Connecting Snowflake to Bicycle
Connect to Snowflake for cloud data warehousing and analytics. Bicycle reads tables from Snowflake as SIGNAL sources for metrics, events, and dashboards.
Requirements
To follow the steps in this guide, you'll need:
- Permission to create connectors in Bicycle
- Snowflake administrative access (or coordination with your Snowflake platform team) to:
- Create a dedicated service user and role
- Grant read access to the target warehouse, database, and schemas
- Configure authentication for the service user
Work with your Snowflake administrator to provision access. In most organizations, a platform or security team runs the SQL in the sections below; an analyst or engineer then completes the connection in Bicycle.
| Item | Description |
|---|---|
| Account identifier | From Snowflake account details (not the data-sharing identifier) |
| Warehouse | An existing warehouse Bicycle can use for queries, or a dedicated warehouse your team provisions |
| Database | The production or staging database Bicycle should read from |
| Schema (optional) | Limit discovery to specific schemas; omit to discover all schemas in the database |
| Authentication | Key pair (recommended) or Username + Password |
Prepare Snowflake access
Complete these steps once, regardless of which authentication method you use in Bicycle.
Create a service user and role
Create a dedicated service user for Bicycle. Do not use personal Snowflake credentials for production connections.
- Sign in to the Snowflake Web UI with an account that can create users and roles.
- Open a worksheet and run the following. Replace placeholders with values from your environment:
USE ROLE SECURITYADMIN; -- or another role your org uses to manage users
CREATE ROLE IF NOT EXISTS BICYCLE_READER;
CREATE USER IF NOT EXISTS BICYCLE_SVC_USER
DEFAULT_ROLE = BICYCLE_READER
DEFAULT_WAREHOUSE = <warehouse>
TYPE = SERVICE;
GRANT ROLE BICYCLE_READER TO USER BICYCLE_SVC_USER;
Use naming conventions your organization already follows for service accounts and roles. The examples above (BICYCLE_READER, BICYCLE_SVC_USER) are placeholders — replace them with names approved by your security team.
The service user must have:
USAGEon the warehouseUSAGEon the databaseUSAGEon the schema(s) you want to accessSELECTon the tables you want to read
Grant read-only access
Grant the Bicycle role access to the warehouse, database, and schemas Bicycle should query.
Single schema (recommended for least privilege):
GRANT USAGE ON WAREHOUSE <warehouse> TO ROLE BICYCLE_READER;
GRANT USAGE ON DATABASE <database> TO ROLE BICYCLE_READER;
GRANT USAGE ON SCHEMA <database>.<schema> TO ROLE BICYCLE_READER;
GRANT SELECT ON ALL TABLES IN SCHEMA <database>.<schema> TO ROLE BICYCLE_READER;
GRANT SELECT ON FUTURE TABLES IN SCHEMA <database>.<schema> TO ROLE BICYCLE_READER;
All schemas in a database (use only when Bicycle should discover every schema):
GRANT USAGE ON WAREHOUSE <warehouse> TO ROLE BICYCLE_READER;
GRANT USAGE ON DATABASE <database> TO ROLE BICYCLE_READER;
GRANT USAGE ON ALL SCHEMAS IN DATABASE <database> TO ROLE BICYCLE_READER;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <database> TO ROLE BICYCLE_READER;
GRANT SELECT ON ALL TABLES IN DATABASE <database> TO ROLE BICYCLE_READER;
GRANT SELECT ON FUTURE TABLES IN DATABASE <database> TO ROLE BICYCLE_READER;
Bicycle discovers base tables only. Views and dynamic tables are not included in discovery.
Retrieve your Snowflake account identifier
- In Snowflake, click your user icon in the bottom-left corner of the page and hover over Account.
- Click View account details.

- In the Account Details dialog, locate and copy the Account identifier value (for example,
ORGNAME-ACCOUNTNAME).

Use the Account identifier value in the Bicycle connection form — not the data sharing identifier (which uses a dot instead of a hyphen).
Connect with Key pair (recommended)
Use this path for new production connections.
In Snowflake
Generate a key pair
Run these commands on a secure workstation or build agent approved by your organization:
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
For an encrypted private key, add -v2 aes-256-cbc instead of -nocrypt when running openssl pkcs8. Store the private key in your organization's secrets manager.
Assign the public key to the service user
- Open
rsa_key.puband copy the public key body (without theBEGIN/ENDheader lines). - In a Snowflake worksheet, run:
ALTER USER BICYCLE_SVC_USER SET RSA_PUBLIC_KEY='<copied_public_key>';
Keep private keys in a secrets manager and rotate them according to your organization's security policy. Redact private keys in documentation screenshots.
In Bicycle
Snowflake connection parameters can be case sensitive. Confirm warehouse, database, schema, and table names match your Snowflake environment exactly.
Step 1: Open Connectors and select Key pair
- In Bicycle, go to Connectors.
- Under Recommended, find Snowflake and click + Connect.

- Enter a connection name that identifies the environment (for example,
Snowflake Production). - Select Key pair as the Connector method, then click Next.

