Snowflake Data Clean Rooms developer’s guide¶

This page provides some guidelines for users who want to create or manage clean rooms or templates in Snowflake programmatically.

Snowflake exposes stored procedures that enable you to develop applications to create or control clean rooms. These stored procedures can be run in any interface that can access the Snowflake account associated with your clean room environment, including Snowsight notebooks or worksheets as well as the Snowflake CLI. These procedures can be called in SQL or in any language supported by Snowflake interfaces.

Setting up your environment¶

Development tools¶

Here are the main developer tools for clean rooms:

Coding environment: Any coding environment that can run stored procedures in your Snowflake account will work. Most developers use worksheets in Snowsight (the browser-based tool) or the Snowflake CLI.
The clean rooms UI: Use the clean rooms UI to configure, manage, or create clean rooms. Most clean room analysts use the UI rather than code, so it can be useful to see and test the experience of your clean rooms in the UI. Additionally, there are a handful of features that are available only in the clean rooms UI.
Snowsight is useful to explore databases and other objects and search for objects.

Coding setup¶

Required role and warehouse¶

The clean rooms API requires the SAMOOHA_APP_ROLE role for full API access. Ask your clean rooms administrator to grant you full API access.

Clean rooms also supports creating roles with access to a subset of API procedures.

You must use the clean rooms API in a warehouse that SAMOOHA_APP_ROLE can use. Clean rooms provides the warehouse APP_WH with clean rooms API access.

-- Set up environment.
USE ROLE samooha_app_role;
USE WAREHOUSE app_wh;

-- Call your clean rooms API functions.
...

Copy

If you use any other warehouse, be sure to grant SAMOOHA_APP_ROLE usage on that warehouse:

GRANT USAGE ON WAREHOUSE <your warehouse> TO SAMOOHA_APP_ROLE;`

Copy

About the clean rooms API¶

Snowflake Data Clean Rooms exposes a set of stored procedures that allow a provider to create, configure, and share a clean room. These procedures are accessible by any command-line environment that supports Snowflake procedures, including notebooks, workbooks, and the Snowflake CLI. You can use the clean rooms API in any language that supports stored procedures. The documentation here shows SQL usage, but you can also use Python or any other supported language.

Procedures exist inside the following schemas:

samooha_by_snowflake_local_db.provider - Provider-specific procedures. These procedures can be called only on clean rooms that were created in the current account.
samooha_by_snowflake_local_db.consumer - Consumer-specific procedures. These procedures can be called only on clean rooms to which the current account was invited as a consumer.
samooha_by_snowflake_local_db.library - General procedures called by either the clean room creator (provider) or a clean room collaborator (consumer). (These are documented in both the provider and consumer reference pages.)

Some procedures have both provider and consumer versions. The results are appropriate to the schema: for example, provider.view_cleanrooms lists all clean rooms in the current account for which you are a provider, and consumer.view_cleanrooms lists all clean rooms in the current account for which you are a consumer.

About clean room names in API procedures¶

Many clean room API procedures take a cleanroom_name argument.

Use the clean room name if a clean room was created using the API.
Use the clean room ID if the clean room was created using the clean rooms UI.

You can see the clean room name and ID by calling describe_cleanroom.

Setting up accounts, users, and roles¶

Technically, you don’t need to use the clean rooms UI to develop clean rooms: most clean room functionality is available using stored procedures. However, a few features are available only in the UI, and some are faster to perform in the UI. And because many users use the UI exclusively, it’s important to see how your clean room behaves in the UI, especially if you create a user configuration web form for a clean room that you create. Therefore, you should ask a clean room administrator to add you as a clean room manager or higher in the appropriate clean room accounts.

At minimum we recommend having separate provider and consumer Snowflake accounts to test both sides of a clean room. Depending on your use case, you might also want to set up an additional Snowflake account in different web hosting regions to test cross-cloud behavior.

Name your test Snowflake accounts meaningfully to indicate their typical usage: for example, “Consumer account,” “Provider account,” and “Cross-cloud account.” This can help when you have multiple test accounts and need to know which one to sign in to.

Guidelines and recommendations¶

Confirm that you are using the same account in the clean rooms UI and in code¶

You often need to open a coding environment and the clean rooms UI for the same Snowflake account, for example, when creating a clean room in code, then checking its appearance in the clean rooms UI. It’s important to confirm that you’re using the same Snowflake account in each.

Snowsight does not have a shortcut to open the clean rooms UI for the same account, or the reverse, so you must be sure that both the clean rooms UI and Snowsight are open in the same account.

