Step-by-Step Guide: Connect Claude to Snowflake in 2026

by Somya Sharma | July 1, 2026

Connect Claude to SnowflakeSnowflake stores some of the most analytically rich data in any enterprise. Getting that data into Claude, where it can power natural language queries, automated analysis, and AI agent workflows, requires a clear path through authentication, network policy, and governance.

This blog covers how to connect Claude to Snowflake in 2026 using CData Connect AI, a managed MCP (Model Context Protocol) platform that handles OAuth, role-based access control (RBAC), and audit logging through a single governed endpoint.

Step 1: Prepare Snowflake for Claude integration

Before any connector is configured, the Snowflake environment needs a dedicated role scoped to the minimum permissions Claude requires. Assigning a purpose-built role prevents Claude from accessing schemas or objects outside its intended scope and makes permission reviews straightforward.

CREATE ROLE claude_role;
GRANT USAGE ON DATABASE analytics_db TO ROLE claude_role;
GRANT USAGE ON SCHEMA analytics_db.public TO ROLE claude_role;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics_db.public TO ROLE claude_role;

Each GRANT adds one layer of access: USAGE on the database and schema allows navigation, while SELECT on tables allows data retrieval. Claude's connector requires only OAuth setup and an MCP server; no semantic models or agent frameworks are needed.

Snowflake's built-in RBAC framework restricts system access based on assigned roles, and row-level security policies can be layered on top for additional control. Before moving to authentication, identify the Snowflake account identifier. Underscores must be converted to hyphens for OAuth and URL compatibility.

Step 2: Set up OAuth security integration in Snowflake

OAuth (Open Authorization) is an open standard for access delegation that allows applications to connect securely without exposing credentials. Configuring an OAuth security integration in Snowflake creates the credentials Claude or Connect AI will use to authenticate.

CREATE SECURITY INTEGRATION claude_oauth
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_REDIRECT_URI = 'https://oauth.cdata.com/oauth/'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE;

After creation, run DESCRIBE SECURITY INTEGRATION claude_oauth to retrieve the Client ID and Client Secret. Acquiring these values requires ACCOUNTADMIN or SECURITYADMIN privileges. Two common pitfalls to avoid:

  • Redirect URI mismatch: the URI in Snowflake must exactly match the callback URL configured in Connect AI, including protocol and path.

  • Account name formatting: underscores in the account identifier cause OAuth failures. Hyphens must be used throughout.

Step 3: Configure network and governance policies

Snowflake network policies control which IP ranges can establish connections. Add an Ingress Network Rule to permit traffic from Connect AI endpoints (for example, the 160.79.106.0/24 range) before testing the connection.

There is a real trade-off between tight network policies and cross-system flexibility. Connect AI brokers requests between Claude and Snowflake, meaning data leaves the Snowflake perimeter during query execution. Claude's connection to the Connect AI MCP endpoint originates from Anthropic's cloud infrastructure, so the endpoint must be reachable over the public internet. Role scoping and audit logging are the primary compliance controls in this model. Teams in regulated industries should verify these routing expectations against data residency requirements before any production workload runs.

Step 4: Configure a remote MCP server for Snowflake access

MCP is an open standard for real-time, governed access between AI agents and enterprise data systems. The right deployment path depends on whether Claude needs Snowflake-only connectivity or broader access across multiple enterprise systems.

For Snowflake-only connectivity

Snowflake now natively supports MCP, so most teams don't need to host a separate server. When registering the MCP server URL, confirm the account identifier uses hyphens rather than underscores. For setup instructions, refer to Snowflake's official documentation. This path works well for teams that only need Claude to query Snowflake and nothing else.

For connectivity to Snowflake and hundreds of other sources

A remote MCP connector is a cloud endpoint that brokers governed connections between AI tools and enterprise data sources, aggregating access policies and credentials in one place. Connect AI operates as this managed layer between Claude and Snowflake and extends the same governed access to hundreds of other enterprise systems. To add Snowflake as a data source in Connect AI:

  1. Log in to your Connect AI dashboard and click Add Connection.

  2. Choose Snowflake from the connector catalog.

  3. Enter the Snowflake account identifier (hyphens, not underscores), warehouse name, and OAuth Client ID and Client Secret from Step 2.

