Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.elementum.io/llms.txt

Use this file to discover all available pages before exploring further.

This page is the chronological setup guide for a Snowflake CloudLink. Follow it top to bottom: prerequisites, IP whitelisting, key-pair authentication, the Snowflake setup script, the Elementum-side connection, and verification. If you’re new to CloudLink or unsure how it differs from Snowflake itself, start with the CloudLink Overview.

How it works

Elementum connects directly to your Snowflake account using a dedicated service user, role, warehouse, and database. The connection is read/write where you grant it, and read-only where you don’t.
SideWhat it owns
Your Snowflake accountYour data (databases, tables, views). You grant access to a dedicated ELEMENTUM user/role with the exact permissions you choose. You can restrict access to known Elementum IP addresses.
Elementum platformA reader/writer service account that connects in-place to your Snowflake account. No data is copied or stored outside Snowflake; all operations execute in your Snowflake environment.
Both Internet and VPN traffic are encrypted with TLS. VPN provides additional security through least-privilege network controls.

Prerequisites

Before starting, confirm you have:
1

Snowflake access

  • ACCOUNTADMIN role for setup
  • Tables/views with a primary key or unique identifier
  • Permission to create network policies
2

Elementum access

  • Admin privileges in Elementum to configure CloudLink connections
  • Your organization domain is already whitelisted on the Elementum side ([your-org].elementum.io)
3

A plan for what to grant

Identify which databases, schemas, and tables Elementum should access, and which need read/write vs read-only.

Step 1: Whitelist Elementum IP addresses

Configure your Snowflake network policy to allow connections from Elementum.
RegionIP Addresses
US East44.210.166.136, 44.209.114.114, 52.72.254.246
Europe18.185.13.42, 63.182.157.140, 3.65.106.188
Use the SQL below for your region (or the combined option for multi-region). The network policy is applied to the ELEMENTUM user later in Step 4. 
USE ROLE ACCOUNTADMIN;

CREATE NETWORK POLICY IF NOT EXISTS ELEMENTUM_ACCESS_POLICY
  ALLOWED_IP_LIST = (
    '44.210.166.136',
    '44.209.114.114',
    '52.72.254.246'
  )
  COMMENT = 'Network policy for Elementum platform access';
Use the combined policy if your organization is configured for multi-region access or if you want to allow connections from both US and Europe.
If your Elementum organization runs on AWS, you can use AWS PrivateLink instead of public-internet IP whitelisting so CloudLink traffic between Elementum and your Snowflake account stays on the AWS network.

Step 2: Get the public key from Elementum

Elementum uses RSA key-pair authentication. The private key stays in Elementum’s infrastructure; you assign the public key to your Snowflake service user.
1

Open CloudLink settings

In Elementum, navigate to Organization SettingsCloudLinks.
2

Start a new connection

Click + CloudLink and select Snowflake as the platform.
3

Copy the public key

The RSA public key is displayed in the connection setup dialog. Click Copy Public Key to copy it. You’ll paste it into the Snowflake setup script in Step 3.
Each Elementum environment generates its own unique key pair. If you’re setting up multiple environments, copy the public key separately from each environment’s CloudLink settings.
Leave the Elementum dialog open—you’ll come back to it in Step 5.

Step 3: Run the Snowflake setup script

The script below creates the user, role, warehouse, database, and platform schema that Elementum needs. Run each step in order, replacing <PASTE_PUBLIC_KEY_FROM_ELEMENTUM_UI> with the key you copied in Step 2.
This script requires the ACCOUNTADMIN role.
1

Create the ELEMENTUM role

USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS ELEMENTUM;
GRANT ROLE ELEMENTUM TO ROLE SYSADMIN;
2

Create the ELEMENTUM service user

USE ROLE ACCOUNTADMIN;
CREATE USER IF NOT EXISTS ELEMENTUM
  TYPE = SERVICE
  RSA_PUBLIC_KEY = '<PASTE_PUBLIC_KEY_FROM_ELEMENTUM_UI>';
GRANT ROLE ELEMENTUM TO USER ELEMENTUM;
Paste the raw public key value without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- header/footer lines.
3

Create the Elementum warehouse

USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS ELEMENTUM
  WITH WAREHOUSE_SIZE = 'MEDIUM',
  MIN_CLUSTER_COUNT = 1,
  MAX_CLUSTER_COUNT = 10,
  AUTO_SUSPEND = 60;

GRANT USAGE ON WAREHOUSE ELEMENTUM TO ROLE ELEMENTUM;
Defaults: Medium size, 1–10 clusters with auto-scaling, 60-second auto-suspend. Adjust based on your workload; see Snowflake warehouses for sizing guidance.
4

