Updating Observe for Snowflake (O4S) Secret or Token

Data Ingestion
, ,
1

This article provides a step-by-step guide to update the secret or token for Observe for Snowflake (O4S) in your Snowflake environment. Follow these instructions to ensure the secret is updated correctly and the necessary permissions are granted for the Observe for Snowflake application. Note that SEND_TO_OBSERVE is used as an example database name; replace it with your actual database name.

Prerequisites

  • Administrative access to Snowflake with the ability to execute SQL commands.

  • A new secret string (token) for Observe for Snowflake. The full token should be in the format ds1vSbqf04Nd1v3h5MnX:RsNO0EiT4QEZvqWN-W8r5h_ndj3NEe7t (example only, this is not a valid token)

  • The SECURITYADMIN role or equivalent permissions to manage secrets and grant privileges.

  • The database (e.g., SEND_TO_OBSERVE) and O4S schema already set up in your Snowflake environment.

Steps to Update the O4S Secret or Token

  1. Update the Secret Replace the existing OBSERVE_TOKEN with the new secret string. Execute the following SQL command, replacing ds1vSbqf04Nd1v3h5MnX:RsNO0EiT4QEZvqWN-W8r5h_ndj3NEe7t with your new secret string and SEND_TO_OBSERVE with your actual database name:

    CREATE OR REPLACE SECRET
    SEND_TO_OBSERVE.O4S.OBSERVE_TOKEN
    TYPE = GENERIC_STRING
    SECRET_STRING = 'ds1vSbqf04Nd1v3h5MnX:RsNO0EiT4QEZvqWN-W8r5h_ndj3NEe7t';

    This command creates or replaces the OBSERVE_TOKEN secret in the SEND_TO_OBSERVE.O4S schema with the new token value. Note, use CREATE OR REPLACE rather than ALTER SECRET.

  2. Update the External Access Integration Recreate the external access integration to ensure it references the updated secret and any other required configurations. Run the following SQL command, replacing SEND_TO_OBSERVE with your actual database name:

    CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION
    OBSERVE_INGEST_ACCESS_INTEGRATION
    ALLOWED_NETWORK_RULES = (SEND_TO_OBSERVE.O4S.OBSERVE_INGEST_NETWORK_RULE)
    ALLOWED_AUTHENTICATION_SECRETS = (SEND_TO_OBSERVE.O4S.OBSERVE_TOKEN, SEND_TO_OBSERVE.O4S.OBSERVE_ENDPOINT)
    ENABLED = TRUE;

    This command updates the OBSERVE_INGEST_ACCESS_INTEGRATION to use the new OBSERVE_TOKEN and ensures the integration remains enabled.

    a. Switch to the SECURITYADMIN Role To grant the necessary permissions, switch to the SECURITYADMIN role:

    USE ROLE SECURITYADMIN;

    b. Grant Permissions to the Observe for Snowflake Application Assign the required permissions to the OBSERVE_FOR_SNOWFLAKE application to access the database, schema, secrets, and integration. Execute the following SQL commands, replacing SEND_TO_OBSERVE with your actual database name:

    GRANT USAGE ON DATABASE SEND_TO_OBSERVE TO APPLICATION OBSERVE_FOR_SNOWFLAKE;
GRANT USAGE ON SCHEMA SEND_TO_OBSERVE.O4S TO APPLICATION OBSERVE_FOR_SNOWFLAKE;
GRANT READ ON SECRET SEND_TO_OBSERVE.O4S.OBSERVE_TOKEN TO APPLICATION OBSERVE_FOR_SNOWFLAKE;
GRANT READ ON SECRET SEND_TO_OBSERVE.O4S.OBSERVE_ENDPOINT TO APPLICATION OBSERVE_FOR_SNOWFLAKE;
GRANT USAGE ON INTEGRATION OBSERVE_INGEST_ACCESS_INTEGRATION TO APPLICATION OBSERVE_FOR_SNOWFLAKE;

These commands ensure the OBSERVE_FOR_SNOWFLAKE application has the necessary permissions to use the database, schema, secrets, and external access integration.

Verification

After executing the above steps:

  • Confirm that the new secret is correctly stored by checking the OBSERVE_TOKEN in the <your_database>.O4S schema.

  • Verify that the OBSERVE_INGEST_ACCESS_INTEGRATION is enabled and references the updated secret.

  • Test the Observe for Snowflake application to ensure it can authenticate and ingest data using the new token.

  • Confirm you are able to view Snowflake Datasets in your Observe tenant.