Runlayer Deploy Required: This server requires Runlayer Deploy to be enabled.
Connect your AI assistant to Snowflake for data warehouse queries and schema exploration. Uses Snowflake OAuth for authentication.

Available Tools

| Tool | Description |
| --- | --- |
| read_query | Execute read-only SQL queries against the warehouse |
| list_databases | List all accessible databases |
| list_schemas | List schemas in a database |
| list_tables | List tables in a schema |
| describe_table | Get column details for a table |

Setup

Step 1: Create Security Integration

Run the following SQL in your Snowflake console. Replace <your-tenant> with your Runlayer subdomain:
CREATE SECURITY INTEGRATION RUNLAYER_SNOWFLAKE_MCP_OAUTH
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://<your-tenant>.runlayer.com/oauth/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE;

-- Keep default blocked roles for security
ALTER SECURITY INTEGRATION RUNLAYER_SNOWFLAKE_MCP_OAUTH
  SET BLOCKED_ROLES_LIST = ('ACCOUNTADMIN', 'SECURITYADMIN', 'ORGADMIN');
Security Note: Never set BLOCKED_ROLES_LIST to empty. Always block at minimum ACCOUNTADMIN, SECURITYADMIN, and ORGADMIN to prevent OAuth tokens from having administrative access.
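
To confirm the integration actually carries the settings above, the following audit query can be run right after creating it. It is an added example, not part of the Runlayer documentation; it assumes the DESCRIBE output exposes lowercase "property" and "property_value" columns and that BLOCKED_ROLES_LIST is reported as a comma-separated string.

```sql
-- Added example: audit the integration created in this step.
-- Run both statements back to back in the same session, because
-- LAST_QUERY_ID() must point at the DESCRIBE statement.
DESCRIBE SECURITY INTEGRATION RUNLAYER_SNOWFLAKE_MCP_OAUTH;

WITH props AS (
  -- DESCRIBE output columns are lowercase and must be double-quoted
  SELECT "property" AS prop_name, "property_value" AS prop_value
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
),
expected (prop_name, want) AS (
  SELECT * FROM VALUES
    ('ENABLED', 'true'),
    ('OAUTH_ALLOW_NON_TLS_REDIRECT_URI', 'false'),
    ('OAUTH_ISSUE_REFRESH_TOKENS', 'true'),
    ('OAUTH_REFRESH_TOKEN_VALIDITY', '86400'),
    -- replace <your-tenant> exactly as in the CREATE statement
    ('OAUTH_REDIRECT_URI', 'https://<your-tenant>.runlayer.com/oauth/callback')
),
admin_roles (role_name) AS (
  SELECT * FROM VALUES ('ACCOUNTADMIN'), ('SECURITYADMIN'), ('ORGADMIN')
)
-- Scalar settings: the redirect URI is compared exactly,
-- the other values case-insensitively.
SELECT e.prop_name        AS check_name,
       p.prop_value       AS actual,
       e.want             AS expected,
       IFF(IFF(e.prop_name = 'OAUTH_REDIRECT_URI',
               p.prop_value = e.want,
               LOWER(p.prop_value) = e.want),
           'OK', 'MISMATCH') AS status
FROM expected e
LEFT JOIN props p ON p.prop_name = e.prop_name
UNION ALL
-- One row per administrative role that must stay blocked.
SELECT 'BLOCKED_ROLES_LIST contains ' || r.role_name,
       p.prop_value,
       'present',
       IFF(ARRAY_CONTAINS(r.role_name::VARIANT,
                          SPLIT(REPLACE(UPPER(p.prop_value), ' ', ''), ',')),
           'OK', 'MISSING')
FROM admin_roles r
LEFT JOIN props p ON p.prop_name = 'BLOCKED_ROLES_LIST';
```

Any row with status MISMATCH or MISSING means the live integration has drifted from the configuration on this page; a missing property also shows up as MISMATCH or MISSING because its actual value is NULL.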
Step 2: Get OAuth Credentials

Run this SQL to get your credentials:
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('RUNLAYER_SNOWFLAKE_MCP_OAUTH');
Copy the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET from the result.
Step 3: Add Server in Runlayer

  1. In Runlayer, go to Catalog > Snowflake > Install MCP
  2. Enter:
    • SNOWFLAKE_ACCOUNT: Your account identifier (e.g., SNFKACCT-EL36949)
    • SNOWFLAKE_HOST: Your Snowflake host (e.g., snfkacct-el36949.snowflakecomputing.com)
    • SNOWFLAKE_OAUTH_CLIENT_ID: Client ID from Step 2
    • SNOWFLAKE_OAUTH_CLIENT_SECRET: Client Secret from Step 2
    • SNOWFLAKE_WAREHOUSE: Default warehouse (e.g., COMPUTE_WH)
  3. Click Deploy Server
Step 4: Authorize

  1. Click Connect on the server page
  2. Log in with your Snowflake credentials
  3. Review permissions and click Allow
Each user will need to complete this authorization process with their own Snowflake credentials. This ensures that queries run with each user’s individual permissions.
Step 5: Test the Connection

In your MCP client, try asking:
“Show me who am I using the Snowflake MCP”
The agent will run a query and return your connected user details.

Configuration Reference

Required:
| Variable | Description |
| --- | --- |
| SNOWFLAKE_ACCOUNT | Account identifier (e.g., SNFKACCT-EL3694 or myorg-account_xyz) |
| SNOWFLAKE_HOST | Snowflake host (e.g., myorg-account_xyz.snowflakecomputing.com) |
| SNOWFLAKE_OAUTH_CLIENT_ID | OAuth client ID from security integration |
| SNOWFLAKE_OAUTH_CLIENT_SECRET | OAuth client secret from security integration |
| SNOWFLAKE_WAREHOUSE | Default warehouse for queries |

Optional:

| Variable | Description |
| --- | --- |
| SNOWFLAKE_ROLE | Default role for OAuth scopes (defaults to PUBLIC) |

Account vs Host

  • SNOWFLAKE_ACCOUNT: Account identifier, required for OAuth URL construction (e.g., SNFKACCT-EL3694)
  • SNOWFLAKE_HOST: Snowflake hostname — use default ({account}.snowflakecomputing.com) or custom for proxy/private endpoints

Updating Configuration

After initial deployment, you can update configuration options via CLI:
# Pull existing configuration
runlayer deploy pull --deployment-id <deployment-id>

# Edit runlayer.yaml locally

# Deploy updated configuration
runlayer deploy

Troubleshooting

Check your Snowflake URL for the correct format. For regional accounts, include the region (e.g., abc12345.us-east-1).
Verify the OAUTH_REDIRECT_URI in your security integration matches exactly, including the trailing slash.
Ensure the role you authorized has USAGE privilege on the warehouse: GRANT USAGE ON WAREHOUSE <name> TO ROLE <role>;
Remove the role from BLOCKED_ROLES_LIST or choose a different role during authorization.