Loading
CRM Analytics
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Snowflake Private Output Connection

            You are here:

            1. Salesforce Help
            2. Docs
            3. CRM Analytics

            Snowflake Private Output Connection

            Create a remote connection using the Snowflake private output connector to write data from CRM Analytics to a Snowflake table. The private output connector uses a virtual private connection (VPC) for additional security. To use the Snowflake Private Output connector, you configure a network connection, external credential, and named credential. For authentication, use private key or OAuth.

            Note
            Note Use Sync Out for Snowflake to push raw data from CRM Analytics to Snowflake after setting up the connection. If you want to sync data from Snowflake to CRM Analytics, use the Snowflake Private Connection instead.

            How CRM Analytics Output Connectors with Output Nodes Work

            CRM Analytics output connectors allow you to write the outcome of a recipe to an external system for further analysis, business automation, and storage. After you configure an output connector to the data source, create a recipe using Data Prep. Add an Output node to the recipe, select the Output connection, and choose the Snowflake table name from the list of objects. When the recipe runs, CRM Analytics writes the output dataset to the selected table. When you run the recipe again, the data previously written is deleted and the new data is written.Generate your Snowflake private key and private key passphrase using the Snowflake Private Key documentation. If you opt to rotate your Snowflake private key, manually update the connection properties with the new key.

            Prerequisites

            For help with configuring this connection so that it’s consistent with your organization’s security requirements, contact your network security or IT department.

            Allowlist the Salesforce AWS Account for Snowflake Private Connect

            To verify your AWS account is on the allowlist for Salesforce private connect, see Verify Salesforce AWS Account for Private Connect.

            Connect to Snowflake with OAuth

            To use OAuth 2.0 for your Snowflake private connections, see Setup OAuth and Provider for Snowflake Private Connection.

            Create an Outbound Network Connection

            To create an outbound network connection, see Create the Outbound Network Connection.

            Create another connection for the Snowflake integrated S3 storage. This connection is used when the query returns large amounts of data. Snowflake splits the data into multiple files and stages them in the integrated S3 storage for downloading. For outbound S3 connections, an extra private connect license is required.

            1. Find the VPC S3 endpoint service name in the AWS console.
            2. Click Create Outbound Connection.
            3. Select AWS PrivateLink, and click Next.
            4. Give the S3 outbound connection the same name as the primary connection appended with “_S3”. For example, if the primary connection is named SnowflakeVPCOutbound, name the S3 connection SnowflakeVPCOutbound_S3.
            5. For VPC Endpoint Service Name, enter the endpoint service name you found in the AWS console.
            6. For Region, select the AWS region that you’re running Snowflake Private Connect in.
            7. Select Yes, I would like to provision my connection now.
            8. Save the connection.

            Make sure that the Connections status is Ready for both connections. If it isn’t, try syncing the connections.

            Create an External Credential

            1. From Setup, in the Quick Find box, enter Named, and then select Named Credentials.
            2. On the External Credentials tab, click New.
            3. Enter a label and name.
            4. For Authentication Protocol, select No Authentication if you aren't using OAuth.
              New external credentials screen showing entered connection name and label, and the no authentication option selected.
            5. If you're using OAuth, select OAuth 2.0. Then, select Browser Flow for flow type and your external auth identity provider for the Identity Provider.
              New external credentials screen showing entered connection name and label, and the OAuth 2.0 option selected.
            6. Save your external credential.
            7. Open the new external credential
            8. In the Principals section, click New.
            9. Enter SnowflakeVPCOAuthPrincipalAccess for the parameter name, 1 for the sequence, and Named Principal for the identity type.
            10. If you are using OAuth 2.0, set the scope. For the scope, enter two values separated by a space. The first scope value is session:role:target role, matching the scope setup done in the Okta setup step. This allows proper access to the data based on the role. The second scope value is offline_access, allowing the refresh token returned from Okta.
              New principal screen showing entered parameter name, sequence, named principal identity type, and scope.
            11. Save the principal. Find the action menu for the principal and Authenticate
              The Authenicate action for the principal.

              This opens a browser window to login for Okta. When authentication is successful, the browser redirects to Salesforce and the Authentication Status updates to Configured. If the status isn't updated, review the principal scope settings and the Okta setup.

            Now update your user profile with external credential principal access.