Create the Elementum database and platform schema

USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS ELEMENTUM;
GRANT OWNERSHIP ON DATABASE ELEMENTUM TO ROLE ELEMENTUM;

USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
CREATE SCHEMA IF NOT EXISTS ELEMENTUM_PLATFORM;
Do not modify or add tables to the ELEMENTUM_PLATFORM schema. It’s reserved for Elementum’s internal platform operations. See The platform schema concept.
5

Create a schema for customer data (optional)

Use this only if you want a dedicated schema for tables built specifically for Elementum (such as data-exchange tables). Don’t put these tables in ELEMENTUM_PLATFORM.
USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
CREATE SCHEMA IF NOT EXISTS PUBLIC;

Step 4: Grant permissions and set the network policy

Apply the network policy you created in Step 1, then grant the ELEMENTUM role access to the data you want available in Elementum.

Apply the network policy

USE ROLE ACCOUNTADMIN;
ALTER USER ELEMENTUM SET NETWORK_POLICY = ELEMENTUM_ACCESS_POLICY;

-- Verify
DESC USER ELEMENTUM;

Grant data access

The pattern is database usage → schema usage → table grants. Choose the access level you need. 
USE ROLE SYSADMIN;

-- Database and schema usage
GRANT USAGE ON DATABASE <INSERT_DATABASE_NAME_HERE> TO ROLE ELEMENTUM;
GRANT USAGE ON SCHEMA <INSERT_DATABASE_NAME_HERE>.<INSERT_SCHEMA_NAME_HERE> TO ROLE ELEMENTUM;

-- Table grants (fully qualified)
GRANT INSERT, UPDATE, DELETE, SELECT
  ON TABLE <INSERT_DATABASE_NAME_HERE>.<INSERT_SCHEMA_NAME_HERE>.<INSERT_TABLE_NAME_HERE>
  TO ROLE ELEMENTUM;

USE ROLE SYSADMIN;

GRANT USAGE ON DATABASE SALES_DB TO ROLE ELEMENTUM;
GRANT USAGE ON SCHEMA SALES_DB.PUBLIC TO ROLE ELEMENTUM;

GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE SALES_DB.PUBLIC.CUSTOMERS TO ROLE ELEMENTUM;
GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE SALES_DB.PUBLIC.ORDERS TO ROLE ELEMENTUM;

Optional grants

The following grants are only needed if you plan to use the matching capability. Skip any that don’t apply.
Required if you want Elementum to start workflows when data is added or updated in Snowflake.
-- Enable change tracking on each table you want to monitor
ALTER TABLE <DATABASE>.<SCHEMA>.<TABLE> SET CHANGE_TRACKING = TRUE;
Example:
ALTER TABLE SALES_DB.PUBLIC.CUSTOMERS SET CHANGE_TRACKING = TRUE;
ALTER TABLE SALES_DB.PUBLIC.ORDERS SET CHANGE_TRACKING = TRUE;

-- Verify
SHOW TABLES LIKE 'CUSTOMERS' IN SCHEMA SALES_DB.PUBLIC;
Required if you plan to use Snowflake Cortex as your AI provider, AI Search, AI Automations, or ML forecasting.
USE ROLE ACCOUNTADMIN;

-- Enable cross-region Cortex access
ALTER ACCOUNT SET CORTEX_ENABLED_CROSS_REGION = 'ANY_REGION';

-- Cortex user role
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE ELEMENTUM;

-- Cortex Search Service creation
GRANT CREATE CORTEX SEARCH SERVICE ON SCHEMA ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;

-- ML model creation
GRANT CREATE SNOWFLAKE.ML.ANOMALY_DETECTION ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
GRANT CREATE SNOWFLAKE.ML.CLASSIFICATION   ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
GRANT CREATE SNOWFLAKE.ML.FORECAST         ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
Capabilities enabled: anomaly detection, classification, forecasting, LLM access (Cortex Complete), and Cortex Search.
Required only if you plan to expose Elementum data to external BI tools (Power BI, Tableau, Looker) through Elementum’s BI view feature.
USE ROLE ACCOUNTADMIN;

GRANT USAGE ON DATABASE <DB_NAME> TO ROLE ELEMENTUM;
GRANT USAGE ON SCHEMA  <DB_NAME>.<SCHEMA_NAME> TO ROLE ELEMENTUM;
GRANT CREATE VIEW ON SCHEMA <DB_NAME>.<SCHEMA_NAME> TO ROLE ELEMENTUM;
Example:
USE ROLE ACCOUNTADMIN;

GRANT USAGE ON DATABASE ANALYTICS_DB TO ROLE ELEMENTUM;
GRANT USAGE ON SCHEMA ANALYTICS_DB.BI_VIEWS TO ROLE ELEMENTUM;
GRANT CREATE VIEW ON SCHEMA ANALYTICS_DB.BI_VIEWS TO ROLE ELEMENTUM;
Users and BI tools also need separate SELECT grants to query the views Elementum creates. See Tables for the full permission set.
Maintain view ownership: the ELEMENTUM role retains ownership of any BI views it creates. Do not transfer ownership, or Elementum will lose the ability to update or manage the views.

