Data ExportsData destinations

Snowflake

This guide walks you through configuring Snowflake as a destination for your Webflow Analyze and Optimize data export.

Prerequisites

  • Locate your Public Key generated on your behalf. The Public Key will be a long string of text, loosely resembling the format: 'MIIBI...<SHORTENED>...Xrw2nwIDAQAB'
  • In order to complete the following setup steps, you or a Snowflake admin on your team must have the securityadmin and sysadmin roles. (To check your account for these roles, run SHOW GRANTS TO USER <your_username>; and review the role column.)
  • If your Snowflake data warehouse is using Snowflake Access Policies, use the Webflow static IP: 34.69.83.207/32 to complete Step 2.

Recommendation: Key-pair authentication with service user

Snowflake is deprecating single-factor passwords and will disallow passwords for service users (TYPE=SERVICE) by October 2026. For that reason, we strongly recommend configuring the transfer user as a service user with key-pair authentication.

Configuration steps

1

Create role, user, warehouse, and database in the data warehouse

  1. Review and make any changes to the following setup script.

    1begin;
    2
    3-- create variables for user / role / warehouse / database
    4set user_name = 'TRANSFER_USER'; -- all letters must be uppercase
    5set role_name = 'TRANSFER_ROLE'; -- all letters must be uppercase
    6set warehouse_name = 'TRANSFER_WAREHOUSE'; -- all letters must be uppercase
    7set database_name = 'TRANSFER_DATABASE'; -- all letters must be uppercase
    8
    9-- change role to securityadmin for user / role steps
    10use role securityadmin;
    11
    12-- create role for data transfer service
    13create role if not exists identifier($role_name);
    14grant role identifier($role_name) to role SYSADMIN; -- establish SYSADMIN as the parent of the new role. Note: this does not grant the access privileges of SYSADMIN to the new role.
    15
    16-- create a user for data transfer service
    17create user if not exists identifier($user_name)
    18RSA_PUBLIC_KEY='MIIBIjANBgkqh...'; -- replace with the complete public key as required in the prerequisite
    19
    20-- set default role and warehouse to new user
    21alter user identifier($user_name) SET default_role = $role_name;
    22alter user identifier($user_name) SET default_warehouse = $warehouse_name;
    23alter user identifier($user_name) SET type = service;
    24
    25grant role identifier($role_name) to user identifier($user_name);
    26
    27-- change role to sysadmin for warehouse / database steps
    28use role sysadmin;
    29
    30-- create a warehouse for data transfer service
    31create warehouse if not exists identifier($warehouse_name)
    32warehouse_size = xsmall
    33warehouse_type = standard
    34auto_suspend = 60
    35auto_resume = true
    36initially_suspended = true;
    37
    38-- create database for data transfer service
    39create database if not exists identifier($database_name);
    40
    41-- grant service role access to warehouse
    42grant USAGE
    43on warehouse identifier($warehouse_name)
    44to role identifier($role_name);
    45
    46-- grant service access to database
    47grant CREATE SCHEMA, MONITOR, USAGE
    48on database identifier($database_name)
    49to role identifier($role_name);
    50
    51commit;

    Alternative authentication method: username & password

    By default, this script creates a new user using key-pair authentication. If you’d prefer to use username & password authentication, instead of:

    1 create user if not exists identifier($user_name)
    2 RSA_PUBLIC_KEY='MIIBIjANBgkqh...';

    Use the following block:

    1create user if not exists identifier($user_name)
    2password = 'some_password';

    Using an existing schema

    By default, a new schema (with a name you provide) will be created in the target Snowflake database upon the initial connection. If instead you create the schema ahead of time, you may remove the CREATE SCHEMA permission, and instead grant ALL PRIVILEGES on the target schema for the designated role.

    The script below can be used to complete this step:

    1set role_name = 'TRANSFER_ROLE';
    2set database_name = 'TRANSFER_DATABASE';
    3set schema_name = 'PRECREATED_SCHEMA';
    4
    5use database identifier($database_name);
    6grant ALL PRIVILEGES on schema identifier($schema_name) to role identifier($role_name);

    Using an existing warehouse or database

    By default, this script creates a new warehouse and a new database. If you’d prefer to use an existing warehouse/database, change the warehouse_name variable from TRANSFER_WAREHOUSE to the name of the warehouse to be shared/database_name variable from TRANSFER_DATABASE to the name of the database to be shared.

  2. In the Snowflake interface, select the dropdown next to the “Run” button, and click Run All. This will run every query in the script at once. If successful, you will see Statement executed successfully in the query results.

2

Configure the Snowflake access policy

If your Snowflake data warehouse is using Snowflake Access Policies, a new policy must be added to allow Webflow’s static IP to write to the warehouse.

  1. Review current network policies to check for existing IP allowlists.

    1SHOW NETWORK POLICIES;

  2. If there is no existing Snowflake Network Policies (the SHOW query returns no results), you can skip to Step 3.

  3. If there is an existing Snowflake Network Policy, you must alter the existing policy or create a new one to allowlist Webflow’s static IP address. Use the CREATE NETWORK POLICY command to specify the IP addresses that can access your Snowflake warehouse.

    1CREATE NETWORK POLICY <transfer_service_policy_name> ALLOWED_IP_LIST = ('34.69.83.207/32');

Network allowlisting

Webflow Static IP: 34.69.83.207/32

Creating your first network policy

If you have no existing network policies and you create your first as part of this step, all other IPs outside of the ALLOWED_IP_LIST will be blocked. Snowflake does not allow setting a network policy that blocks your current IP address. (An error message results while trying to create a network policy that blocks the current IP address.) But be careful when setting your first network policy.

3

Add your destination

Use the following details to complete the connection setup: host name, database name, your chosen schema name, username, and password.

Permissions checklist

  • Role grants:
    • USAGE on the target warehouse
    • If the destination schema will be created by the service:
      • USAGE and CREATE SCHEMA on the target database (the setup script also includes MONITOR)
    • If using a pre-created schema:
      • USAGE on the target database
      • ALL PRIVILEGES on the target schema
  • User defaults set (optional but recommended): DEFAULT_ROLE, DEFAULT_WAREHOUSE
  • If using key-pair authentication: user has the PKCS#8 RSA_PUBLIC_KEY set
  • If network policies are enforced: Webflow’s egress IP is allowlisted

FAQs

We recommend key-based authentication. You register a public key on a Snowflake user and we authenticate using the corresponding private key, so no password is shared or stored. You can also enforce Snowflake Network Policies to allowlist Webflow’s egress IP.

Minimum grants:

  • USAGE on the warehouse
  • If the destination schema will be created by the service: USAGE and CREATE SCHEMA on the database
  • If using a pre-created schema: USAGE on the database and ALL PRIVILEGES on the schema

Yes. Grant USAGE on that warehouse to the transfer role. You may also size the warehouse to control performance/cost.

No, you should only provide the raw public key string, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- tags.