Direct Snowflake Connection Support
Connect your Snowflake account directly to Bobsled AI using secure OIDC authentication, bypassing Sledhouse infrastructure entirely. This gives you full control over data residency while enabling AI-powered analytics on your existing Snowflake investment—no data copying or ETL required.
What's New
- OIDC Authentication: Secure, keyless authentication using GCP service accounts with automatic credential rotation—no long-lived passwords or keys to manage
- Zero Data Movement: Query your Snowflake data in place; results stream directly to the user without intermediate storage
- Per-Workspace Isolation: Each Bobsled workspace gets its own Snowflake database and role, enforcing least-privilege access patterns
- Streamlined Setup: A guided 3-step wizard in the UI walks you through running the setup script, testing connectivity, and selecting tables
- Your Warehouse, Your Costs: Queries run on your Snowflake compute, giving you full visibility and control over resource usage
New API Endpoints
Test Connection
POST /api/v1/accounts/{accountId}/data-sources/{id}/test-connection
Validates that Bobsled can authenticate and query the configured Snowflake account. Returns detailed diagnostics on failure.
{
"ok": true,
"data": {
"connected": true,
"latencyMs": 245,
"snowflakeVersion": "8.12.1",
"warehouse": "BOBSLED_AI_WH",
"database": "BOBSLED_WS_ABC123"
}
}Error response example:
{
"ok": false,
"error": {
"code": "SNOWFLAKE_AUTH_FAILED",
"message": "OIDC authentication failed. Verify the service account has been granted access.",
"details": {
"snowflakeError": "JWT token is invalid or expired"
}
}
}List Available Tables
GET /api/v1/accounts/{accountId}/data-sources/{id}/available-tables
Returns all tables and views the configured role can access, for selection during workspace setup.
{
"ok": true,
"data": {
"tables": [
{
"database": "ANALYTICS",
"schema": "PUBLIC",
"name": "ORDERS",
"type": "TABLE",
"rowCount": 1250000
},
{
"database": "ANALYTICS",
"schema": "PUBLIC",
"name": "DAILY_REVENUE",
"type": "VIEW",
"rowCount": null
}
]
}
}Data Source Configuration
When creating a Snowflake data source via the API:
{
"name": "Production Snowflake",
"type": "snowflake",
"connectionConfig": {
"type": "snowflake",
"accountIdentifier": "xy12345.us-east-1",
"warehouseName": "BOBSLED_AI_WH"
}
}| Field | Required | Description |
|---|---|---|
accountIdentifier | Yes | Your Snowflake account identifier (e.g., xy12345.us-east-1) |
warehouseName | Yes | Virtual warehouse for Bobsled queries |
Setup Requirements
Before connecting, run the provided setup script in your Snowflake account as ACCOUNTADMIN:
-- The setup script (available in Bobsled UI) will:
-- 1. Create a security integration for GCP OIDC
-- 2. Create a BOBSLED_AI role with minimal permissions
-- 3. Create a user mapped to the Bobsled service account
-- 4. Grant USAGE on the specified warehouseThe script outputs the exact service account email to authorize. No secrets are exchanged—authentication uses short-lived JWT tokens issued by GCP.
Architecture
┌─────────────┐ OIDC JWT ┌─────────────────┐
│ Bobsled AI │ ───────────────── │ Snowflake │
│ (GCP) │ │ (Your Account) │
└─────────────┘ └─────────────────┘
│ │
│ Query request │
└────────────────────────────────────┘
│
▼
Results streamed
directly to userSecurity Model
- No stored credentials: Authentication uses GCP's Workload Identity Federation
- Automatic rotation: JWT tokens are short-lived and rotated automatically
- Role-based access: Bobsled only accesses tables explicitly granted to the
BOBSLED_AIrole - Audit trail: All queries appear in your Snowflake query history with the Bobsled service account as the user