July 5, 2026
Production-Grade Snowflake Account Setup: A Complete 11-Step Implementation Guide using Coco
A step-by-step technical tutorial to configure security, roles, cost management, and governance for your new Snowflake account — with all…

By Satish Kumar
10 min read
A step-by-step technical tutorial to configure security, roles, cost management, and governance for your new Snowflake account — with all code available on GitHub.
Introduction
You've just created a Snowflake account and you're staring at the welcome page: "Complete your account setup to configure security, roles, and cost management. 0 of 11 tasks completed — 0% production grade." with the help of Cortex Code.
This article walks through every one of those 11 tasks with production-ready SQL, architectural reasoning, and real-world best practices. By the end, you'll have a properly hardened, governed, and cost-controlled Snowflake environment.
Prerequisites:
- A Snowflake account (any edition — Business Critical recommended for production)
- Access to the ACCOUNTADMIN and ORGADMIN roles
- Okta tenant (or another SAML/SCIM-compatible IdP)
Repository Structure:
snowflake-onboarding/
├── README.md
├── LICENSE
├── gitignore.txt → Rename to .gitignore
│
├── 01-platform-foundation-setup/ (Tasks 1–3)
│ ├── 01_platform_foundation.sql → Org, infra DB, naming conventions
│ ├── 02_platform_security.sql → SCIM, SSO, break-glass, network, MFA
│ └── 03_platform_cost_management.sql → Budgets, resource monitors, cost tags
│
├── 02-account-creation/ (Tasks 4–6)
│ ├── 01_account_provisioning.sql → Create accounts, replication
│ ├── 02_account_security.sql → SCIM, admins, SSO, auth policies
│ └── 03_account_cost_management.sql → Budget, monitors, cost allocation
│
└── 03-data-product-setup/ (Tasks 7–11)
├── 01_data_product_planning.sql → Zones, schemas, warehouses
├── 02_core_roles_databases.sql → Roles, databases, access roles
├── 03_warehouse_access.sql → Warehouses, hierarchy
├── 04_consumer_access.sql → Read roles, grants
└── 05_cost_management.sql → Resource monitors, alertssnowflake-onboarding/
├── README.md
├── LICENSE
├── gitignore.txt → Rename to .gitignore
│
├── 01-platform-foundation-setup/ (Tasks 1–3)
│ ├── 01_platform_foundation.sql → Org, infra DB, naming conventions
│ ├── 02_platform_security.sql → SCIM, SSO, break-glass, network, MFA
│ └── 03_platform_cost_management.sql → Budgets, resource monitors, cost tags
│
├── 02-account-creation/ (Tasks 4–6)
│ ├── 01_account_provisioning.sql → Create accounts, replication
│ ├── 02_account_security.sql → SCIM, admins, SSO, auth policies
│ └── 03_account_cost_management.sql → Budget, monitors, cost allocation
│
└── 03-data-product-setup/ (Tasks 7–11)
├── 01_data_product_planning.sql → Zones, schemas, warehouses
├── 02_core_roles_databases.sql → Roles, databases, access roles
├── 03_warehouse_access.sql → Warehouses, hierarchy
├── 04_consumer_access.sql → Read roles, grants
└── 05_cost_management.sql → Resource monitors, alertsPhase 1: Platform Foundation Setup
Task 1: Platform Foundation — Organization, Infrastructure & Naming Conventions
📁 Full SQL: 01-platform-foundation-setup/01_platform_foundation.sql
The first step establishes your organizational structure, creates the infrastructure database, and defines naming conventions that scale.
