Learn how to set up Snowflake Openflow using Snowpark Container Services (SPCS) in about 25 minutes. You'll create the foundation needed to start ingesting data from external sources using pre-built connectors.
Openflow is Snowflake's managed service for building data pipelines in Snowpark Container Services (SPCS). It provides pre-built connectors that make it easy to ingest data from various sources into Snowflake.
Key Benefits:
Openflow supports 19+ connectors including:
For a complete list with descriptions, see Openflow connectors.
Before starting, ensure you have:
Setting up Openflow involves four main tasks:
Step | Task | Persona | Duration |
1 | Setup Core Snowflake | Snowflake Administrator | 10 min |
2 | Create Deployment | Deployment Engineer / Administrator | 5 min |
3 | Create Runtime Role | Data Engineer | 5 min |
4 | Create Runtime | Data Engineer | 5 min |
Once you complete this 25-minute setup, you'll have a production-ready Openflow environment. Here's what you can do immediately:
✅ Start Ingesting Data
✅ No Code Required
✅ Production-Ready Infrastructure
Before creating a deployment, you need to configure core Snowflake components including the Openflow admin role, required privileges, and network configuration.
This quickstart references the companion GitHub repository which includes Jupyter notebooks and SQL scripts for various Openflow connectors:
Repository: https://github.com/Snowflake-Labs/sfguide-getting-started-with-openflow-spcs
SQL Scripts:
All SQL commands in this quickstart are available as downloadable scripts:
Key Notebooks:
If you downloaded the SQL scripts from the companion repository, here's how to import and execute them in Snowsight:
Using Projects (Recommended):
.sql
file you downloaded (e.g., quickstart_setup_core.sql
)The OPENFLOW_ADMIN
role is the primary administrative role for managing Openflow deployments.
Log into Snowsight and open a SQL worksheet.
Run the following SQL commands to create the Openflow admin role:
-- Create the Openflow admin role (requires ACCOUNTADMIN or equivalent privileges)
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS OPENFLOW_ADMIN;
-- Grant necessary privileges
GRANT CREATE DATABASE ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
GRANT CREATE COMPUTE POOL ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
GRANT BIND SERVICE ENDPOINT ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
-- Grant role to current user and ACCOUNTADMIN
GRANT ROLE OPENFLOW_ADMIN TO ROLE ACCOUNTADMIN;
GRANT ROLE OPENFLOW_ADMIN TO USER IDENTIFIER(CURRENT_USER());
This creates the admin role and grants it the necessary permissions to create and manage Openflow deployments.
Step 1: Check if BCR Bundle 2025_06 is already enabled
-- Check the bundle status
USE ROLE ACCOUNTADMIN;
CALL SYSTEM$BEHAVIOR_CHANGE_BUNDLE_STATUS('2025_06');
Step 2: Enable the bundle if status shows
DISABLED
If the result shows DISABLED
, enable the bundle:
-- Enable BCR Bundle 2025_06
CALL SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE('2025_06');
Check that all core resources were created successfully:
-- Verify role exists
SHOW ROLES LIKE 'OPENFLOW_ADMIN';
-- Verify grants
SHOW GRANTS TO ROLE OPENFLOW_ADMIN;
-- Verify network rule
DESC NETWORK RULE snowflake_deployment_network_rule;
After configuring core Snowflake, create an Openflow deployment. This is the container environment where Openflow will run.
QUICKSTART_DEPLOYMENT
Check that your deployment is running via the Snowsight UI:
Expected status: ACTIVE
Create a runtime role that will be used by your Openflow runtime. This role needs access to databases, schemas, and warehouses for data ingestion.
-- Create runtime role
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS QUICKSTART_ROLE;
-- Create database for Openflow resources
CREATE DATABASE IF NOT EXISTS QUICKSTART_DATABASE;
-- Create warehouse for data processing
CREATE WAREHOUSE IF NOT EXISTS QUICKSTART_WH
WAREHOUSE_SIZE = MEDIUM
AUTO_SUSPEND = 300
AUTO_RESUME = TRUE;
-- Grant privileges to runtime role
GRANT USAGE ON DATABASE QUICKSTART_DATABASE TO ROLE QUICKSTART_ROLE;
GRANT USAGE ON WAREHOUSE QUICKSTART_WH TO ROLE QUICKSTART_ROLE;
-- Grant runtime role to Openflow admin
GRANT ROLE QUICKSTART_ROLE TO ROLE OPENFLOW_ADMIN;
External Access Integrations allow your runtime to connect to external data sources. This quickstart creates one integration with network rules for both Google Drive and PostgreSQL connectors.
