You're in the right place! Segment documentation is now part of Twilio Docs. The content you are used to is still here—just in a new home with a refreshed look.

Snowflake Data Graph Setup

FREE x

TEAM x

BUSINESS ✓

ADDON ✓

(warning)

Warning

Data Graph, Reverse ETL, and Profiles Sync require different warehouse permissions.

On this page, you'll learn how to connect your Snowflake data warehouse to Segment for the Data Graph.

Snowflake credentials

Segment assumes that you already have a warehouse that includes the datasets you'd like to use for the Data Graph. Log in to Snowflake with admin privileges to provide the Data Graph with the necessary permissions below.

Step 1: Create a user and internal database for Segment to store checkpoint tables

Segment recommends setting up a new Snowflake user and only giving this user permissions to access the required databases and schemas. Run the SQL code block below in your SQL worksheet in Snowflake to execute the following tasks:

Create a new role and user for the Segment Data Graph. This new role will only have access to the datasets you provide access to for the Data Graph.
Grant the Segment user access to the warehouse of your choice. If you'd like to create a new warehouse, uncomment the SQL below.
Segment requires write access to this database in order to create a schema for internal bookkeeping and to store checkpoint tables for the queries that are executed. Therefore, Segment recommends creating a new database for this purpose. This is also the database you'll be required to specify for the "Database Name" when connecting Snowflake with the Segment app.

(information)

Info

Segment recommends creating a new database for the Data Graph. If you choose to use an existing database that has also been used for Segment Reverse ETL, you must follow the additional instructions to update user access for the Segment Reverse ETL schema.

1-- ********** SET UP THE FOLLOWING WAREHOUSE PERMISSIONS **********
2
3-- Update the following variables 
4SET segment_connection_username = 'SEGMENT_LINKED_USER';
5SET segment_connection_password = 'my-safe-password';
6SET segment_connection_warehouse = 'SEGMENT_LINKED_WH';
7SET segment_connection_role = 'SEGMENT_LINKED_ROLE';
8
9-- The DB  used for Segment's internal bookkeeping.
10-- Note: Use this DB in the connection settings on the Segment app. This is the only DB that Segment requires write access to.
11SET segment_connection_db = 'SEGMENT_LINKED_PROFILES_DB';
12
13-- ********** [OPTIONAL] UNCOMMENT THE CODE BELOW IF YOU NEED TO CREATE A NEW WAREHOUSE **********
14
15-- CREATE WAREHOUSE IF NOT EXISTS identifier($segment_connection_warehouse)
16-- WITH WAREHOUSE_SIZE = 'XSMALL'
17--   WAREHOUSE_TYPE = 'STANDARD'
18--   AUTO_SUSPEND = 600 -- 5 minutes
19--   AUTO_RESUME = TRUE;
20
21-- ********** RUN THE COMMANDS BELOW TO FINISH SETTING UP THE WAREHOUSE PERMISSIONS **********
22
23-- Use admin role for setting grants
24USE ROLE ACCOUNTADMIN;
25
26-- Create a role for the Data Graph
27CREATE ROLE IF NOT EXISTS identifier($segment_connection_role)
28COMMENT = 'Used for Segment Data Graph';
29
30-- Create a user for the Data Graph
31CREATE USER IF NOT EXISTS identifier($segment_connection_username)
32MUST_CHANGE_PASSWORD = FALSE
33DEFAULT_ROLE = $segment_connection_role
34PASSWORD = $segment_connection_password
35COMMENT = 'Segment Data Graph User'
36TIMEZONE = 'UTC';
37
38-- Grant permission to the role to use the warehouse
39GRANT USAGE ON WAREHOUSE identifier($segment_connection_warehouse) TO ROLE identifier($segment_connection_role);
40
41-- Grant role to the user
42GRANT ROLE identifier($segment_connection_role) TO USER identifier($segment_connection_username);
43
44-- Create and Grant access to a Segment internal DB used for bookkeeping. This is the only DB that Segment requires write access to. This is also the DB you will use in the "Database Name" config while setting up the connection in the Segment app. 
45CREATE DATABASE IF NOT EXISTS identifier($segment_connection_db);
46GRANT USAGE ON DATABASE identifier($segment_connection_db) TO ROLE identifier($segment_connection_role);
47GRANT USAGE ON ALL SCHEMAS IN DATABASE identifier($segment_connection_db) TO ROLE identifier($segment_connection_role);
48GRANT CREATE SCHEMA ON DATABASE  identifier($segment_connection_db) TO ROLE identifier($segment_connection_role);
49

Step 2: Grant read-only access to additional databases for the Data Graph

Next, give the Segment role read-only access to additional databases you want to use for Data Graph including the Profiles Sync database. Repeat the following SQL query for each database you want to use for the Data Graph.