What this script does:
- Configures the organization name (
CONTOSO) for URL patterns - Creates DEV, QA, and STAGING accounts (multi-account strategy)
- Provisions the
INFRA_PLATFORMdatabase with MONITORING, UTILITIES, METADATA, and AUDIT schemas - Creates domain databases following
DOMAIN_LAYERnaming:FINANCE_RAW,FINANCE_CURATED,FINANCE_ANALYTICS - Enables cross-account database replication
Naming Convention Reference:
| Object Type | Naming Pattern | Example |
| --------------------------- | ------------------------------ | ------------------------------------------------------------------------------- |
| Database | `<DOMAIN>_<LAYER>` | `FINANCE_RAW`, `FINANCE_CURATED`, `SALES_ANALYTICS` |
| Schema | `<PURPOSE>` | `INGESTION`, `STAGING`, `DIMENSIONS`, `FACTS`, `MARTS`, `REPORTING`, `SECURITY` |
| Table | `<ENTITY>` | `TRANSACTIONS`, `CUSTOMERS`, `GL_ENTRIES`, `ORDERS` |
| View | `V_<ENTITY>` | `V_MONTHLY_REVENUE`, `V_ACTIVE_CUSTOMERS` |
| Materialized View | `MV_<ENTITY>` | `MV_DAILY_SALES` |
| Dynamic Table | `DT_<ENTITY>` | `DT_CUSTOMER_360` |
| Warehouse | `<DOMAIN>_<SIZE>_<PURPOSE>_WH` | `FINANCE_M_ETL_WH`, `SALES_L_BI_WH` |
| Role | `<DOMAIN>_<ACCESS_LEVEL>` | `FINANCE_READER`, `FINANCE_ADMIN`, `HR_ENGINEER` |
| Database Role | `<DATABASE>_<ACCESS_LEVEL>` | `FINANCE_RAW_READER` |
| User | `<FIRSTNAME>_<LASTNAME>` | `SATISH_KUMAR` |
| Stage | `<DOMAIN>_<SOURCE>_STG` | `FINANCE_SAP_STG`, `SALES_S3_STG` |
| File Format | `<FORMAT>_FF` | `CSV_FF`, `PARQUET_FF`, `JSON_FF` |
| Pipe | `<DOMAIN>_<ENTITY>_PIPE` | `FINANCE_TRANSACTIONS_PIPE` |
| Stream | `<ENTITY>_STREAM` | `CUSTOMERS_STREAM` |
| Task | `<DOMAIN>_<ACTION>_TASK` | `FINANCE_LOAD_DAILY_TASK` |
| Procedure | `SP_<ACTION>` | `SP_LOAD_CUSTOMERS` |
| Function (UDF) | `FN_<ACTION>` | `FN_CALCULATE_TAX` |
| Sequence | `SEQ_<ENTITY>` | `SEQ_ORDER_ID` |
| Masking Policy | `MP_<COLUMN>` | `MP_SSN` |
| Row Access Policy | `RAP_<ENTITY>` | `RAP_EMPLOYEE` |
| Tag | `TAG_<NAME>` | `TAG_PII`, `TAG_SENSITIVE` |
| Network Rule | `NR_<PURPOSE>` | `NR_CORPORATE_IPS` |
| Secret | `SECRET_<NAME>` | `SECRET_SALESFORCE` |
| External Access Integration | `EAI_<SERVICE>` | `EAI_OPENAI` |
| API Integration | `API_<SERVICE>` | `API_SALESFORCE` |
| Storage Integration | `SI_<CLOUD_PROVIDER>` | `SI_AWS`, `SI_AZURE` |
| Notification Integration | `NI_<SERVICE>` | `NI_EMAIL`, `NI_SNS` |
| Compute Pool | `CP_<PURPOSE>` | `CP_ML_WORKLOAD` |
| Service | `SVC_<APPLICATION>` | `SVC_FRAUD_DETECTION` |
| Notebook | `NB_<PROJECT>` | `NB_SALES_FORECAST` |
| Git Repository | `GIT_<PROJECT>` | `GIT_DATA_PLATFORM` |
| Image Repository | `IMG_<PROJECT>` | `IMG_ML_MODELS` |
| Snapshot Set | `SS_<DATABASE>` | `SS_FINANCE_RAW` |
| Data Metric Function | `DMF_<METRIC>` | `DMF_NULL_CHECK` || Object Type | Naming Pattern | Example |
| --------------------------- | ------------------------------ | ------------------------------------------------------------------------------- |
| Database | `<DOMAIN>_<LAYER>` | `FINANCE_RAW`, `FINANCE_CURATED`, `SALES_ANALYTICS` |
| Schema | `<PURPOSE>` | `INGESTION`, `STAGING`, `DIMENSIONS`, `FACTS`, `MARTS`, `REPORTING`, `SECURITY` |
| Table | `<ENTITY>` | `TRANSACTIONS`, `CUSTOMERS`, `GL_ENTRIES`, `ORDERS` |
| View | `V_<ENTITY>` | `V_MONTHLY_REVENUE`, `V_ACTIVE_CUSTOMERS` |
| Materialized View | `MV_<ENTITY>` | `MV_DAILY_SALES` |
| Dynamic Table | `DT_<ENTITY>` | `DT_CUSTOMER_360` |
| Warehouse | `<DOMAIN>_<SIZE>_<PURPOSE>_WH` | `FINANCE_M_ETL_WH`, `SALES_L_BI_WH` |
