Skip to main content

Authentication Method: Margin uses RSA key pair authentication to connect to Snowflake. You’ll generate an RSA private key (.p8 file) and configure the public key on your Snowflake user.If you encrypt your private key with a passphrase, you’ll need to enter it in Margin during setup.

1. Snowflake Credential Setup

It’s recommended to create a dedicated Snowflake user with the permissions needed to query and write to your data warehouse. If you’d prefer to use an existing user, ensure it has the appropriate privileges for both reading and writing to the relevant databases and schemas. The preferred way is to create a margin_user with the minimum required permissions.

Create a Snowflake User

Below is a step-by-step guide to set up a Snowflake user with the necessary permissions:
Generate RSA Key PairRun these commands in your terminal to generate your private key and public key:
$ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8
$ openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
FileWhat to do with it
rsa_key.p8Upload to Margin during setup (keep secure)
rsa_key.pubCopy contents into the ALTER USER statement below
⚠️ If you set a passphrase, remember it—you’ll need to enter it in Margin.
Locations to fill in required fields are highlighted in green
-- Margin user/role details--------------
SET margin_default_warehouse = '<warehouse>';    -- e.g. 'COMPUTE_WH'
SET margin_database = '<database>';                -- e.g. 'DATA_DB'
SET margin_comment = 'For Margin integrations';

-- Source data you want to read from (for granular access)
SET source_database = '<database>';                -- e.g. 'APP_DB'
SET source_schema   = '<schema>';                 -- e.g. 'EVENTS_SCHEMA'
SET source_table_1 = '<table1>';                  -- e.g. 'PAYMENT_EVENTS'
SET source_table_2 = '<table2>';                  -- e.g. 'KYC_EVENTS'
-- etc. list all the tables here you want to read from 

--Use a high-privileged role and create Margin role/user-----------
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS MARGIN_ROLE -- leave it as MARGIN_ROLE, do not change
COMMENT = $margin_comment;

CREATE USER IF NOT EXISTS MARGIN_USER -- leave it as MARGIN_USER, do not change
DEFAULT_WAREHOUSE = $margin_default_warehouse
DEFAULT_ROLE = MARGIN_ROLE
COMMENT = $margin_comment;

ALTER USER MARGIN_USER
SET RSA_PUBLIC_KEY='MIIB...'; -- Copy the public key here from the step above

GRANT ROLE MARGIN_ROLE
TO USER MARGIN_USER;

---------------------------------------------------------------------------
-- Grant usage on warehouse
---------------------------------------------------------------------------
GRANT USAGE ON WAREHOUSE identifier($margin_default_warehouse)
  TO ROLE MARGIN_ROLE;

----------------------------------------------------------------------------
-- Create MARGIN_SCHEMA (for cost/revenue data)
----------------------------------------------------------------------------
USE DATABASE identifier($margin_database);


CREATE SCHEMA IF NOT EXISTS MARGIN_SCHEMA; -- leave it as MARGIN_SCHEMA, do not change

GRANT USAGE ON DATABASE identifier($margin_database)
TO ROLE MARGIN_ROLE;


----------------------------------------------------------------------------
-- Granular access to existing data (USAGE on DB/Schema)
----------------------------------------------------------------------------
GRANT USAGE
  ON DATABASE identifier($source_database)
  TO ROLE MARGIN_ROLE;

SET grant_schema_usage_sql_command = 'GRANT USAGE ON SCHEMA ' || $source_database || '.' || $source_schema || ' TO ROLE MARGIN_ROLE';


EXECUTE IMMEDIATE $grant_schema_usage_sql_command;
Copy and paste for each table you want to read from the selected database:
----------------------------------------------------------------------------
-- Table-level SELECT for <table1>
----------------------------------------------------------------------------
SET grant_table_select_1 = 'GRANT SELECT ON TABLE ' || $source_database || '.' || $source_schema || '.' || $source_table_1 || ' TO ROLE MARGIN_ROLE';

EXECUTE IMMEDIATE $grant_table_select_1;

----------------------------------------------------------------------------
-- Table-level SELECT for <table2>
----------------------------------------------------------------------------
SET grant_table_select_2 = 'GRANT SELECT ON TABLE ' || $source_database || '.' || $source_schema || '.' || $source_table_2 || ' TO ROLE MARGIN_ROLE';

EXECUTE IMMEDIATE $grant_table_select_2;

-- do this for all tables you added in Step 1 (all tables you want to read from)
Configure the columns you want to mask in specific tables.
  • [Strongly Recommended] Use Option 1: built in masking policies if you have Snowflake Enterprise.
  • Otherwise, Option 2: secure views shows how to create secure views within MARGIN_SCHEMA.
----------------------------------------------------------------------------
-- Snowflake masking policies are strongly typed. You must create a separate
-- masking policy for each data type. Below are examples for common types.
----------------------------------------------------------------------------

-- (A) Masking Policy for STRING columns:
CREATE OR REPLACE MASKING POLICY HIDE_STRING_FROM_MARGIN AS (VAL STRING) RETURNS STRING ->
  CASE 
    WHEN CURRENT_ROLE() = 'MARGIN_ROLE' THEN '****'
    ELSE VAL
  END;

