Skip to main content
Connect AnomalyArmor to your Snowflake data warehouse to monitor schemas, track freshness, and detect schema drift across your tables and views.

Requirements

Before connecting, ensure you have:
  • Snowflake account with database access
  • Virtual warehouse for query execution
  • User with SELECT permissions on information_schema and target schemas
  • Network access from AnomalyArmor to your Snowflake account

Connection Settings

FieldDescriptionExample
Connection NameFriendly identifierSnowflake Production
AccountSnowflake account identifierxy12345.us-east-1.aws
DatabaseDatabase (catalog) to monitorPRODUCTION_DB
WarehouseVirtual warehouse nameCOMPUTE_WH
UsernameSnowflake user accountanomalyarmor_user
PasswordUser password••••••••
Schema (Optional)Default schemaPUBLIC
Role (Optional)Role to useANOMALYARMOR_ROLE

Finding Your Account Identifier

Your account identifier format depends on your cloud provider and region:
Cloud ProviderFormat
Standard (AWS)xy12345.us-east-1.aws
Azurexy12345.east-us-2.azure
GCPxy12345.us-central1.gcp
Find your account identifier in the Snowflake web interface URL: Snowflake URL showing account identifier xy12345.us-east-1.aws
Include the full account identifier with region and cloud provider. Using just the account locator (e.g., xy12345) may not work for all regions.

Creating a Read-Only User

Create a dedicated user and role with minimal permissions.
Quick Setup: Download the Snowflake permissions script for a ready-to-use SQL template with role and user setup.
-- Create a read-only role for AnomalyArmor
CREATE ROLE IF NOT EXISTS ANOMALYARMOR_ROLE;

-- Grant database access
GRANT USAGE ON DATABASE your_database TO ROLE ANOMALYARMOR_ROLE;

-- Grant schema access (for all schemas)
GRANT USAGE ON ALL SCHEMAS IN DATABASE your_database TO ROLE ANOMALYARMOR_ROLE;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE your_database TO ROLE ANOMALYARMOR_ROLE;

-- Grant SELECT on all tables
GRANT SELECT ON ALL TABLES IN DATABASE your_database TO ROLE ANOMALYARMOR_ROLE;
GRANT SELECT ON FUTURE TABLES IN DATABASE your_database TO ROLE ANOMALYARMOR_ROLE;

-- Grant SELECT on all views
GRANT SELECT ON ALL VIEWS IN DATABASE your_database TO ROLE ANOMALYARMOR_ROLE;
GRANT SELECT ON FUTURE VIEWS IN DATABASE your_database TO ROLE ANOMALYARMOR_ROLE;

-- Grant warehouse usage
GRANT USAGE ON WAREHOUSE your_warehouse TO ROLE ANOMALYARMOR_ROLE;

-- Create user and assign role
CREATE USER IF NOT EXISTS anomalyarmor_user
  PASSWORD = 'your_secure_password'
  DEFAULT_ROLE = ANOMALYARMOR_ROLE
  DEFAULT_WAREHOUSE = your_warehouse;

GRANT ROLE ANOMALYARMOR_ROLE TO USER anomalyarmor_user;

Per-Schema Permissions

For more granular control: 
-- Grant access to specific schemas only
GRANT USAGE ON SCHEMA your_database.raw TO ROLE ANOMALYARMOR_ROLE;
GRANT USAGE ON SCHEMA your_database.staging TO ROLE ANOMALYARMOR_ROLE;
GRANT USAGE ON SCHEMA your_database.marts TO ROLE ANOMALYARMOR_ROLE;

-- Grant SELECT per schema
GRANT SELECT ON ALL TABLES IN SCHEMA your_database.raw TO ROLE ANOMALYARMOR_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA your_database.staging TO ROLE ANOMALYARMOR_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA your_database.marts TO ROLE ANOMALYARMOR_ROLE;

Authentication Methods

Standard username/password authentication. Simplest setup for getting started.In AnomalyArmor:
  • Enter your username and password
  • No additional configuration required

Virtual Warehouse Considerations

Warehouse Sizing

AnomalyArmor runs lightweight metadata queries. Recommended warehouse configuration:
EnvironmentSizeNotes
DevelopmentX-SmallSufficient for testing
ProductionSmallFaster query execution

Auto-Suspend Configuration

Enable auto-suspend to minimize costs: 
-- Configure warehouse for auto-suspend (1-5 minutes recommended)
ALTER WAREHOUSE your_warehouse SET
  AUTO_SUSPEND = 60       -- Suspend after 60 seconds idle
  AUTO_RESUME = TRUE      -- Resume automatically on query
  INITIALLY_SUSPENDED = TRUE;
AnomalyArmor queries typically complete in under a second. With 1-minute auto-suspend, you’ll pay only for actual query time.

Cost Estimation

MetricValue
Query duration< 1 second per discovery
With 1-min auto-suspend~$0.01-0.05 per discovery
Hourly monitoring~$15-30/month

Network Policies

If your Snowflake account uses network policies, add AnomalyArmor’s IP addresses: 
-- View existing network policies
SHOW NETWORK POLICIES;

-- Add AnomalyArmor IPs to your allowlist
ALTER NETWORK POLICY your_policy SET
  ALLOWED_IP_LIST = ('34.xxx.xxx.xxx/32', '35.xxx.xxx.xxx/32', ...);
Find AnomalyArmor’s current IP addresses in Settings > Security in the AnomalyArmor dashboard.