| Role | `<DOMAIN>_<ACCESS_LEVEL>` | `FINANCE_READER`, `FINANCE_ADMIN`, `HR_ENGINEER` |
| Database Role | `<DATABASE>_<ACCESS_LEVEL>` | `FINANCE_RAW_READER` |
| User | `<FIRSTNAME>_<LASTNAME>` | `SATISH_KUMAR` |
| Stage | `<DOMAIN>_<SOURCE>_STG` | `FINANCE_SAP_STG`, `SALES_S3_STG` |
| File Format | `<FORMAT>_FF` | `CSV_FF`, `PARQUET_FF`, `JSON_FF` |
| Pipe | `<DOMAIN>_<ENTITY>_PIPE` | `FINANCE_TRANSACTIONS_PIPE` |
| Stream | `<ENTITY>_STREAM` | `CUSTOMERS_STREAM` |
| Task | `<DOMAIN>_<ACTION>_TASK` | `FINANCE_LOAD_DAILY_TASK` |
| Procedure | `SP_<ACTION>` | `SP_LOAD_CUSTOMERS` |
| Function (UDF) | `FN_<ACTION>` | `FN_CALCULATE_TAX` |
| Sequence | `SEQ_<ENTITY>` | `SEQ_ORDER_ID` |
| Masking Policy | `MP_<COLUMN>` | `MP_SSN` |
| Row Access Policy | `RAP_<ENTITY>` | `RAP_EMPLOYEE` |
| Tag | `TAG_<NAME>` | `TAG_PII`, `TAG_SENSITIVE` |
| Network Rule | `NR_<PURPOSE>` | `NR_CORPORATE_IPS` |
| Secret | `SECRET_<NAME>` | `SECRET_SALESFORCE` |
| External Access Integration | `EAI_<SERVICE>` | `EAI_OPENAI` |
| API Integration | `API_<SERVICE>` | `API_SALESFORCE` |
| Storage Integration | `SI_<CLOUD_PROVIDER>` | `SI_AWS`, `SI_AZURE` |
| Notification Integration | `NI_<SERVICE>` | `NI_EMAIL`, `NI_SNS` |
| Compute Pool | `CP_<PURPOSE>` | `CP_ML_WORKLOAD` |
| Service | `SVC_<APPLICATION>` | `SVC_FRAUD_DETECTION` |
| Notebook | `NB_<PROJECT>` | `NB_SALES_FORECAST` |
| Git Repository | `GIT_<PROJECT>` | `GIT_DATA_PLATFORM` |
| Image Repository | `IMG_<PROJECT>` | `IMG_ML_MODELS` |
| Snapshot Set | `SS_<DATABASE>` | `SS_FINANCE_RAW` |
| Data Metric Function | `DMF_<METRIC>` | `DMF_NULL_CHECK` |Task 2: Platform Security & Identity Management
📁 Full SQL: 01-platform-foundation-setup/02_platform_security.sql
This is the most critical task — configuring SCIM, SSO, break-glass access, network policies, authentication policies, and MFA enforcement.
What this script does (7 steps):
- SCIM Integration — Creates
OKTA_PROVISIONERrole, configures SCIM security integration, restricts access to Okta IP ranges - Account Administrators — Provisions 2 admin users with ACCOUNTADMIN, SECURITYADMIN, SYSADMIN, and ORGADMIN
- SAML SSO — Configures Okta SAML2 integration with SP-initiated login
- Break-Glass Access — Creates emergency admin with password + TOTP (no SSO dependency), unrestricted network
- Network Policies — Corporate IP allowlist at account level
- Authentication Policies — SSO-only for humans, key-pair for service accounts
- MFA Enforcement — Account-wide Duo MFA requirement
Critical:_ The break-glass password must be stored in a vault_ separate from Okta_. If Okta is down, this is your only way in._
Task 3: Platform Cost Management
📁 Full SQL: 01-platform-foundation-setup/03_platform_cost_management.sql
Three layers of cost control: budgets for visibility, resource monitors for enforcement, and tags for attribution.
What this script does:
- Spending Budget — Activates account budget at 10,000 credits/month with email alerts at 50/75/90/100%
- Per-Warehouse Resource Monitors — 500 credits/month per warehouse (COMPUTE_WH, FINANCE_S_ETL_WH, SNOWFLAKE_LEARNING_WH)
- Cost Allocation Tags — Creates
GOVERNANCE.TAGS.TEAM(6 allowed values) andGOVERNANCE.TAGS.COST_CENTER - Tag Application — Tags warehouses for chargeback and attribution
- Verification Query — SQL to report credit usage by tag value
Phase 2: Account Creation
Task 4: Account Provisioning
📁 Full SQL: 02-account-creation/01_account_provisioning.sql
Create additional Snowflake accounts for workload isolation (e.g., Data Science/AI).
