Connect Single Origin to Snowflake

Single Origin reads metadata only from your Snowflake account — database, schema, table, view, and column information plus query and usage history. It never reads the contents of your tables.
You now connect Single Origin by creating a dedicated read-only role and service user in your own account and granting them access to Snowflake's metadata. The setup is a single SQL script and nothing leaves your environment.

What you're granting

All metadata Single Origin reads comes from the shared, read-only SNOWFLAKE database that exists in every account. You grant a dedicated role access to it using Snowflake's predefined database roles:

| Grant | What it allows |
| --- | --- |
| SNOWFLAKE.OBJECT_VIEWER | Read object metadata — databases, schemas, tables, views, and columns — from the ACCOUNT_USAGE views. |
| SNOWFLAKE.USAGE_VIEWER | Read query history and usage metadata from the ACCOUNT_USAGE views. |
| USAGE on a warehouse | Lets the service user run the metadata queries. This is compute access only — it grants no access to data. |

These database roles grant the SELECT privilege on ACCOUNT_USAGE views only. They expose schema and usage metadata, never the rows inside your tables.

Confirm the exact roles with your Single Origin contact. OBJECT_VIEWER and USAGE_VIEWER cover schema and usage profiling. If your integration also surfaces governance (policies, tags) or security (logins, grants) metadata, you may additionally need SNOWFLAKE.GOVERNANCE_VIEWER or SNOWFLAKE.SECURITY_VIEWER. Grant only what's needed.

Before you start

You'll need:

  1. A user with the ACCOUNTADMIN role. Only ACCOUNTADMIN can grant the SNOWFLAKE database roles, because it owns the shared SNOWFLAKE database.
  2. The Single Origin RSA public key for key-pair authentication, provided in your onboarding email:

<SINGLE_ORIGIN_PUBLIC_KEY>

Paste the key body only — omit the -----BEGIN PUBLIC KEY----- / -----END PUBLIC KEY----- lines and any line breaks. Single Origin holds the matching private key; you never share or store it.

  3. The name of a warehouse Single Origin can use to run metadata queries (shown as <YOUR_WAREHOUSE> below). A small/X-Small warehouse is sufficient.
  4. Your Snowflake account identifier (find it in Snowsight under your account menu → View account details).

Option 1 — Snowsight worksheet

  1. Sign in to Snowsight with a user that can use the ACCOUNTADMIN role.
  2. Open a new SQL worksheet.
  3. Paste the script from Option 2 below, replacing the placeholders with your values.
  4. Run the statements top to bottom.

Option 2 — Full SQL script

Replace <SINGLE_ORIGIN_PUBLIC_KEY> and <YOUR_WAREHOUSE> with your values, then run the whole script:

USE ROLE ACCOUNTADMIN;

-- 1. Create a dedicated role for Single Origin
CREATE ROLE IF NOT EXISTS SINGLE_ORIGIN_ROLE
  COMMENT = 'Read-only metadata access for Single Origin';

-- 2. Create a dedicated service user (key-pair authentication)
CREATE USER IF NOT EXISTS SINGLE_ORIGIN_USER
  DEFAULT_ROLE = SINGLE_ORIGIN_ROLE
  RSA_PUBLIC_KEY = '<SINGLE_ORIGIN_PUBLIC_KEY>'
  COMMENT = 'Service account for Single Origin metadata sync';

GRANT ROLE SINGLE_ORIGIN_ROLE TO USER SINGLE_ORIGIN_USER;

-- 3. Grant read-only metadata access (SNOWFLAKE shared database roles)
GRANT DATABASE ROLE SNOWFLAKE.OBJECT_VIEWER TO ROLE SINGLE_ORIGIN_ROLE;
GRANT DATABASE ROLE SNOWFLAKE.USAGE_VIEWER  TO ROLE SINGLE_ORIGIN_ROLE;

-- 4. Grant usage on a warehouse so the service user can run metadata queries
GRANT USAGE ON WAREHOUSE <YOUR_WAREHOUSE> TO ROLE SINGLE_ORIGIN_ROLE;

Option 3 — Terraform

If you manage Snowflake with the Snowflake Terraform provider, the equivalent configuration is below.

Resource names vary by provider major version. The snippet uses the current resource names; adjust them to match the provider version you've pinned.

resource "snowflake_account_role" "single_origin" {
  name    = "SINGLE_ORIGIN_ROLE"
  comment = "Read-only metadata access for Single Origin"
}

resource "snowflake_user" "single_origin" {
  name           = "SINGLE_ORIGIN_USER"
  default_role   = snowflake_account_role.single_origin.name
  rsa_public_key = "<SINGLE_ORIGIN_PUBLIC_KEY>"
  comment        = "Service account for Single Origin metadata sync"
}

resource "snowflake_grant_account_role" "single_origin" {
  role_name = snowflake_account_role.single_origin.name
  user_name = snowflake_user.single_origin.name
}

resource "snowflake_grant_database_role" "object_viewer" {
  database_role_name = "SNOWFLAKE.OBJECT_VIEWER"
  parent_role_name   = snowflake_account_role.single_origin.name
}

resource "snowflake_grant_database_role" "usage_viewer" {
  database_role_name = "SNOWFLAKE.USAGE_VIEWER"
  parent_role_name   = snowflake_account_role.single_origin.name
}

resource "snowflake_grant_privileges_to_account_role" "warehouse_usage" {
  account_role_name = snowflake_account_role.single_origin.name
  privileges        = ["USAGE"]

  on_account_object {
    object_type = "WAREHOUSE"
    object_name = "<YOUR_WAREHOUSE>"
  }
}

Finish up

Once the script has run, share your account identifier with your Single Origin contact (or enter it in the onboarding flow). We'll connect as SINGLE_ORIGIN_USER and begin reading metadata — no further action needed on your side.
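A post-setup check you can run before sharing the account identifier, as an added example that is not part of Single Origin's script: it flags any grant on the role beyond the three described on this page and shows the key fingerprint registered for the service user. It assumes the object names from the script above and that SHOW GRANTS renders the database roles as SNOWFLAKE.OBJECT_VIEWER and SNOWFLAKE.USAGE_VIEWER; replace <YOUR_WAREHOUSE> with your warehouse name.

```sql
-- Added verification example; not part of Single Origin's setup script.
USE ROLE ACCOUNTADMIN;

-- 1. Least-privilege check on the role.
--    Any row returned is a grant beyond the two SNOWFLAKE database roles
--    and USAGE on the one warehouse described on this page.
SHOW GRANTS TO ROLE SINGLE_ORIGIN_ROLE;

SELECT "privilege", "granted_on", "name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE NOT (
        (    "granted_on" = 'DATABASE_ROLE'
         AND "name" IN ('SNOWFLAKE.OBJECT_VIEWER', 'SNOWFLAKE.USAGE_VIEWER'))
     OR (    "granted_on" = 'WAREHOUSE'
         AND "privilege"  = 'USAGE'
         -- Unquoted identifiers are stored in upper case; match that here.
         AND "name"       = '<YOUR_WAREHOUSE>')
);

-- 2. Role membership check on the service user.
--    Any row returned is a role other than SINGLE_ORIGIN_ROLE,
--    which would widen what the service user can reach.
SHOW GRANTS TO USER SINGLE_ORIGIN_USER;

SELECT "role", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "role" <> 'SINGLE_ORIGIN_ROLE';

-- 3. Authentication settings on the service user.
--    RSA_PUBLIC_KEY_FP is the SHA-256 fingerprint of the registered key;
--    compare it with the fingerprint of the key from your onboarding email.
--    RSA_PUBLIC_KEY_2_FP is the second key slot, which the setup script
--    on this page does not set.
DESCRIBE USER SINGLE_ORIGIN_USER;

SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('DEFAULT_ROLE',
                     'DISABLED',
                     'RSA_PUBLIC_KEY_FP',
                     'RSA_PUBLIC_KEY_2_FP');
```

Run each SHOW or DESCRIBE statement immediately before its SELECT, because RESULT_SCAN(LAST_QUERY_ID()) reads the output of the statement executed just before it in the same session.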

Revoking access

You can remove Single Origin's access at any time by dropping the role and user. Run as ACCOUNTADMIN:

USE ROLE ACCOUNTADMIN;

DROP USER IF EXISTS SINGLE_ORIGIN_USER;
DROP ROLE IF EXISTS SINGLE_ORIGIN_ROLE;

Dropping the role removes every grant associated with it, and dropping the user immediately ends Single Origin's ability to connect.