Product Guide

Access via Snowflake (reader account)

Suggest Edits

Zus can provision and manage a read-only Snowflake reader account hosted by Zus that allows your organization to access your data mart via Snowflake. Any Snowflake compute costs incurred for this reader account will be passed through to your organization in your monthly bill. This integration path works well if your organization does not have its own Business Critical Snowflake account, but still wants to access the data via Snowflake.

If you would like for Zus to provision a Snowflake reader account for your data mart users, please reach out to our support team.

Logging in

After provisioning a new Snowflake reader account, our support team will share a URL for your organization's login page (i.e. https://zus-{company_name}.snowflakecomputing.com/console/login#/). When logging in, you must use the "Sign in using Zus Health" option to login using your Zus Health account.

For security purposes, to access Zus-hosted reader account, a user must have a role provisioned both in the Zus auth service with MFA-enabled (configurable by customers via API or the Zus App), and a separate role provisioned specifically for Snowflake. To request the latter, please contact support.

Note: If you want to give a user access to just data marts (and not Zus UIs or API), then they should be provisioned a role in the Zus auth service of "Permissionless".

Creating custom tables, views, & schemas

Reader account users have the necessary permissions to create custom tables, views, and schemas within their Snowflake account in the database labeled [CUSTOMER_NAME] and the schema SCRATCH. For instructions on how create new tables/views/schemas in Snowflake, please refer to the Snowflake documentation here, here, and here.

Connecting with a keypair

Customers can connect to their Snowflake reader account with a keypair to integrate headless tools such as dbt, Terraform, and SnowSQL without requiring a password.

Keypair creation

Note: These following steps are for MacOS, but should be portable to other operating systems.

  1. Choose a passphrase for encrypting your private key. You will be prompted to enter and confirm the passphrase in the following step.
  2. Create a private key using openssl. The following command will create the private key at ~/.ssh/snowflake_dev_encrypted.p8. Feel free to change this filename if you have many SSH keypairs and use a different naming convention.
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM  
  -out ~/.ssh/snowflake_dev_encrypted.p8
  1. Create a public key from your private key. You will be prompted again for the passphrase (again, feel free to change the filename to suit your own conventions):
openssl rsa -in ~/.ssh/snowflake_dev_encrypted.p8 -pubout
  -out ~/.ssh/snowflake_dev_encrypted.pub
  1. View the contents of ~/.ssh/snowflake_dev_encrypted.pub. It should look similar to this:
\-----BEGIN PUBLIC KEY-----  
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp/zsVHB7GebVDueCetuD  
GQS7kJODUZDEOYurq/8kjZLPwAF8SUfZobcHQr7TrmK1mTg75nuqDaRV2TdjcThf  
SL4nr4duiPzDhjWfAzVBR2tehn0zFs8JXZsj6v5dv11REUCbZAgeJE93UrXLufiJ  
dwsqB1YhnlRnFlkVErjv8SXCN1A+g7G1xM1+VtGUMzmhlQZkmhGjH/1y+5yeKtAg  
vI7kZAZQGnEQV5y+3H8v4qyJDX7yxd8qnZJ+UpuozRZL0AXE8EYLl+xeveAYy2Vg  
ciyRzDVGW4XeD4LKkCYNhVr7Jovs1vyXs+1PPXGCs6YkR2ZrVSDbnvrxauD/ZRbj  
FwIDAQAB  
-----END PUBLIC KEY-----
  1. Share your public key with your Zus account manager so the Zus team can add your public key to your Snowflake reader account.

Keypair rotation

Keypairs should be rotated when they reach a certain age, or if you lose your private key.

Updated about 10 hours ago