What this script does:
- Creates
PROD_DATASCIENCEaccount (Business Critical, AWS US East 1) - Enables replication and failover for
INFRASTRUCTUREdatabase to the new account - Creates a database replica in the new account
- Sets up hourly automated replication refresh via a Snowflake Task
Task 5: Account Security & Identity
📁 Full SQL: 02-account-creation/02_account_security.sql
Applies the same security stack (SCIM, SSO, break-glass, network rules, auth policies, MFA) to the new account.
What this script does (7 steps):
- SCIM — Okta provisioning with
OKTA_PROVISIONERrole - Administrators — Single admin user with ACCOUNTADMIN
- SAML SSO — Okta SAML2 integration (same pattern as platform)
- Break-Glass — 2 emergency users, IP-restricted, password + TOTP MFA
- Network Policy — Corporate IP allowlist (commented-out activation for safety)
- Auth Policies — SSO-only for humans, password-only for services
- MFA — Account-wide enforcement with enrollment audit query
Task 6: Account Cost Management
📁 Full SQL: 02-account-creation/03_account_cost_management.sql
What this script does:
- Activates account budget at 10,000 credits/month
- Creates account-level resource monitor at 8,000 credits (early warning buffer below budget limit)
- Creates
ADMIN.TAGS.COST_CENTERtag with 6 department values
Phase 3: Data Product Setup
Task 7: Data Product Planning
📁 Full SQL: 03-data-product-setup/01_data_product_planning.sql
Plan and provision a complete data product with database-per-zone isolation.
What this script does:
- Creates 4 zone databases:
CUSTOMER_ANALYTICS_RAW,_CURATED,_CONSUMPTION,_SANDBOX - RAW zone schemas by source system (Salesforce, Stripe, SAP) and data category
- CURATED zone schemas: CONFORMED, BUSINESS_ENTITIES, HISTORY
- CONSUMPTION zone schemas by business function and data product, plus SHARED schema
- SANDBOX zone for data science and exploration
- 4 workload-isolated warehouses: Loading, Transform, Reporting, Data Science
- External data share for marketplace publishing
Warehouse Plan:
| Warehouse | Size | Scaling | Workload |
| ------------------------------- | ------- | ---------- | --------------------------------------------------- |
| CUSTOMER_ANALYTICS_LOADING_WH | X-Small | Fixed (1) | Data ingestion, COPY INTO, Snowpipe, ELT loading |
| CUSTOMER_ANALYTICS_TRANSFORM_WH | X-Small | Fixed (1) | dbt models, stored procedures, data transformations |
| CUSTOMER_ANALYTICS_REPORTING_WH | X-Small | Auto (1–3) | BI dashboards, reporting, ad hoc analytics |
| CUSTOMER_ANALYTICS_DS_WH | Small | Auto (1–3) | Data science, Snowpark, ML workloads || Warehouse | Size | Scaling | Workload |
| ------------------------------- | ------- | ---------- | --------------------------------------------------- |
| CUSTOMER_ANALYTICS_LOADING_WH | X-Small | Fixed (1) | Data ingestion, COPY INTO, Snowpipe, ELT loading |
| CUSTOMER_ANALYTICS_TRANSFORM_WH | X-Small | Fixed (1) | dbt models, stored procedures, data transformations |
| CUSTOMER_ANALYTICS_REPORTING_WH | X-Small | Auto (1–3) | BI dashboards, reporting, ad hoc analytics |
| CUSTOMER_ANALYTICS_DS_WH | Small | Auto (1–3) | Data science, Snowpark, ML workloads |Task 8: Core Roles & Database Setup
📁 Full SQL: 03-data-product-setup/02_core_roles_databases.sql
Create a role hierarchy with per-zone READ/WRITE access roles.
