---
title: Manage Snowflake reader account
slug: l4gb2122
canonical_url: https://docs.coveo.com/en/l4gb2122/
collection: coveo-analytics
source_format: adoc
---

# Manage Snowflake reader account

[The Snowflake reader account](https://docs.coveo.com/en/l9e90297/) is created for an individual [Coveo organization](https://docs.coveo.com/en/185/), and therefore only contains [Coveo Analytics data](https://docs.coveo.com/en/259/) related to that organization.

Access to the Snowflake reader account for user or service accounts is managed through the [Coveo Administration Console](https://docs.coveo.com/en/183/).
By default, this access is IP-restricted. An administrator with the [required privileges](#required-privileges) can therefore manage access by [creating user accounts](#add-or-edit-users) and [adding allowed IP addresses](#add-or-block-ip-addresses).

> **Note**
>
> The reader account feature is intended for clients who don't have a Snowflake account.
> By creating a reader account through the Coveo Administration Console, you can access your data through the Snowflake portal.

## Manage your reader account

To manage the reader account, go to the **Raw Data** page, under **Snowflake Access** > [**Reader Account**](https://platform.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account)).

If you don't yet have a reader account, click **Create Snowflake Reader Account**.
The account is created automatically by using the data from your organization.

### Add or edit users

To add or edit users who can access the reader account:

. In the **Snowflake Users** section, click **Add User**.

. In the **Add User** panel that appears:

![Coveo Platform | Add User panel for reader account](https://docs.coveo.com/en/assets/images/coveo-analytics/reader-account-add-user.png)

.. Enter a user name and email.

.. (Optional) If you're granting temporary access to the user, select the **Provide temporary access** checkbox.

... In the list that appears, select the applicable duration.

... If you select **Ends on specific date**, select the date from the dropdown calendar that appears.

.. Click **Add**.

The user is added to the **Snowflake users** list.

![Coveo Platform | Snowflake Users list](https://docs.coveo.com/en/assets/images/coveo-analytics/reader-account-add-user-done.png)

. **Snowflake account password setup:** Once a user has been added, an email containing a temporary link to set the account password is sent to the user.
Once the password setup is complete, the user must use an [allowed IP address](#add-or-block-ip-addresses) to access the reader account.

. To edit an existing user, click the user name you want to edit, and then click the desired option in the Action bar.

* **Reset password**: Resets the password of the selected user account.
The user will receive an email with a temporary link to reset the account password.

* **Delete**: Deletes the selected user account.
The user will receive an email notifying them that their account has been removed from the Snowflake Users of your Coveo organization.

* **Reactivate user account**: Reactivates an inactive user account.
This option is displayed only if the **Status** of the selected user account is `Expired`.
During reactivation, the option to provide permanent or temporary access will also be provided.

> **Note**
>
> Snowflake users aren't the same as members of your Coveo organization.
> They can either be user accounts or service accounts.

> **Important**
>
> * Following the user setup, we recommend [enrolling in Snowflake's Multi-Factor Authentication (MFA)](https://docs.snowflake.com/en/user-guide/ui-preferences.html#enrolling-in-mfa-multi-factor-authentication) for an additional level of security.
> This feature provides an additional form of authentication during login.
>
> * Reader account users should take the expiry date of their account into consideration.
> When a user account expires, all Snowflake worksheets and all Snowsight dashboards from that account are lost.
> Therefore, they should create backups by copy-pasting them to a text editor and saving them to their local drive.

### Add or block IP addresses

All IP addresses are blocked by default.
Therefore, to ensure that the newly added user can access the reader account, you must add their IP address as well.

. In the **Network policies** section, under **Allowed IP addresses**, click **Add item**.

. Enter the IP addresses that you want to allow.

. Under **Blocked IP Addresses**, enter the IP addresses you want to block.

. Click **Save**.

> **Notes**
>
> * Only public IP addresses are allowed in the **Snowflake Network Policy**.
>
> * All IP addresses are blocked by default.
> For this reason, adding addresses to **Blocked IP Addresses** lets you block specific addresses within an allowed range.
>
> For example, you add `127.0.0.1/24` to **Allowed IP Addresses**.
> This allows every IP address that starts with `"127.0.0"`.
> However, you want to block `127.0.0.100` and `127.0.0.200`, which fall within that range, so you add them to **Blocked IP Addresses**.

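The allow/block evaluation described in the notes above, as an added Python example (not Coveo's or Snowflake's code) that reviews a proposed pair of lists before it is saved. It assumes IPv4 entries and treats "public" as anything outside the private, loopback, link-local and CGNAT ranges; it runs the note's own entries plus a constructed pair from documentation ranges, and because the note's illustrative range is loopback, the public-address check reports it.

```python
import ipaddress

# Assumption: "public" means outside these private, loopback, link-local and CGNAT ranges.
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def parse(entries):
    # strict=False tolerates host bits, so "127.0.0.1/24" becomes 127.0.0.0/24.
    return [ipaddress.IPv4Network(e.strip(), strict=False) for e in entries]

def is_admitted(client_ip, allowed, blocked):
    """Default deny; a match in the blocked list wins over the allowed list."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in parse(blocked)):
        return False
    return any(ip in net for net in parse(allowed))

def review_policy(allowed, blocked):
    """Return findings for a proposed pair of lists before it is saved."""
    allow, block = parse(allowed), parse(blocked)
    findings = []
    for net in allow + block:
        if any(net.overlaps(r) for r in NON_PUBLIC):
            findings.append(f"{net}: not a public range")
    for net in block:
        if not any(net.overlaps(a) for a in allow):
            findings.append(f"{net}: outside every allowed range, already denied")
    for net in allow:
        if any(net.subnet_of(b) for b in block):
            findings.append(f"{net}: fully covered by a blocked entry, admits nobody")
    return findings

# The page's illustrative entries, plus a constructed pair using documentation ranges.
PAGE_ALLOWED, PAGE_BLOCKED = ["127.0.0.1/24"], ["127.0.0.100", "127.0.0.200"]
DEMO_ALLOWED, DEMO_BLOCKED = ["203.0.113.0/24"], ["203.0.113.77", "198.51.100.9"]

if __name__ == "__main__":
    for ip in ("127.0.0.50", "127.0.0.100", "127.0.1.5"):
        print(ip, is_admitted(ip, PAGE_ALLOWED, PAGE_BLOCKED))
    for finding in review_policy(PAGE_ALLOWED, PAGE_BLOCKED):
        print(finding)
    for finding in review_policy(DEMO_ALLOWED, DEMO_BLOCKED):
        print(finding)
```
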
### Snowflake credits

In the [**Reader Account**](https://platform.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account)) subpage, the **Snowflake credits** resource monitor displays the monthly credit consumption for the reader account.
As an authenticated administrator, you can view the remaining credits based on your account's consumption for the current month.
Credit consumption is determined by the usage of the reader account's warehouse.

![Coveo Platform | Snowflake Credits consumption](https://docs.coveo.com/en/assets/images/coveo-analytics/reader-account-snowflake-credits.png)

The default size of a warehouse assigned to a reader account is `x-small`.
It contains 10 credits, equivalent to approximately 10 hours of data processing.
For more information regarding warehouse sizes and how their respective credits are computed, see [Understanding compute cost](https://docs.snowflake.com/en/user-guide/cost-understanding-compute).

A reader account that's linked to a Coveo organization is automatically assigned a `customer_wh` warehouse.
The warehouse is required to execute SQL queries.
The credits consumed by the warehouse count toward your monthly limit.

[cols="1,1",options="header"]
|===
|Actions |Credit consumption

|View dashboards and reports, and generate CSV exports in the Coveo Administration Console.
|[x]

|Perform API calls to the [UA Read API](https://docs.coveo.com/en/2671/).
|[x]

|Connect an external [BI tool](https://www.snowflake.com/trending/business-intelligence-tool) to the reader account.
|[check]

|Perform queries in the Snowflake console.
|[check]

|Perform queries against Snowflake with a user created on the **Reader Account** page.
|[check]
|===

### Access the reader account

To access the reader account from the Coveo Administration Console:

. On the [**Reader Account**](https://platform.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account)) page, click [dots], and then select **Access Snowflake**.

. On the **Sign in to Snowflake** page, enter your Snowflake username and password.

### Enable key-pair authentication

[Key-pair authentication](https://docs.snowflake.com/en/user-guide/key-pair-auth) is recommended for the Snowflake reader account if you're using an external integration, such as Snowflake Connector for Python, or a driver, such as Snowflake JDBC.

To set up key-pair authentication:

. Generate an RSA key-pair:

.. On your device, open a terminal window.

.. Verify whether your integration requires an encrypted or non-encrypted key, then run one of the following commands:

* For an encrypted key:

[source,language=bash]
```
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8
```

* For a non-encrypted key:

[source,language=bash]
```
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
```

.. Retrieve and store the private key from the `rsa_key.p8` file, which is automatically saved in the current working directory where you ran the command.

.. Generate a public key from the private key:

[source,language=bash]
```
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
```

.. Retrieve and store the public key from the `rsa_key.pub` file, which is automatically saved in the current working directory where you ran the command.

. Register the public key with your Snowflake user:

> **Note**
>
> You must have the `CUSTOMER_READWRITE` role to register the key.

.. In a Snowflake worksheet, run the following command:

[source,language=sql]
```
CALL CUSTOMER.PROCEDURES.set_rsa_key_on_current_user('');
```

where you replace `` with the public key you retrieved from the `rsa_key.pub` file.

> **Notes**
>
> * The key must be in a single line and must not contain any line breaks.
>
> * `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` are delimiters and aren't part of the key.

The result will look like this:

![RSA Key Registration result in Snowflake](https://docs.coveo.com/en/assets/images/coveo-platform/reader-account-rsa.png)

Now that the public key is registered, you can use your username, your private key, and your password (if you encrypted your key) to authenticate with Snowflake.

### Delete the reader account

At a certain point, you may want to delete the reader account, for example, if you're no longer using the reader account or if you're switching to your own Snowflake account.

> **Important**
>
> Deleting a reader account is irreversible. If you have worksheets that you want to keep, make sure to copy and save them to your local drive beforehand.

To delete the reader account:

. On the [**Reader Account**](https://platform.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/usage/raw-data/snowflake/reader-account)) subpage, click [dots], and then select **Delete Snowflake Reader account**.

. In the **Snowflake Reader Account Management** panel that appears, click **Delete**.

## Security recommendations

To ensure the reader account remains secure, consider the following practices:

* [Monitor and remove](#add-or-edit-users) inactive users to prevent unauthorized access to the reader account.
For increased security, set a [network policy](#add-or-block-ip-addresses).

* For advanced features, security, and long-lived solutions, consider using your [own Snowflake account](https://docs.coveo.com/en/o4oh0190/) for added flexibility and control.

* Reader account passwords don't expire.
Therefore, it's important to encourage users to create strong and unique passwords.
Since a password reset isn't enforced, it's equally important to manually reset them periodically.

## Required privileges

The following [privileges](https://docs.coveo.com/en/228/) are required to view or manage the Snowflake reader account.

[cols="3",options="header"]
|===
|Action |Service - Domain |Required access level

|View and export data
|Analytics - Snowflake Management
Organization - Organization
|View

.3+|Add or edit users
|Organization - Organization
|View

|Analytics - Snowflake Management
|Edit

|Analytics - Administrate
|Allowed

.3+|Add or block IP addresses
|Organization - Organization
|View

|Analytics - Snowflake Management
|Edit

|Analytics - Administrate
|Allowed
|===
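For the public-key registration step under "Enable key-pair authentication", an added Python example (not Coveo's or Snowflake's code) that turns the contents of `rsa_key.pub` into the single-line, delimiter-free form, refuses private-key material so that `rsa_key.p8` is never pasted into a worksheet, and computes the key's SHA-256 fingerprint. The sample keys are constructed and unusable, and the `SHA256:<base64>` form is the one Snowflake reports as `RSA_PUBLIC_KEY_FP`; whether a reader account role can look that value up is an assumption this page doesn't confirm.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)

def public_key_body(pem_text):
    """Return the key as one line: base64 only, no delimiters, no line breaks."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found")
    label, body = match.group(1), "".join(match.group(2).split())
    if label != "PUBLIC KEY":
        # rsa_key.p8 is labelled PRIVATE KEY or ENCRYPTED PRIVATE KEY;
        # it must never be pasted into a worksheet.
        raise ValueError(f"refusing to use a {label!r} block")
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if der[:1] != b"\x30":                       # DER must open with a SEQUENCE
        raise ValueError("decoded data is not DER")
    return body

def fingerprint(pem_text):
    """SHA-256 of the DER-encoded public key, as 'SHA256:<base64>'."""
    der = base64.b64decode(public_key_body(pem_text))
    return "SHA256:" + base64.b64encode(hashlib.sha256(der).digest()).decode()

def registration_call(pem_text):
    # Procedure name as given on this page; the base64 alphabet contains no quotes.
    return ("CALL CUSTOMER.PROCEDURES.set_rsa_key_on_current_user('"
            + public_key_body(pem_text) + "');")

# Constructed samples: real RSA-2048 header bytes followed by zero padding.
HEAD = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
SAMPLE_PUB = ("-----BEGIN PUBLIC KEY-----\n" + HEAD + "A" * 20 + "\n"
              + "A" * 16 + "\n-----END PUBLIC KEY-----\n")
SAMPLE_PRIV = "-----BEGIN PRIVATE KEY-----\nMAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(registration_call(SAMPLE_PUB))
    print(fingerprint(SAMPLE_PUB))
```
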