Skip to content

Snowflake Run Tags

Snowdag supports Snowflake-specific Dagster run tags for SPCS run workers. Set these tags on the Dagster run when a job needs external access integrations or Snowflake secrets.

External Access Integrations

Use the snowflake/external_access_integrations tag to attach one or more Snowflake external access integrations to the run-worker job service.

The value can be a comma-separated string:

OPENAI_EAI,SLACK_EAI

Or a JSON string array:

["OPENAI_EAI", "SLACK_EAI"]

Each value must be an unquoted Snowflake identifier. Snowdag renders the values into the EXTERNAL_ACCESS_INTEGRATIONS clause of EXECUTE JOB SERVICE.

The installed application must have USAGE on every integration used by the run:

GRANT USAGE ON INTEGRATION OPENAI_EAI TO APPLICATION snowdag_app;

Secrets

Use the snowflake/secrets tag to mount Snowflake secrets into the run-worker container as environment variables. The value must be a JSON string array:

[
  {
    "snowflakeSecret": "SNOWDAG_CONSUMER_DB.EAI_PROBE.API_TOKEN",
    "secretKeyRef": "secret_string",
    "envVarName": "MY_API_KEY"
  }
]

Fields:

  • snowflakeSecret: Snowflake secret name. It can be unqualified or a dotted identifier path such as DATABASE.SCHEMA.SECRET_NAME.
  • secretKeyRef: key exposed by the Snowflake secret, such as secret_string or password.
  • envVarName: environment variable name made available inside the run worker.

The installed application needs USAGE on the secret schema and READ on each secret:

GRANT USAGE ON DATABASE SNOWDAG_CONSUMER_DB TO APPLICATION snowdag_app;
GRANT USAGE ON SCHEMA SNOWDAG_CONSUMER_DB.EAI_PROBE TO APPLICATION snowdag_app;
GRANT READ ON SECRET SNOWDAG_CONSUMER_DB.EAI_PROBE.API_TOKEN
  TO APPLICATION snowdag_app;

Secret injection is independent from external access integrations. If a run sets both tags, Snowflake validates whether the selected integration allows the selected secrets.

Example Dagster Launch Tags

When launching a run through Dagster GraphQL or any Dagster API that accepts execution metadata, pass the tags as strings:

[
  {
    "key": "snowflake/external_access_integrations",
    "value": "OPENAI_EAI"
  },
  {
    "key": "snowflake/secrets",
    "value": "[{\"snowflakeSecret\":\"SNOWDAG_CONSUMER_DB.EAI_PROBE.API_TOKEN\",\"secretKeyRef\":\"secret_string\",\"envVarName\":\"MY_API_KEY\"}]"
  }
]

Snowdag validates the tag values before creating the run-worker job service. Invalid identifiers, invalid JSON, duplicate environment variable names, or missing required fields fail the run launch.