  4. Select the authentication method. Connect AI supports OAuth, OKTA, Azure AD, and private key

  5. Save the connection and confirm the status shows active.

Dimension

Native Snowflake MCP

CData Connect AI (remote MCP)

Auditability

Snowflake query history only

Centralized audit logs across all agent interactions

Cross-system control

Snowflake-scoped only

Governs access across hundreds of enterprise systems

Authentication options

OAuth, key pair

OAuth, OKTA, Azure AD, private key

Multi-AI support

MCP-compatible tools

Native support for Claude, Copilot, ChatGPT, and Gemini

Step 5: Connect Claude to Snowflake via CData Connect AI

With the Snowflake connection configured in Connect AI, the final step is linking Claude to that managed endpoint.

  1. In Claude, navigate to Customize > Connectors and click "+".

  2. Locate CData Connect AI in the connector list and select Add.

  3. Complete the OAuth authentication flow using the Connect AI credentials.

  4. Select the Snowflake connection configured in Step 5.

  5. Confirm the connection status and verify that Claude shows an active Snowflake data source.

Upon successful connection, Claude gains access to Connect AI's MCP toolset, enabling governed queries against the configured Snowflake schemas. For a detailed UI walkthrough, refer to the CData knowledge base guide: Connect Snowflake to Claude through Connect AI.

Step 6: Validate connection and enforce security controls

Testing the connection confirms the configuration is correct before any production workloads run. Start with a read-only query targeting a low-sensitivity table and confirm that:

  • The query completes without authentication or permission errors.

  • Only the schemas granted to claude_role are visible.

  • Snowflake query history logs the session under the claude_role identity.

After confirming basic connectivity, review role permissions to verify nothing beyond the intended scope is accessible. Apply row-level security policies where sensitive fields are present. Document all operational and consent policies for data routed through Anthropic's or CData's infrastructure.

Common issues

What to check

OAuth/redirect URI issues

Verify the URI format is identical in Snowflake and Connect AI, including protocol and path

Scope mismatches

Confirm granted scopes match exactly what Claude requires — nothing more

Data visibility beyond needs

Run SHOW GRANTS TO ROLE claude_role and verify only intended schemas are accessible

Token permission reviews

Confirm OAUTH_ISSUE_REFRESH_TOKENS is TRUE and token rotation is active in Connect AI

Step 7: Troubleshoot common issues

Most integration failures trace back to a small set of root causes:

  • OAuth or redirect URI failures: verify the URI format is identical in Snowflake and Connect AI, and that the account name uses hyphens throughout.

  • Insufficient privileges errors: run SHOW GRANTS TO ROLE claude_role to confirm each required privilege is present. Missing USAGE on the database or schema is the most common cause.

  • Network or firewall issues: verify the Connect AI IP range is added to the Snowflake network policy. Firewall blocks surface as connection timeouts rather than authentication errors.

  • Token expiry: confirm OAUTH_ISSUE_REFRESH_TOKENS is set to TRUE in the security integration and that Connect AI token rotation is active.

Step 8: Apply governance and role management best practices

Least-privilege access keeps claude_role scoped to only what the use case requires and review grants periodically as schema changes occur. An audit trail is a chronological record that provides documentary evidence of the sequence of activities. Snowflake's built-in query history, combined with Connect AI's centralized audit logs, creates a complete record of every SQL statement Claude executes. Review role grants regularly and enable Snowflake's built-in logging to track every AI-driven query. Claude's connector can reach into multiple enterprise systems concurrently, so cross-system access should be explicitly documented.

Frequently asked questions

What prerequisites do I need to connect Claude to Snowflake?

To connect Claude to Snowflake, Snowflake admin rights are needed to create roles and security integrations, access to a Claude-compatible MCP connector, and network permissions to allow communication between all components.

How do I secure OAuth credentials and manage access scopes?

Store OAuth credentials securely in the integration platform, use the minimum permissions required, and verify role scopes in Snowflake to limit Claude's data access.

Can Claude query multiple Snowflake schemas or databases in one session?

Yes, Claude can access multiple schemas or databases if the granted roles include the necessary privileges for those objects within Snowflake.

How can I audit Claude's queries on Snowflake for compliance?

Enable Snowflake's query logging and audit trails to track every SQL statement run by Claude, allowing for full oversight and compliance review.

What should I do if OAuth redirect URIs cause connection failures?

Check that the redirect URI format is correct, ensure account name formatting uses hyphens instead of underscores, and validate that all network policies permit traffic from Claude or CData endpoints.

Connect Claude to Snowflake with CData Connect AI

CData Connect AI provides a governed MCP platform with native Snowflake support, built-in RBAC, audit trails, and compatibility with Claude and other leading AI platforms.

Start a free trial to put Claude to work on live Snowflake data.

Your enterprise data, finally AI-ready.

Connect AI gives your AI assistants and agents live, governed access to hundreds of enterprise systems — so they can reason over your actual business data, not just what they were trained on.

Get the trial