            1. From Setup, in the Quick Find box, enter Profiles, and then select Profiles.
            2. Select the profile for the Analytics Cloud Integration User.
            3. Click Enabled External Credential Principal Access at the top of the profile page.
            4. Click Edit and add SnowflakeVPCOAuthExtCred - SnowflakeVPCOAuthPrincipalAccess.
            5. Click Save.

            Create a Named Credential

            1. From Snowflake, determine your Snowflake account name from the Account URL field of SYSTEM$GET_PRIVATELINK_CONFIG.
            2. From Setup, in the Quick Find box, enter Named, and then select Named Credential.
            3. On the Named Credentials tab, click New.
            4. Enter a label and name.
            5. For URL, enter https://<your Snowflake account name>.<your AWS region>.privatelink.snowflakecomputing.com.
            6. Select the external credential and outbound network connection that you created.
              New Named Credentials screen showing entered connection name and label, URL, and external credentials and outbound network connection values selected.
            7. Save your named credential.

            Enable and Add the Snowflake Private Output Connector

            1. In the Data Manager, click the Connections tab.
            2. Click New Connection.
            3. Click Private, select Snowflake Private Connector (Output) then click Next.
            4. Enter the connection settings, as described in the Connection Settings section.
            5. Click Save & Test. Save & Test validates your settings by attempting to connect to the source. If the connection fails, CRM Analytics shows possible reasons.

            All settings require a value, unless otherwise indicated.

            Connection Setting Description
            Connection Name Identifies the connection. Use a convention that lets you easily distinguish between different connections.
            Developer Name API name for the connection. This name can’t include spaces. You can’t change the developer name after you create the connection.
            Description The description for the connection
            Authentication Type

            The type of authentication used for this connection. Accepted values are OAuth, Password, or PrivateKey. PrivateKey is recommended as the most secure option.

            • If you use OAuth, enter a value in the Named Credential field.
            • If you use Password, enter a value in the Username and Password fields.
            • If you use PrivateKey, enter a value in the Username, Private Key, and Private Key Passphrase fields
            Named Credential The Name field from a named credential stored in your Salesforce org.
            Username User name for the Snowflake account.
            Private Key

            Optional setting*. A private key associated with your Snowflake account.

            Note
            Note You must use an encrypted private key and password generated with the Advanced Encryption Standard (AES). For the detailed steps, refer to Key-pair authentication and key-pair rotation in Snowflake Help. When using the openssl command to generate the encrypted key, be sure to replace des3 with aes256 to ensure advanced encryption is used.
            Private Key Passphrase Optional setting*. The passphrase associated with your specified private key.
            Warehouse Snowflake warehouse name. This setting is case-sensitive, so enter the value exactly as it appears in Snowflake.
            Role Optional setting. Snowflake role assigned to the user that you’re using to connect.
            Database Snowflake database name. This setting is case-sensitive, so enter the value exactly as it appears in Snowflake.
            Schema Snowflake schema name. This setting is case-sensitive, so enter the value exactly as it appears in Snowflake.

            *Enter the Password or both the Private Key and Private Key Passphrase. Learn more about private keys in the Snowflake Private Key documentation.

            Push Data to Snowflake

            With the Snowflake Output Connector configured, you have two options to push data to Snowflake from CRM Analytics. To push augmented and transformed data, build a Data Prep recipe that merges and transforms the data to push to Snowflake. Add an output node and configure it to use the Snowflake Output connector.

            1. Select to write to an Output Connection.
            2. Select the connection name of the Snowflake Output connection you created.
            3. Select Apply.
            4. Save the recipe.

            To push raw data, without augmentation or transformation, use Sync Out for Snowflake. Data is pushed with each Data Sync run. You don’t use a Data Prep recipe. Keep these behaviors in mind when working with the Snowflake output connector and using a Data Prep recipe output node.

            • You can use an output connection more than once per recipe, but each output node must use a different object. The connector's per-run limit applies to each output node, and each output node is subject to the rolling 24-hour limit. To push again from the same recipe, add another connection with the same credentials
            • Output connections are only available for recipes built with Data Prep.
            • When the prior run’s data is deleted in preparation for the current run, the earlier version of an output dataset is inaccessible. Set up a process to copy or use the output after each run.
             
            Loading
            Salesforce Help | Article