What this script does:
- Creates core roles:
SALES_ADMIN,SALES_ENGINEER,SALES_ANALYST - Builds hierarchy: SYSADMIN → ADMIN → ENGINEER → ANALYST
- Creates zone databases:
SALES_RAW,SALES_CURATED,SALES_CONSUMPTION - Creates per-zone access roles:
SALES_RAW_READ,SALES_RAW_WRITE, etc. - Configures future grants for automatic access to new objects
- Analysts get consumption-zone read access only
Role Hierarchy Diagram:
SYSADMIN
└── SALES_ADMIN
└── SALES_ENGINEER
├── SALES_RAW_WRITE → SALES_RAW_READ
├── SALES_CURATED_WRITE → SALES_CURATED_READ
└── SALES_CONSUMPTION_WRITE → SALES_CONSUMPTION_READ
└── SALES_ANALYST
└── SALES_CONSUMPTION_READSYSADMIN
└── SALES_ADMIN
└── SALES_ENGINEER
├── SALES_RAW_WRITE → SALES_RAW_READ
├── SALES_CURATED_WRITE → SALES_CURATED_READ
└── SALES_CONSUMPTION_WRITE → SALES_CONSUMPTION_READ
└── SALES_ANALYST
└── SALES_CONSUMPTION_READTask 9: Warehouse & Access Configuration
📁 Full SQL: 03-data-product-setup/03_warehouse_access.sql
What this script does:
- Creates 3 warehouses:
ETL_WH(Large),ANALYTICS_WH(Medium),DEV_WH(X-Small) - Creates per-warehouse access roles:
ETL_WH_USAGE,ANALYTICS_WH_USAGE,DEV_WH_USAGE - Grants USAGE on each warehouse to its access role
- Transfers ownership to SYSADMIN
- Wires access roles into the hierarchy under SYSADMIN
| Warehouse | Size | Auto-Suspend | Workload |
| ------------ | ------- | ------------ | ----------------------------------------- |
| ETL_WH | Large | 60s | Data loading and transformation |
| ANALYTICS_WH | Medium | 60s | Interactive analytics and reporting |
| DEV_WH | X-Small | 60s | Development, testing, and experimentation || Warehouse | Size | Auto-Suspend | Workload |
| ------------ | ------- | ------------ | ----------------------------------------- |
| ETL_WH | Large | 60s | Data loading and transformation |
| ANALYTICS_WH | Medium | 60s | Interactive analytics and reporting |
| DEV_WH | X-Small | 60s | Development, testing, and experimentation |Task 10: Consumer Access
📁 Full SQL: 03-data-product-setup/04_consumer_access.sql
Create custom read roles for external data product consumers with future grants.
What this script does:
- Creates
ANALYTICS_READERrole for external consumers - Grants the role to SYSADMIN (hierarchy management)
- Grants warehouse USAGE for query execution
- Grants read access across 3 databases: ANALYTICS, DATA_PRODUCTS, SHARED_DATA
- Uses
FUTUREgrants on schemas, tables, and views for zero-maintenance access
Key Insight:
FUTUREgrants ensure new objects are automatically accessible without additional GRANT statements.
Task 11: Data Product Cost Management
📁 Full SQL: 03-data-product-setup/05_cost_management.sql
What this script does:
- Creates
WAREHOUSE_MONITORresource monitor (500 credits/month, notify at 50/75/90/100%) - Assigns monitor to 4 warehouses: ANALYTICS_WH, ETL_WH, COMPUTE_WH, DATA_PRODUCT_WH
- Creates email notification integration for 4 recipients
- Creates automated alert that checks thresholds hourly via
SYSTEM$SEND_EMAIL - Activates the alert with
ALTER ALERT ... RESUME
Placeholder Reference
Before executing any scripts, replace all <PLACEHOLDER> values. Here's the complete list:
| Placeholder | File | Description | How to Get It |
| ------------------------------------------- | ----------------------------- | ---------------------------------- | ---------------------------------------------------------------- |
| `<CHANGE_ME>` | `01_platform_foundation.sql` | Account admin passwords | Generate a strong password using a password manager |
| `<admin_email>` | `01_platform_foundation.sql` | Administrator email | Use your platform/team administrator email |
| `<OKTA_ENTITY_ID>` | `02_platform_security.sql` | Okta Entity ID | Okta → Applications → Sign On → Issuer (Entity ID) |
| `<YOUR_ORG>` | `02_platform_security.sql` | Okta organization/subdomain | Example: `contoso` from `contoso.okta.com` |
| `<APP_ID>` | `02_platform_security.sql` | Okta Application ID | Okta → Applications → Embed Link or App Details |
| `<BASE64_ENCODED_CERTIFICATE>` | `02_platform_security.sql` | X.509 signing certificate | Okta → Applications → Sign On → SAML Signing Certificates |