What We Monitor

AnomalyArmor discovers and monitors these Snowflake objects:
Object TypeMonitoredNotes
TablesYesIncluding managed and external
ViewsYesStandard and materialized
SchemasYesSchema-level metadata
StagesNoExternal/internal stages not monitored
StreamsNoChange data capture not monitored
TasksNoScheduled tasks not monitored

Metadata Captured

For each table and view:
  • Table name and schema
  • Column names and data types
  • Nullability and default values
  • Last modified timestamp (for freshness)
  • Partition information (where applicable)

Multiple Databases

To monitor multiple databases, create separate data sources for each:
Data SourceDatabase
Snowflake ProductionPRODUCTION_DB
Snowflake StagingSTAGING_DB
Snowflake AnalyticsANALYTICS_DB
Each data source needs access to its respective database. Use the same credentials if they have permissions across databases.

Connection Architecture

Snowflake Connection Architecture

What We Query

AnomalyArmor runs these types of queries: 
-- List tables and views
SELECT table_catalog, table_schema, table_name, table_type
FROM YOUR_DATABASE.INFORMATION_SCHEMA.TABLES
WHERE table_schema NOT IN ('INFORMATION_SCHEMA');

-- Get column details
SELECT column_name, data_type, is_nullable, column_default
FROM YOUR_DATABASE.INFORMATION_SCHEMA.COLUMNS
WHERE table_schema = 'YOUR_SCHEMA' AND table_name = 'YOUR_TABLE';

-- Check freshness (for tables with timestamp columns)
SELECT MAX(your_timestamp_column) FROM your_table;
Impact: Minimal. These are metadata queries that don’t scan table data.

Troubleshooting

Common causes:
  1. Invalid account identifier
  2. Wrong username or password
  3. Warehouse doesn’t exist or is suspended
Solutions:
  1. Verify account identifier includes region and cloud (e.g., xy12345.us-east-1.aws)
  2. Test credentials in Snowflake web interface first
  3. Ensure warehouse exists: SHOW WAREHOUSES;
  4. Resume warehouse if suspended: ALTER WAREHOUSE your_wh RESUME;
Causes:
  • Typo in credentials
  • User doesn’t exist
  • Password expired
Solutions:
  1. Verify user exists: SHOW USERS LIKE 'anomalyarmor%';
  2. Reset password if needed
  3. For key-pair auth, verify public key is assigned to user
Causes:
  • Missing region or cloud in account identifier
  • Account locator typo
Solutions:
  1. Get full account identifier from Snowflake URL
  2. Include region and cloud: xy12345.us-east-1.aws
  3. Try alternative formats if needed
Causes:
  • Typo in warehouse name
  • User lacks USAGE on warehouse
  • Warehouse was deleted
Solutions:
  1. List warehouses: SHOW WAREHOUSES;
  2. Grant usage: GRANT USAGE ON WAREHOUSE wh TO ROLE role;
  3. Check warehouse name is exact match (case-sensitive)
Causes:
  • Network policy restricting access
  • AnomalyArmor IPs not allowlisted
Solutions:
  1. Check network policies: SHOW NETWORK POLICIES;
  2. Add AnomalyArmor IPs to allowlist
  3. Contact your Snowflake admin for policy changes
Causes:
  • Role typo
  • Role was deleted
  • User not granted the role
Solutions:
  1. List roles: SHOW ROLES;
  2. Check grants: SHOW GRANTS TO USER your_user;
  3. Grant role: GRANT ROLE role TO USER user;
Causes:
  • User lacks SELECT permissions
  • Schema filter excluding all schemas
  • Empty database
Solutions:
  1. Test query as user: SELECT * FROM your_db.INFORMATION_SCHEMA.TABLES LIMIT 5;
  2. Check grants: SHOW GRANTS TO ROLE your_role;
  3. Grant SELECT on schemas: GRANT SELECT ON ALL TABLES IN SCHEMA schema TO ROLE role;

Best Practices

Use Dedicated Service Account

Create a dedicated user for AnomalyArmor rather than using personal accounts:
  • Dedicated users persist regardless of employee changes
  • Easier to audit and manage permissions
  • Can be easily rotated or disabled

Use Key-Pair Authentication for Production

Password authentication works but key-pair is more secure:
  • No password to rotate
  • Keys can’t be phished
  • Better audit trail
  • Supports hardware security modules

Monitor Your Production Database

Start with your production database where schema changes have the most impact:
PriorityDatabaseImportance
1Production databaseCritical
2Staging databaseImportant
3Development databasesOptional

Choose the Right Warehouse Size

Metadata queries are lightweight. X-Small is sufficient but Small provides faster startup:
Warehouse SizeCredit/HourRecommendation
X-Small1Development
Small2Production

Next Steps

Run Discovery

Scan your Snowflake database

Set Up Alerts

Get notified of schema changes