Step 5: Add credentials in Elementum

Return to the CloudLink dialog you opened in Step 2.
1

Enter connection details

FieldValue
NameA descriptive name (for example, Production Snowflake)
Account URLYour Snowflake account URL (for example, your-account.snowflakecomputing.com)
UsernameELEMENTUM
AuthenticationRSA Key Pair (configured automatically using the public key from Step 2)
RoleELEMENTUM
WarehouseELEMENTUM
SchemaELEMENTUM_PLATFORM (Elementum’s platform schema, not your data schema)
The Schema field must be the empty ELEMENTUM_PLATFORM schema, not your business data schema. See The platform schema concept.
2

Test the connection

Click Test Connection to verify credentials, key-pair authentication, and network access end-to-end. A successful test confirms the IP whitelist, public key, role grants, and warehouse usage are all set correctly.
3

Select tables to integrate

Once connected, browse your Snowflake environment:
  1. Database — Choose the database that contains your tables.
  2. Schema — Pick the schema with your data.
  3. Table — Choose the table(s) to bring into Elementum.
Only databases, schemas, and tables that the ELEMENTUM role has access to will appear.Performance check: when you select a table, Elementum runs a test query to measure response time. If the table responds slowly, you’ll see a warning before completing the connection.
Warning levelQuery timeRecommendation
OptimalUnder 3 secondsProceed
Moderate3–5 secondsReview optimization before proceeding
SlowOver 5 secondsStrongly consider optimization before connecting
Slow tables affect workflow execution times, record load times, and automation reliability. See Snowflake warehouses and Snowflake table types for optimization guidance.
4

Add naming and field mapping

For each table, set:
  • App name — the application this data belongs to
  • Table display name — user-friendly name shown in Elementum
  • Description — optional context
  • Primary key — the unique identifier column
  • Field mappings — column-to-field-type, labels, and visibility
Field types include: Text, Number, Date, Timestamp, Boolean, JSON, Array, Currency, Percentage, and References (for relationships).
5

Set the resource scheduler

The default sync interval is 20 minutes. Adjust based on data freshness needs:
  • Shorter intervals = fresher data, more Snowflake credits consumed.
  • Longer intervals = lower cost, suitable for slower-changing data.
More frequent syncs consume more Snowflake credits. Balance freshness against cost.
6

Provision the Query Profile Table

After the CloudLink is created, open its details by clicking the CloudLink name on the CloudLinks page in Organization Settings. In the Query Profile Table section, copy the provided DDL and run it in your Snowflake warehouse to provision the dynamic table that backs query-profile lookups. This improves query performance by giving Elementum fast, low-cost access to query execution metrics without scanning ACCOUNT_USAGE on every request.
The DDL requires the ACCOUNTADMIN role and grants the ELEMENTUM role the permissions it needs to read SNOWFLAKE.ACCOUNT_USAGE and execute the scheduled task. Once provisioned, the Query Profile Table status updates to Provisioned in the CloudLink dialog.

Step 6: Verify the connection

Run these checks in Snowflake to confirm the role, warehouse, and data access work as expected.
1

Verify role and warehouse

USE ROLE ELEMENTUM;
USE WAREHOUSE ELEMENTUM;
USE DATABASE ELEMENTUM;

SELECT CURRENT_ROLE(), CURRENT_WAREHOUSE(), CURRENT_DATABASE();
Expected: ELEMENTUM for all three.
2

Verify data access

USE ROLE ELEMENTUM;
USE WAREHOUSE ELEMENTUM;

SELECT COUNT(*) FROM SALES_DB.PUBLIC.CUSTOMERS;
Replace with your actual database, schema, and table.
3

Verify change tracking (if enabled)

SHOW TABLES LIKE 'CUSTOMERS' IN SCHEMA SALES_DB.PUBLIC;
-- Look for "change_tracking" = "ON"

SELECT *
FROM SALES_DB.PUBLIC.CUSTOMERS
CHANGES(INFORMATION => DEFAULT)
AT(TIMESTAMP => DATEADD(HOUR, -1, CURRENT_TIMESTAMP()))
LIMIT 5;
4

Verify Cortex access (if enabled)

USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
USE SCHEMA ELEMENTUM_PLATFORM;

SELECT SNOWFLAKE.CORTEX.COMPLETE(
  'mistral-large',
  'What is machine learning?'
) AS response;
A successful response confirms Cortex access is configured.
5

Verify in Elementum

  1. The connection shows as Connected on the CloudLinks page.
  2. The integrated table loads correctly in Elementum.
  3. Creating or updating a record (where write access was granted) syncs back to Snowflake.