| `<ACCOUNT_IDENTIFIER>` | `02_platform_security.sql` | Snowflake account identifier | Example: `zec52956.us-east-1` |
| `<STRONG_RANDOM_PASSWORD_MIN_32_CHARS>` | `02_platform_security.sql` | Break-glass account password | Generate a 32+ character password and store it in a secure vault |
| `<SET_STRONG_PASSWORD>` | `01_account_provisioning.sql` | New account administrator password | Generate a strong password using a password manager |
| `<your_org_name>` | `01_account_provisioning.sql` | Snowflake organization name | Example: `CONTOSO` |
| `<source_account_name>` | `01_account_provisioning.sql` | Source account for replication | Example: `CONTOSO_PROD` |
| `<OKTA_ISSUER_URL>` | `02_account_security.sql` | Okta Issuer URL | Example: `http://www.okta.com/exk...` |
| `<OKTA_SSO_URL>` | `02_account_security.sql` | Okta SSO URL | Example: `https://contoso.okta.com/app/...` |
| `<BREAK_GLASS_IP_1>` / `<BREAK_GLASS_IP_2>` | `02_account_security.sql` | Emergency access IP addresses | Trusted administrator workstation public IPs |
| `<CORPORATE_CIDR_1>` / `<CORPORATE_CIDR_2>` | `02_account_security.sql` | Corporate network CIDR ranges | Obtain from your network/security team |
| `<VPN_GATEWAY_IP>` | `02_account_security.sql` | VPN gateway public IP | Obtain from your infrastruct || Placeholder | File | Description | How to Get It |
| ------------------------------------------- | ----------------------------- | ---------------------------------- | ---------------------------------------------------------------- |
| `<CHANGE_ME>` | `01_platform_foundation.sql` | Account admin passwords | Generate a strong password using a password manager |
| `<admin_email>` | `01_platform_foundation.sql` | Administrator email | Use your platform/team administrator email |
| `<OKTA_ENTITY_ID>` | `02_platform_security.sql` | Okta Entity ID | Okta → Applications → Sign On → Issuer (Entity ID) |
| `<YOUR_ORG>` | `02_platform_security.sql` | Okta organization/subdomain | Example: `contoso` from `contoso.okta.com` |
| `<APP_ID>` | `02_platform_security.sql` | Okta Application ID | Okta → Applications → Embed Link or App Details |
| `<BASE64_ENCODED_CERTIFICATE>` | `02_platform_security.sql` | X.509 signing certificate | Okta → Applications → Sign On → SAML Signing Certificates |
| `<ACCOUNT_IDENTIFIER>` | `02_platform_security.sql` | Snowflake account identifier | Example: `zec52956.us-east-1` |
| `<STRONG_RANDOM_PASSWORD_MIN_32_CHARS>` | `02_platform_security.sql` | Break-glass account password | Generate a 32+ character password and store it in a secure vault |
| `<SET_STRONG_PASSWORD>` | `01_account_provisioning.sql` | New account administrator password | Generate a strong password using a password manager |
| `<your_org_name>` | `01_account_provisioning.sql` | Snowflake organization name | Example: `CONTOSO` |
| `<source_account_name>` | `01_account_provisioning.sql` | Source account for replication | Example: `CONTOSO_PROD` |
| `<OKTA_ISSUER_URL>` | `02_account_security.sql` | Okta Issuer URL | Example: `http://www.okta.com/exk...` |
| `<OKTA_SSO_URL>` | `02_account_security.sql` | Okta SSO URL | Example: `https://contoso.okta.com/app/...` |
| `<BREAK_GLASS_IP_1>` / `<BREAK_GLASS_IP_2>` | `02_account_security.sql` | Emergency access IP addresses | Trusted administrator workstation public IPs |
| `<CORPORATE_CIDR_1>` / `<CORPORATE_CIDR_2>` | `02_account_security.sql` | Corporate network CIDR ranges | Obtain from your network/security team |
| `<VPN_GATEWAY_IP>` | `02_account_security.sql` | VPN gateway public IP | Obtain from your infrastruct |Architecture Summary
┌─────────────────────────────────────────────────────────────────────┐
│ ORGANIZATION: CONTOSO │
├──────────────┬──────────────┬──────────────┬────────────────────────┤
│ CONTOSO_DEV │ CONTOSO_QA │ CONTOSO_STG │ CONTOSO_PROD │
│ (Enterprise)│ (Enterprise)│ (Enterprise)│ (Business Critical) │
└──────────────┴──────────────┴──────────────┴────────────────────────┘
│
┌──────────────────────────────────────────┤
▼ ▼
┌───────────────┐ ┌────────────────────┐
│ INFRA_PLATFORM│ │ FINANCE_RAW │