-- Create schema for network rules
USE ROLE ACCOUNTADMIN;
CREATE SCHEMA IF NOT EXISTS QUICKSTART_DATABASE.NETWORKS;
-- Create network rule for Google APIs
CREATE OR REPLACE NETWORK RULE google_api_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = (
'admin.googleapis.com',
'oauth2.googleapis.com',
'www.googleapis.com',
'google.com'
);
-- Create network rule for your Google Workspace domain (optional)
-- Replace 'your-domain.com' with your actual domain
CREATE OR REPLACE NETWORK RULE workspace_domain_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('your-domain.com');
-- Create network rule for PostgreSQL endpoint
-- Replace 'your-postgres-host.com:5432' with your actual endpoint
CREATE OR REPLACE NETWORK RULE postgres_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('your-postgres-host.com:5432');
-- Create ONE external access integration with ALL network rules
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION quickstart_access
ALLOWED_NETWORK_RULES = (
QUICKSTART_DATABASE.NETWORKS.google_api_network_rule,
QUICKSTART_DATABASE.NETWORKS.workspace_domain_network_rule,
QUICKSTART_DATABASE.NETWORKS.postgres_network_rule
)
ENABLED = TRUE
COMMENT = 'Openflow SPCS runtime access for Google Drive and PostgreSQL connectors';
-- Grant usage to runtime role
GRANT USAGE ON INTEGRATION quickstart_access TO ROLE QUICKSTART_ROLE;
-- Verify role and grants
SHOW ROLES LIKE 'QUICKSTART_ROLE';
SHOW GRANTS TO ROLE QUICKSTART_ROLE;
-- Verify integration
SHOW INTEGRATIONS LIKE 'quickstart_access';
DESC INTEGRATION quickstart_access;
Create a runtime associated with the previously created runtime role. A runtime is the execution environment for your Openflow connectors.
Follow these steps to create your runtime:
QUICKSTART_RUNTIME
QUICKSTART_ROLE
from the dropdownquickstart_access
from the dropdownCheck that your runtime is active:
QUICKSTART_RUNTIME
with status ACTIVEExpected status: ACTIVE
Once your runtime is active, you can access the Openflow canvas to add and configure connectors:
Click on the runtime name (QUICKSTART_RUNTIME
) to open the canvas where you can add connectors and build data pipelines.
With your Openflow SPCS infrastructure set up, you're ready to configure connectors to ingest data from external sources.
After completing this guide, you have:
OPENFLOW_ADMIN
role - Administrative role with deployment and integration privilegesQUICKSTART_DEPLOYMENT
) - Container environment running in SPCSQUICKSTART_ROLE
) - With database, schema, and warehouse accessquickstart_access
) - Network rules for Google Drive and PostgreSQL connectorsQUICKSTART_RUNTIME
) - Ready to host connectorsYou're now ready to configure connectors and build data pipelines!
Now that your infrastructure is ready, here are your next options:
Add and configure connectors for your data sources:
Use the notebooks from the companion repository for detailed connector setup:
Try these common use cases:
Issue: Deployment status stuck in CREATING
or shows ERROR
Solutions:
-- Check OPENFLOW_ADMIN has required privileges
SHOW GRANTS TO ROLE OPENFLOW_ADMIN;
-- Query event table for errors
SELECT * FROM OPENFLOW_CONFIG.EVENTS.openflow_events
WHERE RECORD:severity = 'ERROR'
ORDER BY TIMESTAMP DESC
LIMIT 100;
-- Verify network rule exists
DESC NETWORK RULE snowflake_deployment_network_rule;
Issue: Connector fails to connect to external services (e.g., Google Drive, databases)
Solutions:
-- Check integration exists and is enabled
SHOW INTEGRATIONS LIKE 'openflow_%';
DESC INTEGRATION your_integration_name;
-- Verify all required hostnames are in network rules
DESC NETWORK RULE your_network_rule;
-- Verify runtime role has access
SHOW GRANTS ON INTEGRATION your_integration_name;
Issue: "Insufficient privileges" errors when creating resources
Solutions:
-- Check which role you're using
SELECT CURRENT_ROLE();
-- Switch to appropriate role
USE ROLE OPENFLOW_ADMIN;
-- or
USE ROLE ACCOUNTADMIN;
-- Verify role grants
SHOW GRANTS TO ROLE OPENFLOW_ADMIN;
SHOW GRANTS TO USER your_username;
-- Example: Grant database creation if missing
USE ROLE ACCOUNTADMIN;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
If you continue experiencing issues:
When you're finished with the quickstart or want to remove resources, use Snowsight UI to clean up.
Via Snowsight:
QUICKSTART_RUNTIME
QUICKSTART_DEPLOYMENT
After removing deployments and runtimes, clean up the supporting resources:
-- Switch to ACCOUNTADMIN
USE ROLE ACCOUNTADMIN;
-- Drop external access integration
DROP INTEGRATION IF EXISTS quickstart_access;
-- Drop network rules
DROP NETWORK RULE IF EXISTS google_api_network_rule;
DROP NETWORK RULE IF EXISTS workspace_domain_network_rule;
DROP NETWORK RULE IF EXISTS postgres_network_rule;
-- Drop warehouse
DROP WAREHOUSE IF EXISTS QUICKSTART_WH;
-- Drop database
DROP DATABASE IF EXISTS QUICKSTART_DATABASE;
-- Drop role
DROP ROLE IF EXISTS QUICKSTART_ROLE;
Congratulations! You've successfully set up Snowflake Openflow using Snowpark Container Services (SPCS). You now have a fully functional data integration platform ready to connect to external data sources.
EAI_GDRIVE.ipynb
or EAI_POSTGRES.ipynb
) to set up Google Drive or PostgreSQLOfficial Documentation:
Code and Notebooks:
Management and Operations:
We would love your feedback on this QuickStart Guide! Please submit your feedback using the GitHub issues link.