Use the connection

After verification, use the connection from elsewhere in Elementum:
  • Preview data — On the CloudLinks page, click Explore next to the connection to preview rows from any table that connection can access. Useful for confirming the data and column names match what you expect before referencing the table in a workflow.
  • Save Snowflake functions for automations — Click Functions next to the connection, choose the database and schema that contain the function, and select the function to save it. Saved functions are available in the Run Function action in automations. If a function doesn’t appear, confirm the function is set up correctly in Snowflake (see Snowflake’s function reference) and that the ELEMENTUM role has the privileges it needs: 
    GRANT USAGE ON DATABASE DATABASE_NAME TO ROLE ELEMENTUM;
GRANT USAGE ON SCHEMA DATABASE_NAME.SCHEMA_NAME TO ROLE ELEMENTUM;
GRANT USAGE ON STAGE DATABASE_NAME.SCHEMA_NAME.STAGE_NAME TO ROLE ELEMENTUM;
GRANT SELECT ON VIEW DATABASE_NAME.SCHEMA_NAME.VIEW_NAME TO ROLE ELEMENTUM;
For full capability docs, see What you can do once connected on the CloudLink Overview.

Multi-environment setup

If you use organization environments for development, staging, and production, create separate Snowflake resources for each environment.

Required isolation

EnvironmentUserRoleDatabaseSchema
ProductionELEMENTUM_PRODELEMENTUM_PRODELEMENTUM_PRODELEMENTUM_PLATFORM
StagingELEMENTUM_STAGINGELEMENTUM_STAGINGELEMENTUM_STAGINGELEMENTUM_PLATFORM
DevelopmentELEMENTUM_DEVELEMENTUM_DEVELEMENTUM_DEVELEMENTUM_PLATFORM

Setup script for additional environments

Run this for each environment, replacing DEV with your environment name. Copy the public key separately from each Elementum environment’s CloudLink settings. 
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS ELEMENTUM_DEV;
GRANT ROLE ELEMENTUM_DEV TO ROLE SYSADMIN;

CREATE USER IF NOT EXISTS ELEMENTUM_DEV
  TYPE = SERVICE
  RSA_PUBLIC_KEY = '<PASTE_PUBLIC_KEY_FROM_ELEMENTUM_UI>';
GRANT ROLE ELEMENTUM_DEV TO USER ELEMENTUM_DEV;

USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS ELEMENTUM_DEV
  WITH WAREHOUSE_SIZE = 'MEDIUM',
  MIN_CLUSTER_COUNT = 1,
  MAX_CLUSTER_COUNT = 10,
  AUTO_SUSPEND = 60;
GRANT USAGE ON WAREHOUSE ELEMENTUM_DEV TO ROLE ELEMENTUM_DEV;

CREATE DATABASE IF NOT EXISTS ELEMENTUM_DEV;
GRANT OWNERSHIP ON DATABASE ELEMENTUM_DEV TO ROLE ELEMENTUM_DEV;

USE ROLE ELEMENTUM_DEV;
USE DATABASE ELEMENTUM_DEV;
CREATE SCHEMA IF NOT EXISTS ELEMENTUM_PLATFORM;

Sharing external data across environments (optional)

You can grant multiple environment users access to the same external business data tables if you need realistic data for testing. 
USE ROLE SYSADMIN;

-- Grant the same business data to both PROD and DEV
GRANT USAGE ON DATABASE BUSINESS_DATA TO ROLE ELEMENTUM_PROD;
GRANT USAGE ON SCHEMA BUSINESS_DATA.PUBLIC TO ROLE ELEMENTUM_PROD;
GRANT SELECT ON ALL TABLES IN SCHEMA BUSINESS_DATA.PUBLIC TO ROLE ELEMENTUM_PROD;

GRANT USAGE ON DATABASE BUSINESS_DATA TO ROLE ELEMENTUM_DEV;
GRANT USAGE ON SCHEMA BUSINESS_DATA.PUBLIC TO ROLE ELEMENTUM_DEV;
GRANT SELECT ON ALL TABLES IN SCHEMA BUSINESS_DATA.PUBLIC TO ROLE ELEMENTUM_DEV;
When environments share access to external data, changes made in one environment are visible in all of them. This is usually fine for read-only reference data; be cautious with shared write access.