-- (B) Masking Policy for NUMBER columns:
CREATE OR REPLACE MASKING POLICY HIDE_NUMBER_FROM_MARGIN AS (VAL NUMBER) RETURNS NUMBER ->
  CASE
    WHEN CURRENT_ROLE() = 'MARGIN_ROLE' THEN 0
    ELSE VAL
  END;

-- (C) Masking Policy for DATE columns:
CREATE OR REPLACE MASKING POLICY HIDE_DATE_FROM_MARGIN AS (VAL DATE) RETURNS DATE ->
  CASE
    WHEN CURRENT_ROLE() = 'MARGIN_ROLE' THEN NULL
    ELSE VAL
  END;

-- (D) Masking Policy for VARIANT (and semi-structured) columns:
CREATE OR REPLACE MASKING POLICY HIDE_VARIANT_FROM_MARGIN AS (VAL VARIANT) RETURNS VARIANT ->
  CASE 
    WHEN CURRENT_ROLE() = 'MARGIN_ROLE' THEN NULL
    ELSE VAL
  END;

----------------------------------------------------------------------------
-- Apply the masking policies to the corresponding columns in your table.
----------------------------------------------------------------------------

ALTER TABLE <database>.<schema>.<table>
  MODIFY COLUMN <secret_string_column> SET MASKING POLICY HIDE_STRING_FROM_MARGIN;

ALTER TABLE <database>.<schema>.<table>
  MODIFY COLUMN <secret_number_column> SET MASKING POLICY HIDE_NUMBER_FROM_MARGIN;

ALTER TABLE <database>.<schema>.<table>
  MODIFY COLUMN <secret_date_column> SET MASKING POLICY HIDE_DATE_FROM_MARGIN;

ALTER TABLE <database>.<schema>.<table>
  MODIFY COLUMN <secret_variant_column> SET MASKING POLICY HIDE_VARIANT_FROM_MARGIN;
Margin needs full control of MARGIN_SCHEMA to create tables, views, and stages for your cost/revenue data.
----------------------------------------------------------------------------
-- Transfer ownership of MARGIN_SCHEMA to MARGIN_ROLE
----------------------------------------------------------------------------
GRANT OWNERSHIP ON SCHEMA MARGIN_SCHEMA
  TO ROLE MARGIN_ROLE
  REVOKE CURRENT GRANTS;
This only grants control over MARGIN_SCHEMA. MARGIN_USER cannot create users/roles or access other schemas beyond what was explicitly granted.
If you need to connect to multiple databases, reach out to [email protected], we can enable this for you.

2. Snowflake Connection Configuration

A. Add a Snowflake Source in Margin

Go to your Integrations page in the Margin dashboard & click Add Source and select Snowflake.
Connect to Snowflake

B.Enter Snowflake Credentials

Enter the following required fields into Margin:
FieldDescription
Account IdentifierAccount Name prefixed by its Organization (e.g. myorg-account123). Format may differ based on Snowflake account age. For details, visit Snowflake docs.
WarehouseThe warehouse name Margin should use to run queries.
DatabaseThe default database for Margin queries.
UsernameThe Snowflake user you created (e.g., MARGIN_USER).
Private Key (.p8)The RSA private key file generated during credential setup.
Private Key Passphrase(Optional) Required if your private key is encrypted with a passphrase.
RoleThe role you created (or an existing role with the necessary privileges).
Snowflake accounts can have different identifier formats depending on when they were created. For example, older accounts might look like ACCOUNT_LOCATOR.CLOUD_REGION_ID.CLOUD, while newer ones may look like ORGNAME-ACCOUNT_NAME. Check Snowflake’s documentation if unsure.

3. Testing the Connection

When you set up Snowflake, Margin verifies:
  1. Basic connectivity check: Network connection & credential validation
  2. Verify user can fully manage objects in MARGIN_SCHEMA:
    • Table lifecycle (CREATE, INSERT, SELECT, UPDATE, DELETE, RENAME, DROP)
    • View lifecycle (CREATE, RENAME, DROP)
    • Create/Drop STAGE
    • Create/Drop FILE FORMAT
Sometimes the initial test might time out, especially if Snowflake is resuming from a suspended state. Simply click Test again to retry. Once a connection is established, further requests usually run quickly.

Troubleshooting

Authentication failures

  • Ensure you’re using an RSA private key (.p8 file), not an SSH key
  • Verify the public key is set on your Snowflake user: DESC USER MARGIN_USER
  • If you used a passphrase when generating the key, enter it in Margin

Permission errors during testing

  • The wizard shows exactly which permissions are missing
  • Ensure you completed Step 6 (ownership transfer) in the setup script

Connection timeout

  • Snowflake warehouses may be suspended—click “Test” again to retry
  • Check that your account identifier format is correct

Next Steps

Once the connection is established, you can connect your finance sources to model over your event data.

Sources: Finance Data

Connect your finance data sources