1
2SET segment_connection_role = 'SEGMENT_LINKED_ROLE';
3
4-- ********** REPEAT THE SQL QUERY BELOW FOR EACH DATABASE YOU WANT TO USE FOR THE DATA GRAPH **********
5-- Change this for each DB you want to grant the Data Graph read-only access to
6SET linked_read_only_database = 'MARKETING_DB';
7
8GRANT USAGE ON DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
9GRANT USAGE ON ALL SCHEMAS IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
10GRANT SELECT ON ALL TABLES IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
11GRANT SELECT ON FUTURE TABLES IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
12GRANT SELECT ON ALL VIEWS IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
13GRANT SELECT ON FUTURE VIEWS IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
14GRANT SELECT ON ALL EXTERNAL TABLES IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
15GRANT SELECT ON FUTURE EXTERNAL TABLES IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
16GRANT SELECT ON ALL MATERIALIZED VIEWS IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
17GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN DATABASE identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
18

(Optional) Step 3: Restrict read-only access to schemas

If you want to restrict access to specific Snowflake schemas and tables, then run the following commands:

1-- [Optional] Further restrict access to only specific schemas and tables 
2SET db = 'MY_DB';
3SET schema = 'MY_DB.MY_SCHEMA_NAME';
4SET segment_connection_role = 'SEGMENT_LINKED_ROLE';
5
6-- View specific schemas in database
7GRANT USAGE ON DATABASE identifier($db) TO ROLE identifier($segment_connection_role);
8GRANT USAGE ON SCHEMA identifier($schema) TO ROLE identifier($segment_connection_role);
9GRANT SELECT ON ALL TABLES IN SCHEMA identifier($schema) TO ROLE identifier($segment_connection_role);
10GRANT SELECT ON FUTURE TABLES IN SCHEMA identifier($schema) TO ROLE identifier($segment_connection_role);
11GRANT SELECT ON ALL VIEWS IN SCHEMA identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
12GRANT SELECT ON FUTURE VIEWS IN SCHEMA identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
13GRANT SELECT ON ALL EXTERNAL TABLES IN SCHEMA identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
14GRANT SELECT ON FUTURE EXTERNAL TABLES IN SCHEMA identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
15GRANT SELECT ON ALL MATERIALIZED VIEWS IN SCHEMA identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
16GRANT SELECT ON FUTURE MATERIALIZED VIEWS IN SCHEMA identifier($linked_read_only_database) TO ROLE identifier($segment_connection_role);
17

Step 4: Confirm permissions

To verify you have set up the right permissions for a specific table, log in with the username and password you created for SEGMENT_CONNECTION_USERNAME and run the following command to verify the role you created has the correct permissions. If this command succeeds, you should be able to view the respective table.

1set segment_connection_role = 'SEGMENT_LINKED_ROLE';
2set linked_read_only_database = 'YOUR_DB';
3set table_name = 'YOUR_DB.SCHEMA.TABLE';
4
5USE ROLE identifier($segment_connection_role);
6USE DATABASE identifier($linked_read_only_database) ;
7SHOW SCHEMAS;
8SELECT * FROM identifier($table_name) LIMIT 10;
9

Step 5: Connect your warehouse to the Data Graph

To connect your warehouse to the Data Graph:

Navigate to Unify > Data Graph. This should be a Unify space with Profiles Sync already set up.
Click Connect warehouse.
Select Snowflake as your warehouse type.
Enter your warehouse credentials. Segment requires the following settings to connect to your Snowflake warehouse:

Account ID: The Snowflake account ID that uniquely identifies your organization account.
Database: The only database that Segment requires write access to in order to create tables for internal bookkeeping. This database is referred to as segment_connection_db in the script below.
Warehouse: The warehouse in your Snowflake account that you want to use for Segment to run the SQL queries. This warehouse is referred to as segment_connection_warehouse in the script below.
Username: The Snowflake user that Segment uses to run SQL in your warehouse. This user is referred to as segment_connection_username in the script below.
Authentication: Snowflake only supports authentication using a key pair as Snowflake plans to deprecate password-only authentication starting August 2026. Learn more in the Snowflake docs.
- Key Pair: You need to first create the user and assign it a key pair following the instructions in the Snowflake docs. Then, set the segment_connections_username variable in the SQL script to the user you just created.

Test your connection, then click Save.

Update user access for Segment Reverse ETL schema

If Segment Reverse ETL has ever run in the database you are configuring as the Segment connection database, a Segment-managed schema is already created and you need to provide the new Segment user access to the existing schema. Run the following SQL if you run into an error on the Segment app indicating that the user doesn't have sufficient privileges on an existing _segment_reverse_etl schema.

1-- If you want to use an existing database that already has Segment Reverse ETL schemas, you'll need to run some additional steps below to grant the role access to the existing schemas.
2
3SET retl_schema = concat($segment_connection_db,'.__segment_reverse_etl');
4GRANT USAGE ON SCHEMA identifier($retl_schema) TO ROLE identifier($segment_connection_role);
5GRANT CREATE TABLE ON SCHEMA identifier($retl_schema) TO ROLE identifier($segment_connection_role);
6GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA identifier($retl_schema) TO ROLE identifier($segment_connection_role);