Key rotation

Snowflake supports two simultaneous public keys per user (RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2), enabling zero-downtime rotation. Elementum recommends rotating keys every 90 days.
1

Generate a new key pair in Elementum

In Organization Settings → CloudLinks, click Rotate Key for the connection. Copy the new public key from the dialog.
2

Assign the new key to the secondary slot

ALTER USER ELEMENTUM SET RSA_PUBLIC_KEY_2 = '<NEW_PUBLIC_KEY>';
3

Verify the new key works

Click Test Connection in Elementum.
4

Promote the new key and remove the old one

ALTER USER ELEMENTUM UNSET RSA_PUBLIC_KEY;
ALTER USER ELEMENTUM SET RSA_PUBLIC_KEY = '<NEW_PUBLIC_KEY>';
ALTER USER ELEMENTUM UNSET RSA_PUBLIC_KEY_2;
Do not remove the old key before confirming the new key works. Use Snowflake’s dual-key support to avoid disrupting active connections.

Disable password authentication

If the Snowflake user was previously created with a password, disable password-based login after key-pair authentication is confirmed: 
ALTER USER ELEMENTUM SET DISABLE_DIRECT_LOGIN = TRUE;
This ensures the service account can only be accessed through key-pair authentication.

Key-pair authentication reference

For background on how key-pair authentication works (private vs public key, why it’s required for Cortex features), see Authentication on the CloudLink Overview.

Troubleshooting

  • Verify Elementum IP addresses are whitelisted in your Snowflake network policy.
  • Confirm the RSA public key was added correctly to the Snowflake user (run DESC USER ELEMENTUM and check RSA_PUBLIC_KEY_FP).
  • Check that the ELEMENTUM user has the ELEMENTUM role granted.
  • Verify the warehouse is not suspended and has available compute.
  • Ensure the user was created with TYPE = SERVICE.
  • Verify the user creation script ran successfully.
  • Check that ACCOUNTADMIN was the active role.
  • Verify the public key was copied completely from the Elementum UI without extra whitespace or line breaks.
  • Confirm the key was assigned to the correct user (DESC USER ELEMENTUM should show a value for RSA_PUBLIC_KEY_FP).
  • Ensure the key was pasted without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.
The public key in Snowflake doesn’t match the private key Elementum holds. Re-copy the public key from Elementum and re-assign:
ALTER USER ELEMENTUM SET RSA_PUBLIC_KEY = '<NEW_PUBLIC_KEY>';
  • Run DESC USER ELEMENTUM to see which key slots have values.
  • Ensure the current Elementum public key is in either RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2.
  • Follow the key rotation procedure to safely rotate without downtime.
  • Most likely cause: you entered your data schema in the Schema field instead of ELEMENTUM_PLATFORM.
  • Verify GRANT statements include all required tables.
  • Confirm database and schema usage is granted on top of table grants.
  • Verify GRANT statements were executed for all required tables.
  • Check that the role has warehouse usage permission.
  • Confirm database and schema USAGE grants exist.
  • Verify CORTEX_ENABLED_CROSS_REGION is set to 'ANY_REGION'.
  • Confirm SNOWFLAKE.CORTEX_USER database role is granted to ELEMENTUM.
  • Check that Cortex is available in your Snowflake region.
  • Verify ACCOUNTADMIN was used to grant Cortex permissions.
  • Ensure the connection uses key-pair authentication (Cortex features require it).
  • Increase warehouse size or cluster count.
  • Add clustering keys / partitioning on large tables.
  • Review sync interval—shorter intervals consume more credits.
  • See Snowflake warehouses and Snowflake table types for tuning guidance.

Security best practices

  • Grant only the permissions the ELEMENTUM role needs.
  • Use read-only access where write access isn’t required.
  • Audit granted permissions regularly.
  • Remove access to tables no longer in use.

Next steps

Snowflake warehouses

Size and configure your Snowflake warehouse for Elementum workloads.

Snowflake table types

Choose Standard vs Hybrid tables for the right performance/cost balance.

Snowflake stages

Process files stored in Snowflake stages with Elementum automations.

License Patrol setup

Additional steps for License Patrol customers.

Snowflake Cortex AI provider

Use Snowflake Cortex for AI services in Elementum.

Build automations

Create workflows that act on your Snowflake data.