│ ├─MONITORING │ │ ├─INGESTION │
│ ├─UTILITIES │ │ └─STAGING │
│ ├─METADATA │ ├────────────────────┤
│ └─AUDIT │ │ FINANCE_CURATED │
└───────────────┘ │ ├─DIMENSIONS │
│ └─FACTS │
┌───────────────┐ ├────────────────────┤
│ GOVERNANCE │ │ FINANCE_ANALYTICS │
│ └─TAGS │ │ ├─REPORTS │
│ ├─TEAM │ │ └─MODELS │
│ └─COST_CTR │ └────────────────────┘
└───────────────┘┌─────────────────────────────────────────────────────────────────────┐
│ ORGANIZATION: CONTOSO │
├──────────────┬──────────────┬──────────────┬────────────────────────┤
│ CONTOSO_DEV │ CONTOSO_QA │ CONTOSO_STG │ CONTOSO_PROD │
│ (Enterprise)│ (Enterprise)│ (Enterprise)│ (Business Critical) │
└──────────────┴──────────────┴──────────────┴────────────────────────┘
│
┌──────────────────────────────────────────┤
▼ ▼
┌───────────────┐ ┌────────────────────┐
│ INFRA_PLATFORM│ │ FINANCE_RAW │
│ ├─MONITORING │ │ ├─INGESTION │
│ ├─UTILITIES │ │ └─STAGING │
│ ├─METADATA │ ├────────────────────┤
│ └─AUDIT │ │ FINANCE_CURATED │
└───────────────┘ │ ├─DIMENSIONS │
│ └─FACTS │
┌───────────────┐ ├────────────────────┤
│ GOVERNANCE │ │ FINANCE_ANALYTICS │
│ └─TAGS │ │ ├─REPORTS │
│ ├─TEAM │ │ └─MODELS │
│ └─COST_CTR │ └────────────────────┘
└───────────────┘Security Architecture
┌─────────────────────────────────────────────────────────────┐
│ AUTHENTICATION LAYER │
├─────────────────┬─────────────────────┬─────────────────────┤
│ Human Users │ Service Accounts │ Break-Glass Admin │
│ SSO (SAML) │ Key-pair Only │ Password + TOTP │
│ + Duo MFA │ No MFA │ No SSO dependency │
├─────────────────┴─────────────────────┴─────────────────────┤
│ NETWORK LAYER │
│ Account Policy: Corporate CIDRs only │
│ Break-glass override: Unrestricted (MFA-protected) │
│ SCIM: Okta IPs only │
├──────────────────────────────────────────────────────────────┤
│ AUTHORIZATION LAYER │
│ ACCOUNTADMIN → SYSADMIN → Domain Roles → Access Roles │
│ SECURITYADMIN manages users/roles │
│ ORGADMIN manages org-level operations │
└──────────────────────────────────────────────────────────────┘┌─────────────────────────────────────────────────────────────┐
│ AUTHENTICATION LAYER │
├─────────────────┬─────────────────────┬─────────────────────┤
│ Human Users │ Service Accounts │ Break-Glass Admin │
│ SSO (SAML) │ Key-pair Only │ Password + TOTP │
│ + Duo MFA │ No MFA │ No SSO dependency │
├─────────────────┴─────────────────────┴─────────────────────┤
│ NETWORK LAYER │
│ Account Policy: Corporate CIDRs only │
│ Break-glass override: Unrestricted (MFA-protected) │
│ SCIM: Okta IPs only │
├──────────────────────────────────────────────────────────────┤
│ AUTHORIZATION LAYER │
│ ACCOUNTADMIN → SYSADMIN → Domain Roles → Access Roles │
│ SECURITYADMIN manages users/roles │
│ ORGADMIN manages org-level operations │
└──────────────────────────────────────────────────────────────┘Cost Control Architecture
┌─────────────────────────────────────────────────────────┐
│ LAYER 1: ACCOUNT BUDGET │
│ 10,000 credits/month — alerts at 50/75/90/100% │
├─────────────────────────────────────────────────────────┤
│ LAYER 2: ACCOUNT RESOURCE MONITOR │
│ 8,000 credits/month — early warning buffer │
├─────────────────────────────────────────────────────────┤
│ LAYER 3: PER-WAREHOUSE MONITORS │
│ 500 credits/warehouse — granular control │
├─────────────────────────────────────────────────────────┤
│ LAYER 4: COST ALLOCATION TAGS │
│ TEAM + COST_CENTER — chargeback & attribution │
└─────────────────────────────────────────────────────────┘┌─────────────────────────────────────────────────────────┐
│ LAYER 1: ACCOUNT BUDGET │
│ 10,000 credits/month — alerts at 50/75/90/100% │
├─────────────────────────────────────────────────────────┤
│ LAYER 2: ACCOUNT RESOURCE MONITOR │
│ 8,000 credits/month — early warning buffer │
├─────────────────────────────────────────────────────────┤
│ LAYER 3: PER-WAREHOUSE MONITORS │
│ 500 credits/warehouse — granular control │
├─────────────────────────────────────────────────────────┤
│ LAYER 4: COST ALLOCATION TAGS │
│ TEAM + COST_CENTER — chargeback & attribution │
└─────────────────────────────────────────────────────────┘Production Readiness Checklist
