Integrations

Snowflake

ContractHQ can connect directly to your Snowflake account to validate live table schemas and run quality checks. Connection details are stored securely and never logged.

Authentication Options

Username + PasswordSimple

Least secure. Use only for local development or testing.

Key Pair AuthRecommended

RSA private key. No password transmitted over the wire.

OAuthEnterprise

Delegate access via your SSO provider (Okta, Azure AD).

External BrowserInteractive

Opens a browser window for SSO-based MFA login.

Step 1 — Create a Service User

Create a dedicated Snowflake user for ContractHQ. This keeps audit logs clean and lets you revoke access independently:

Snowflake SQL
-- Create dedicated user and role
CREATE USER contracthq_user
  LOGIN_NAME = 'contracthq_user'
  DEFAULT_WAREHOUSE = COMPUTE_WH
  DEFAULT_ROLE = CONTRACTHQ_ROLE;

CREATE ROLE CONTRACTHQ_ROLE;
GRANT ROLE CONTRACTHQ_ROLE TO USER contracthq_user;

Step 2 — Grant Required Privileges

ContractHQ needs USAGE on the warehouse and SELECT on the tables it validates:

Snowflake SQL
-- Warehouse access
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE CONTRACTHQ_ROLE;

-- Database + schema access
GRANT USAGE ON DATABASE ANALYTICS TO ROLE CONTRACTHQ_ROLE;
GRANT USAGE ON SCHEMA ANALYTICS.RAW TO ROLE CONTRACTHQ_ROLE;

-- Table access (or grant on all tables)
GRANT SELECT ON TABLE ANALYTICS.RAW.USER_SIGNUPS TO ROLE CONTRACTHQ_ROLE;
-- Or: GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.RAW TO ROLE CONTRACTHQ_ROLE;
💡
ContractHQ only ever reads from your warehouse — it never writes. You do not need INSERT, UPDATE, or DELETE privileges.

Step 3 — Configure the Connection

Add Snowflake credentials to your contracthq.ymlproject config (use environment variable references — never hardcode credentials):

contracts/contracthq.yml
warehouse:
  type: snowflake
  account: ${{ env.SNOWFLAKE_ACCOUNT }}
  user: ${{ env.SNOWFLAKE_USER }}
  private_key_path: ~/.snowflake/rsa_key.p8
  database: ANALYTICS
  schema: RAW
  warehouse: COMPUTE_WH
  role: CONTRACTHQ_ROLE
⚠️
Store your Snowflake private key as a CI/CD secret. Never commit it to the repository.

Step 4 — Test the Connection

terminal
contracthq warehouse test
✔ Connecting to Snowflake (acme.eu-west-1)...
✔ Authenticated as CONTRACTHQ_USER
✔ Warehouse COMPUTE_WH is accessible
✔ Database ANALYTICS is accessible
Connection successful.

Controlling Compute Costs

ContractHQ minimises Snowflake credits by using an X-Small warehouse and automatically suspending it after each run. You can override the warehouse size per contract:

contract.yml
warehouse_override:
  size: x-small
  auto_suspend_seconds: 60
← dbt IntegrationGitHub Actions →