOUSE
Role: CONTEXTFLO_ROLE (optional)

Verify Permissions

To check what permissions were granted:

SHOW GRANTS TO ROLE CONTEXTFLO_ROLE;

To test as the new user:

USE ROLE CONTEXTFLO_ROLE;
USE WAREHOUSE CONTEXTFLO_WAREHOUSE;
SELECT * FROM YOUR_DATABASE.YOUR_SCHEMA.your_table LIMIT 10;

Security Notes

Read-only access: This setup only grants SELECT permissions. ContextFlo cannot modify or delete your data.
Auto-suspend: The warehouse automatically suspends after 60 seconds of inactivity to minimize costs.
Strong password: Use a secure password with at least 16 characters including numbers and symbols.

Troubleshooting

"Insufficient privileges" Error

Run the grants again using SYSADMIN role:

USE ROLE SYSADMIN;
SET CF_SCHEMA = 'YOUR_DATABASE.YOUR_SCHEMA';
GRANT SELECT ON ALL TABLES IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;

User Cannot Access Warehouse

Ensure the warehouse grant was applied:

GRANT USAGE ON WAREHOUSE CONTEXTFLO_WAREHOUSE TO ROLE CONTEXTFLO_ROLE;

New Tables Not Accessible

The FUTURE grants only apply to tables created after the grant. For existing tables, run:

SET CF_SCHEMA = 'YOUR_DATABASE.YOUR_SCHEMA';
GRANT SELECT ON ALL TABLES IN SCHEMA IDENTIFIER($CF_SCHEMA) TO ROLE CONTEXTFLO_ROLE;

Next Steps

Go back to Onboarding

Create a Snowflake User for ContextFlo