| Category | What's Configured | Status |
| --------------------------- | ----------------------------------------------------------------- | ------ |
| Organization | Multi-account strategy (Dev, QA, Staging, Prod) | ✅ |
| Infrastructure | `INFRA_PLATFORM` database with four schemas | ✅ |
| Naming Standards | `DOMAIN_LAYER` naming convention enforced | ✅ |
| Identity Management | Okta SCIM provisioning and SAML SSO | ✅ |
| Emergency Access | Break-glass administrator account (password + TOTP, no SSO) | ✅ |
| Network Security | Corporate IP allowlist configured at account level | ✅ |
| Authentication | SSO for human users; key-pair authentication for service accounts | ✅ |
| Multi-Factor Authentication | Account-wide MFA (Duo) enforcement | ✅ |
| Budget Management | 10,000 credits/month with email notifications | ✅ |
| Resource Monitors | Account-level and warehouse-level resource monitors | ✅ |
| Cost Governance | `TEAM` and `COST_CENTER` tags in `GOVERNANCE.TAGS` | ✅ |
| Data Platform | Four-zone architecture with dedicated access roles | ✅ |
| RBAC | Hierarchical roles: `ADMIN` → `ENGINEER` → `ANALYST` | ✅ |
| Warehouses | Workload-isolated virtual warehouses with role-based access | ✅ |
| Consumer Access | `ANALYTICS_READER` role with future grants | ✅ |
| Alerts | Email notifications for resource threshold breaches | ✅ |
| Replication | Cross-account database replication enabled | ✅ || Category | What's Configured | Status |
| --------------------------- | ----------------------------------------------------------------- | ------ |
| Organization | Multi-account strategy (Dev, QA, Staging, Prod) | ✅ |
| Infrastructure | `INFRA_PLATFORM` database with four schemas | ✅ |
| Naming Standards | `DOMAIN_LAYER` naming convention enforced | ✅ |
| Identity Management | Okta SCIM provisioning and SAML SSO | ✅ |
| Emergency Access | Break-glass administrator account (password + TOTP, no SSO) | ✅ |
| Network Security | Corporate IP allowlist configured at account level | ✅ |
| Authentication | SSO for human users; key-pair authentication for service accounts | ✅ |
| Multi-Factor Authentication | Account-wide MFA (Duo) enforcement | ✅ |
| Budget Management | 10,000 credits/month with email notifications | ✅ |
| Resource Monitors | Account-level and warehouse-level resource monitors | ✅ |
| Cost Governance | `TEAM` and `COST_CENTER` tags in `GOVERNANCE.TAGS` | ✅ |
| Data Platform | Four-zone architecture with dedicated access roles | ✅ |
| RBAC | Hierarchical roles: `ADMIN` → `ENGINEER` → `ANALYST` | ✅ |
| Warehouses | Workload-isolated virtual warehouses with role-based access | ✅ |
| Consumer Access | `ANALYTICS_READER` role with future grants | ✅ |
| Alerts | Email notifications for resource threshold breaches | ✅ |
| Replication | Cross-account database replication enabled | ✅ |Recommended Next Steps
- Enable Snowflake Trust Center — continuous security scanning
- Set up data masking policies — protect PII and sensitive columns
- Configure Snowpipe or connectors — automate data ingestion
- Deploy dbt or Snowflake Tasks — orchestrate transformations
- Integrate Cortex AI — semantic views, agents, and AI functions
- Set up data quality monitoring — DMFs for freshness, completeness, and accuracy
- Configure lineage tracking — understand data flow and impact
Get the Code
All SQL scripts are available on GitHub is generated by Cortex Code:
git clone https://github.com/skrz2014/snowflake-onboarding.git
cd snowflake-onboardinggit clone https://github.com/skrz2014/snowflake-onboarding.git
cd snowflake-onboardingReplace placeholders, then execute in order:
01-platform-foundation-setup/(as ORGADMIN/ACCOUNTADMIN)02-account-creation/(as ORGADMIN)03-data-product-setup/(as SYSADMIN/SECURITYADMIN)
Video Demo:
This guide reflects Snowflake best practices as of 2025. Consult the Snowflake documentation for the latest feature updates and recommendations.
👏 Give it a clap if it added value 🔗 Share it with your team
➕ Follow for more
📘 Medium: Satish Kumar
🔗 LinkedIn: satishkumar-snowflake
See you in the next one! 👋