Step 2: Enter connection details
On the Add details step, fill in the Snowflake connection fields and key-pair credentials.
Snowflake connection fields
| Field | Required | Description |
|---|---|---|
| Account | Yes | Your Snowflake account identifier |
| Warehouse | Yes | The warehouse Bicycle uses for queries |
| Database | Yes | The database to connect to |
| Schema | No | If omitted, Bicycle discovers all schemas in the database |
| Table Pattern | No | Optional regex to filter tables during discovery |

Key pair credentials
| Field | Required | Description |
|---|---|---|
| Username | Yes | The service user from above (for example, BICYCLE_SVC_USER) |
| Private Key (PEM format) | Yes | The private key from rsa_key.p8 |
| Passphrase | No | Required only if the private key is encrypted |

Step 3: Test the connection
Click Test connection. When the test succeeds, you will see Ready to add this connection:

Step 4: Add the connection
Click Add connection. When the connection is created successfully, you will see a confirmation with the connection name, ID, and method (Key pair). Click Close to return to the Connectors page.

Connect with Username + Password
Use this path only if your organization's Snowflake policy still allows password-based service accounts.
Snowflake is phasing out single-factor password authentication, with full enforcement expected by November 2026. Use key-pair authentication for new production connections.
In Snowflake
Set a password on the service user
Set a password when you create the service user, or run:
ALTER USER BICYCLE_SVC_USER SET PASSWORD = '<secure_password>';
Store the password in your organization's secrets manager.
In Bicycle
Step 1: Open Connectors and select Username + Password
- In Bicycle, go to Connectors.
- Under Recommended, find Snowflake and click + Connect.

- Enter a connection name that identifies the environment (for example,
Snowflake Production). - Select Username + Password as the Connector method, then click Next.

Step 2: Enter connection details
On the Add details step, fill in the Snowflake connection fields and password credentials.
Snowflake connection fields
| Field | Required | Description |
|---|---|---|
| Account | Yes | Your Snowflake account identifier |
| Warehouse | Yes | The warehouse Bicycle uses for queries |
| Database | Yes | The database to connect to |
| Schema | No | If omitted, Bicycle discovers all schemas in the database |
| Table Pattern | No | Optional regex to filter tables during discovery |

Username and password credentials
| Field | Required | Description |
|---|---|---|
| Username | Yes | The service user from above (for example, BICYCLE_SVC_USER) |
| Password | Yes | The password set in Snowflake |

Step 3: Test the connection
Click Test connection. When the test succeeds, you will see Ready to add this connection:

Step 4: Add the connection
Click Add connection. When the connection is created successfully, you will see a confirmation with the connection name, ID, and method (Username + Password). Click Close to return to the Connectors page.

Troubleshooting
If Test connection fails or no tables appear after connecting, check the following.
Key pair authentication
| Error or symptom | Likely cause | Fix |
|---|---|---|
Failed to parse private key: ... password empty | The private key is encrypted (-----BEGIN ENCRYPTED PRIVATE KEY-----) but Passphrase is empty in Bicycle | Enter the passphrase used when generating the key, or regenerate an unencrypted key with -nocrypt and update the public key in Snowflake |
JWT token is invalid | The public key is not assigned to the user, or Username in Bicycle does not match the Snowflake user that has the key | Run ALTER USER <service_user> SET RSA_PUBLIC_KEY='...' in Snowflake and confirm the Username field matches that user exactly |
| Connection succeeds but no tables are discovered | Missing SELECT grants, wrong database or schema, or Table Pattern filters out all tables | Verify grant SQL ran successfully; confirm Database, Schema, and Table Pattern match your Snowflake objects |
Username + Password authentication
| Error or symptom | Likely cause | Fix |
|---|---|---|
Incorrect username or password | Wrong credentials, or password not set on the service user | Confirm Username matches the Snowflake service user and run ALTER USER <service_user> SET PASSWORD = '...' if needed |
| Connection succeeds but no tables are discovered | Same as key pair — grants or scope misconfiguration | Verify warehouse, database, and schema grants; check Table Pattern if set |
Account and connection settings
| Error or symptom | Likely cause | Fix |
|---|---|---|
| Cannot connect / invalid account | Account uses the wrong identifier format | Copy Account identifier from Snowflake account details (hyphen format, e.g. ORGNAME-ACCOUNTNAME). Do not use the data sharing identifier (dot format) or the legacy account locator |
| Object not found or authorization errors | Warehouse, database, schema, or role names do not match Snowflake | Snowflake object names can be case sensitive. Enter names exactly as they appear in Snowflake, including uppercase warehouse and database names if your account uses them |
| Tables missing after connect | Bicycle discovers base tables only | Views, dynamic tables, and external tables are not included in discovery. Query base tables in Snowflake to confirm they exist in the configured database and schema |
If issues persist, ask your Snowflake administrator to confirm the service user can run SELECT on the target tables when connected with the same warehouse, database, and role configured in Bicycle.
Capabilities
| Capability | Description |
|---|---|
| SIGNAL | Read data from Snowflake tables with incremental sync via a cursor field |
What's next?
Now that Snowflake is connected, you can:
- Discover and ingest tables from the configured database and schema
- Use the connection as a SIGNAL source for metrics, events, and dashboards
- Configure streams with a cursor field for incremental sync