Who can use this feature?
- Available with Data Direct.
- Requires an admin or architect role to configure.
Data Direct functionality will soon become a part of Fullstory Anywhere. To learn more about upcoming changes to Fullstory's product offerings, please visit this page.
Snowflake announced in December 2024 that they intend to block single-factor password authentication by November 2025. Beginning in April 2025, Snowflake intends to enforce Multi-factor Authentication (MFA).
The documentation below has been updated to remove support for single-factor password authentication.
Action Required: If you are currently using single-factor password authentication with Snowflake, you need to do the following:
- Create a key-pair and assign the public key to the Snowflake user that you already set up for password authentication in Fullstory. Instructions for creating key-pairs and assigning public keys to Snowflake users can be found here. Note: you must generate an unencrypted private key. Fullstory will encrypt the key using Google's key management service.
- In Fullstory, go to Settings > Destinations and then click the "Manage" button for the Snowflake destination. Navigate to the Key-Pair Authentication panel and enter the private key you created in step 1. Save your changes.
Snowflake is a cloud-based data storage and analytics service that can be used as a data warehouse. Fullstory's Snowflake integration allows you to send your structured event data directly to Snowflake.
Enabling the integration (Snowflake)
Terraform Infrastructure as Code (IaC)
Fullstory provides a terraform module to help simplify the setup of the necessary permissions. See the module docs for more information.
Manual Configuration
Note: To experience all of the benefits of this integration, a paid version of Snowflake is required.
Key-Pair Authentication
Fullstory uses key-pair authentication to connect Fullstory to your Snowflake account. If you are an existing Destinations customer and have set up the integration with user-based authentication, you can visit your Settings to update the authentication to key-pair without any gap in service.
To generate a key for authentication to Snowflake, you can follow their documentation here.
Note: When saving the key in Fullstory, you must save the unencrypted version. Fullstory will encrypt the key at rest using Google's key management service
Setup
Once you've set the parameters, run the script below in your Snowflake Worksheet to create all of the required objects and grant the necessary privileges to the role/user that Fullstory will use to perform the data sync.
set warehouse_name = 'compute_wh';
set database_name = 'fullstory';
set role_name = 'fullstory_loader';
set user_name = 'fullstory_user';
set storage_integration = 'fullstory_gcs';
use role useradmin;
create role if not exists identifier($role_name);
create user if not exists identifier($user_name)
rsa_public_key = 'PUBLIC KEY'; // don't include public key delimiters
grant role identifier($role_name) to user identifier($user_name);
use role sysadmin;
create database if not exists identifier($database_name);
grant all on database identifier($database_name) to role identifier($role_name);
grant usage on warehouse identifier($warehouse_name) to role identifier($role_name);
use role accountadmin;
create storage integration identifier($storage_integration)
type = external_stage
storage_provider = 'GCS'
enabled = true
storage_allowed_locations = ('gcs://fullstoryapp-warehouse-sync-bundles/');
grant usage on integration identifier($storage_integration) to role identifier($role_name);
Note: Fullstory takes advantage of Snowflake's Storage integration feature to optimize how we load data into your warehouse. This does not require your Snowflake instance to be hosted in Google Cloud, nor does it require that you have a Google Cloud account. Click here to read more about storage integration. The values set for `storage_provider` and `storage_allowed_locations` in the script above should not be edited. If your region is eu1, you need to replace thestorage_allowed_locationsin the above script withgcs://fullstoryapp-eu1-warehouse-sync-bundles/.
Setting a network policy (optional)
The CIDR block for the IP addresses that Fullstory uses to connect to the provided snowflake instance are:
- NA: 8.35.195.0/29
- EU: 34.89.210.80/29
To create the network policy and apply it to the Fullstory snowflake user, run the following:
CREATE NETWORK POLICY FULLSTORY_POLICY ALLOWED_IP_LIST = ('8.35.195.0/29');
ALTER USER FULLSTORY_USER SET NETWORK_POLICY = FULLSTORY_POLICY;
Fullstory does not currently support two-factor authentication.
Enabling the integration (Fullstory)
To start syncing, follow the steps below:
- Navigate to Settings > Integrations > Destinations.
- Find the Snowflake integration and click Install.
- As shown in the screenshot below, in the menu that appears, add in your Snowflake Account ID, Warehouse, the Database you created, Username and Password, and the Storage Integration for the new Fullstory user. The ID to use for Account ID should be the appropriate one for your region and provider. See the FAQ below if you are unsure what this value is, or are having issues saving the credentials.
Note: Please ensure all credentials are correctly entered. If any are incorrectly entered, the integration sync will fail. - When you are ready, click Save at the bottom.
- After saving, you will see data start flowing into your warehouse within an hour.
FAQ
How can I find the Snowflake Account value to configure with Fullstory?
Fullstory uses the gosnowflake driver to connect to your Snowflake account. This driver requires the account locator to connect. You can find this value by running the following command and cross referencing the values with this table.
SELECT CURRENT_ACCOUNT(), CURRENT_REGION();
Can you set up more than one destination in your account?
Yes. Repeat setup steps for different destinations as needed.
Is a GCS Storage Integration mandatory?
Yes. This integration enables Snowflake to read staged files from Fullstory's cloud using a service account. We utilize the associated service account to set the Access Control List (ACL) for the files in GCS. You can choose the integration name by updating the storage_integration variable in the setup script shown above.