Secrets in Matillion agent for Snowflake
Adding secrets
Secrets are stored within a Snowflake schema, and will be available for Data Productivity Cloud pipelines to reference. We recommend you use the default secrets schema, but you can specify an alternative if you wish. Both options are described below.
Warning
If you uninstall the agent application from Snowflake, any secrets created within the default secrets schema will be deleted.
Default secrets schema
The default schema for secrets is defined as <APPLICATION_NAME>.SECRETS, as seen on the configuration screen when creating the agent application. To create a secret in this schema, execute the following commands, using the same role you used for creating the agent:
CREATE SECRET <APPLICATION_NAME>.SECRETS.<SECRET_NAME> TYPE = GENERIC_STRING SECRET_STRING = 'some-secret-string';
GRANT USAGE ON SECRET <APPLICATION_NAME>.SECRETS.<SECRET_NAME> TO APPLICATION <APPLICATION_NAME>;
Where:
<APPLICATION_NAME> is the name of the application set during installation. By default, this is MATILLION_DATA_PRODUCTIVITY_CLOUD.
<SECRET_NAME> is a unique name for the secret.
'some-secret-string' is the secret value.
Alternative secrets schema
If you changed the Default Secrets Schema property when you configured the agent application, some additional configuration is required.
- Grant USAGE permission to the application for the following objects:
  GRANT USAGE ON DATABASE <DATABASE_NAME> TO APPLICATION <APPLICATION_NAME>;
  GRANT USAGE ON SCHEMA <DATABASE_NAME>.<SCHEMA_NAME> TO APPLICATION <APPLICATION_NAME>;
  Where:
  <DATABASE_NAME> and <SCHEMA_NAME> identify the schema you want to use for secrets.
  <APPLICATION_NAME> is the name of the application set during installation. By default, this is MATILLION_DATA_PRODUCTIVITY_CLOUD.
- To allow creation of secrets, you must also grant the following:
  GRANT CREATE SECRET ON SCHEMA <DATABASE_NAME>.<SCHEMA_NAME> TO APPLICATION <APPLICATION_NAME>;
- To create secrets in the target schema, use the following commands:
  CREATE SECRET <DATABASE_NAME>.<SCHEMA_NAME>.<SECRET_NAME> TYPE = GENERIC_STRING SECRET_STRING = 'some-secret-string';
  GRANT READ ON SECRET <DATABASE_NAME>.<SCHEMA_NAME>.<SECRET_NAME> TO APPLICATION <APPLICATION_NAME>;
  Where:
  <SECRET_NAME> is a unique name for the secret.
  'some-secret-string' is the secret value.
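Once the alternative-schema steps are complete, the check below confirms that the application holds only the grants this page describes. It is an added example, not part of the original documentation; SECRETS_DB.MATILLION_SECRETS is a constructed schema name, and the application name is assumed to be the default.

```sql
-- Added example: audit the grants made to the agent application.
-- Assumptions: SECRETS_DB.MATILLION_SECRETS is a constructed name for the
-- alternative secrets schema; the application uses the default name.

-- 1. List the secrets that exist in the schema (metadata such as name,
--    type and owner).
SHOW SECRETS IN SCHEMA SECRETS_DB.MATILLION_SECRETS;

-- 2. List every privilege currently granted to the application.
SHOW GRANTS TO APPLICATION MATILLION_DATA_PRODUCTIVITY_CLOUD;

-- 3. Narrow the previous result to the object types used on this page.
--    Must run immediately after step 2, because it reads that result set.
--    Grants expected from the steps above:
--      DATABASE  SECRETS_DB                      USAGE
--      SCHEMA    SECRETS_DB.MATILLION_SECRETS    USAGE, CREATE SECRET
--      SECRET    one READ row per secret created
--    Any other row for these object types is access beyond what these
--    steps grant and is worth reviewing.
SELECT "granted_on", "name", "privilege", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" IN ('DATABASE', 'SCHEMA', 'SECRET')
ORDER BY "granted_on", "name", "privilege";
```

A secret that appears in step 1 but has no matching SECRET row in step 3 has not been granted to the application.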