# Connection Setup

## General settings for all auth types

#### Step 1 - Locate Snowflake account identifier

Click your user icon -> open account selector -> account details:

<figure><img src="https://1130564041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnV9JkcO4iUyWrNlbU4MX%2Fuploads%2FiFtXXNkYxMMpZdpmIulG%2Fimage.png?alt=media&#x26;token=21b03ed4-d9aa-481d-92c3-b801b7492311" alt="" width="375"><figcaption></figcaption></figure>

Copy Account identifier value:

![](https://s3.amazonaws.com/helpscout.net/docs/assets/57fbf3029033600277a688ab/images/6980d2a3b5efef0a56c4e7df/file-A5S464BlRK.png)

#### Step 2 - Configure warehouse, user, and role

This section contains SQL commands to create specific user, warehouse and role to use for Coupler.io integration with Snowflake. If you already have them configured, proceed to step 3.

```
-- Create a specific warehouse for Coupler.io
CREATE WAREHOUSE coupler_warehouse WAREHOUSE_SIZE = XSMALL AUTO_SUSPEND = 30;

-- Create a specific user for the Coupler.io (service one, will not work for user/pass method)
CREATE USER IF NOT EXISTS "coupler_service_user" LOGIN_NAME="coupler_service_user" TYPE = service;

-- Create dedicated role
CREATE ROLE coupler_io_role;

-- Grant warehouse usage
GRANT USAGE ON WAREHOUSE coupler_warehouse TO ROLE coupler_io_role;

-- Option A: Allow database creation (more flexible, allows Coupler to create new databases)
GRANT CREATE DATABASE ON ACCOUNT TO ROLE coupler_io_role;

-- Option B: Restrict to specific database (more secure, access limited to my_database)
GRANT USAGE ON DATABASE my_database TO ROLE coupler_io_role;
GRANT CREATE SCHEMA ON DATABASE my_database TO ROLE coupler_io_role;
GRANT ALL ON ALL SCHEMAS IN DATABASE my_database TO ROLE coupler_io_role;
GRANT ALL ON ALL TABLES IN DATABASE my_database TO ROLE coupler_io_role;
GRANT ALL ON FUTURE TABLES IN DATABASE my_database TO ROLE coupler_io_role;

-- Assign to user
GRANT ROLE coupler_io_role TO USER "coupler_service_user";
```

#### Step 3 - Provide account identifier, warehouse and role settings to Coupler.io

Paste account identifier from step 1:

![](https://s3.amazonaws.com/helpscout.net/docs/assets/57fbf3029033600277a688ab/images/69a1b3ffecd6a35ce511ac9b/file-CddGiXPkLs.png)

Copy name of warehouse created on step 2 or you can use already existing warehouse. To find it: navigate to Compute -> Warehouses menu -> Copy name of warehouse:

![](https://s3.amazonaws.com/helpscout.net/docs/assets/57fbf3029033600277a688ab/images/69a1adc1c29d6ac24fac5a3b/file-e1iqsk0e3T.png)

![](https://s3.amazonaws.com/helpscout.net/docs/assets/57fbf3029033600277a688ab/images/6980d5de1d6a6fe906dcb5f4/file-RSZQ3osbCn.png)

![](https://s3.amazonaws.com/helpscout.net/docs/assets/57fbf3029033600277a688ab/images/69a1b418c29d6ac24fac5b00/file-q0dV55EwTZ.png)

If you defined needed default role for user - keep role field empty. If you want to specify role - enter it's name in field:

![](https://s3.amazonaws.com/helpscout.net/docs/assets/57fbf3029033600277a688ab/images/69a1aecfc29d6ac24fac5a73/file-GrgBGKBjM1.png)

![](https://s3.amazonaws.com/helpscout.net/docs/assets/57fbf3029033600277a688ab/images/69a1d099ecd6a35ce511b098/file-TXcckoKhRE.png)

### Select auth type & configure it

* Connect using Programmatic access token (PAT)
* Key pair
* User & password

### Option A - Connect using Programmatic access token (PAT)

#### **Step 4 - Create a network policy**

A **network policy** controls which IP addresses are allowed to **connect to** Snowflake.

```
-- Create the Network Rule
CREATE NETWORK RULE COUPLER_IP TYPE = 'IPV4' VALUE_LIST = ('34.123.243.115', '34.170.96.92');

-- Create the Network Policy
CREATE NETWORK POLICY COUPLER_NETWORK_POLICY;

-- Apply the rule to the policy
ALTER NETWORK POLICY COUPLER_NETWORK_POLICY SET ALLOWED_NETWORK_RULE_LIST = (COUPLER_IP);

-- Apply the policy to the Coupler user
ALTER USER "coupler_service_user" SET NETWORK_POLICY = COUPLER_NETWORK_POLICY;
```

#### **Step 5 - Generate token**

Option A - Via Snowsight (UI):

1. Sign in to Snowsight
2. Navigate to **Governance & security** > **Users & roles**
3. Select the user
4. Under **Programmatic access tokens**, select **Generate new token**
5. Enter a name, set expiration (up to 365 days, default 15 days), and optionally restrict to a specific role (recommended).
6. Select **Generate** and **copy the token immediately** - it cannot be retrieved later

Option B - Via SQL:

```
ALTER USER "coupler_service_user" ADD PAT coupler_token ROLE_RESTRICTION = coupler_io_role DAYS_TO_EXPIRY = 150;
```

#### Step 6 - Enter auth details to Coupler.io connection settings

Paste username and copied token:

![](https://s3.amazonaws.com/helpscout.net/docs/assets/57fbf3029033600277a688ab/images/69a1d40fecd6a35ce511b0e2/file-WOLFa3KYcF.png)

### Option B - Connect using Key Pair

Key Pair authentication uses an RSA key instead of a password.

#### **Step 1 - Generate an RSA key pair**

On the customer's machine (not in Snowflake):

```
# Generate a private key (unencrypted)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

# Or generate an encrypted private key (will prompt for a passphrase)
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8

# Generate the corresponding public key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
```

This produces two files:

* `rsa_key.p8`    — the private key (customer keeps this secret)
* `rsa_key.pub`    — the public key (assigned to the Snowflake user)

**Step 2 - Assign the public key to the Snowflake user**

```
-- Copy the public key content (without the BEGIN/END headers)
ALTER USER coupler_service_user SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqh...';
```

> **Important:** Exclude the `-----BEGIN PUBLIC KEY-----`    and `-----END PUBLIC KEY-----`    delimiters and any line breaks when pasting into the SQL command.

**Step 3 - Verify the key was assigned correctly** (optional)

```
DESC USER coupler_service_user;
-- Look for the RSA_PUBLIC_KEY_FP property — it should show a fingerprint
```

**Step 4 - Enter auth details to Coupler.io** connection settings

Username *(required)*

Enter login name of Snowflake user associated with key.

Private key *(required)*

Paste your RSA private key in PEM format:

```
-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- 
```

Passphrase *(optional)*

If your private key is encrypted, enter the passphrase. If not encrypted, leave it empty.

***

### Option C - Connect using your Username & Password

Password authentication is being deprecated by Snowflake and will be removed later this year. We recommend using Programmatic access token (PAT) authentication instead.

See [Snowflake MFA Rollout](https://docs.snowflake.com/en/user-guide/security-mfa-rollout).

Username *(required)*

Enter your Snowflake user login name.

Password *(required)*

Enter the password for this Snowflake user.

> Note: Your Snowflake user must have permissions to access the destination database/schema and create/write tables.