For each data connection, there are different ways to connect to Snowflake, these are outlined below. You can of course, have multiple connections to Snowflake. For each Astrato workbook and data view, one connection is supported at each time - these can be swapped later.
Service account
The same snowflake user is used by all Astrato tenant members (doesn’t support Snowflake’s row policy access)
Snowflake connection doesn’t expire
Supports public & restricted embeds
Utilises snowflake personal access tokens
Each Astrato user may use their own snowflake credentials with their own snowflake role, etc. (supports Snowflake’s row policy access)
Uses Snowflake’s default role
Astrato Prompts each user to login to Snowflake to create connection for them
User needs to refresh their snowflake connection when it expires (up to 90 days) by login to Astrato and visiting workbook
Emails don’t need to be matched between Astrato and Snowflake.
User needs to know both Astrato and Snowflake credentials
Doesn’t support public embeds
Restricted embeds stop working when Snowflake connection expires, user needs to login to Astrato and refresh his Snowflake connection
Federated Identity (recommended)
Utilises snowflake personal access tokens
Astrato maintains trust relationship between itself and Snowflake
Uses Snowflake’s default role
Astrato generates personal access tokens that are trusted by snowflake (supports Snowflake row policy access)
Astrato automatically refreshes snowflake connection for each user.
Emails need to be matched between Astrato and Snowflake.
User logins only once to Astrato, he doesn’t have to know snowflake credentials/password
Doesn’t support public embeds
Restricted embeds just work as Snowflake connection is refreshed automatically
Designed for future uses cases like cyclic reports per user
Full support for OEM passthrough authentication