Clean room names vs clean room ID¶

When using the API, for procedures that need a cleanroom_name argument, determine whether to use the clean room name or the clean room ID as follows:

If the clean room was created using the API, use the clean room name.
If the clean room was created in the web app, use the clean room ID. You can see both the clean room name and ID by calling provider.view_cleanrooms or provider.describe_cleanroom.

Update your clean room whenever you make changes¶

To change any clean room settings, including templates, permissions, or policies, call provider.create_or_update_cleanroom_listing to enable the changes. In some cases, changes might be visible before calling this procedure, but the changes won’t properly apply until after you call provider.create_or_update_cleanroom_listing.

Interoperability between clean rooms created in code or the UI¶

When you create a clean room in the API, some features are not modifiable in the clean rooms UI. For example, you cannot add additional templates, even stock Snowflake templates, in code for a UI-created clean room. You also cannot change the differential privacy settings.

Description of clean room objects¶

Snowflake Data Clean Rooms creates many local databases upon installation. Here are some of the more useful objects:

SAMOOHA_CLEANROOM_cleanroom_id

Contains information specific to each clean room created in this account. Includes the following items:

Admin: Cryptographic keys, privacy budget, request logs, requests for provider analyses, and more.
Shared_schema: Join policy, LAF status, linked tables, versions.
Templates: List of activation templates, custom templates, and template chains in this clean room.

SAMOOHA_CLEANROOM_REQUESTS_cleanroom_id

Contains request history, such as multi-provider requests, template requests, query requests.

SAMOOHA_BY_SNOWFLAKE_LOCAL_DB:

Provider.procedures: Definitions of all the provider API procedures
Consumer.procedures: Definitions of all the consumer API procedures.
Library.procedures: Definitions of all the API procedures for both providers and consumers.
Public.consumer_activation_summary: Consumer activation results.
Public.provider_activation_summary: Provider activation results.

SAMOOHA_BY_SNOWFLAKE.TEMPLATES.TEMPLATES:

Holds the list and definition of all the stock Snowflake templates available to clean rooms in this account.

(Consumer) Can’t set join policies or perform other basic actions on a joined clean room¶

Confirm that you installed your clean room with the proper role (SAMOOHA_APP_ROLE). If you didn’t use SAMOOHA_APP_ROLE when installing the clean room, you’ll encounter many problems, typically permission errors. If this is the case, even consumer.uninstall_cleanroom will fail and you must take extra steps to uninstall then reinstall the clean room with the correct role.

-- Who owns the clean room?
SHOW SHARES LIKE 'SAMOOHA_CLEANROOM_REQUESTS_<cleanroom_name>';

-- If the owner role is not SAMOOHA_APP_ROLE, you must drop the share, then
-- uninstall the clean room.
DROP SHARE SAMOOHA_CLEANROOM_REQUESTS_<cleanroom_name>;
CALL samooha_by_snowflake_local_db.consumer.uninstall_cleanroom($cleanroom_name);
USE ROLE samooha_app_role;
CALL samooha_by_snowflake_local_db.consumer.install_cleanroom($cleanroom_name, '<provider_locator>');

Copy

General unexpected results¶

Be sure to call the proper consumer or provider version of your procedure. Many procedures have both provider and consumer versions.

Can’t find a clean room that you created¶

If you created a clean room in one account but can’t see it in the collaborator’s account, here are some possible reasons:

The clean room was created in a different cloud hosting region and you haven’t enabled cross-cloud auto-fulfillment.
You didn’t publish your clean room by calling provider.create_or_update_cleanroom_listing.
You are calling consumer.view_cleanrooms() instead of provider.view_cleanrooms() (or the reverse).
You didn’t share the clean room, you shared the clean room with the wrong account, or you opened the wrong collaborator account in the Snowsight/Clean rooms UI/CLI. Confirm that the account where you expect to see your clean room is the one that you shared the clean room with, and that you’re signed in to that shared account.
There is a small delay between publishing a clean room and when it becomes visible to the collaborator.

Unknown function¶

If you call a procedure and get an error something like this: .. code-block:: sqlexample

Unknown user-defined function SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.CONSUMER.<procedure name>

You either don’t have the SAMOOHA_APP_ROLE or you’ve mistyped the name of the function.

It can also mean that you have been granted a limited-access run role, and the function you are calling isn’t allowed by your role. You can test this by trying to run one of the procedures permitted to consumer.grant_run_on_cleanrooms_to_role. If the procedure succeeds, you might be using a limited role. If it fails, you likely don’t have permission to run the clean rooms API in this account.

To see if you have SAMOOHA_APP_ROLE, run the following command:

SELECT IS_ROLE_IN_SESSION( 'SAMOOHA_APP_ROLE' );

Copy

If you get the following error:

Database <cleanroom name> does not exist or not authorized. in RUN_ANALYSIS_STRING

Copy

You were granted a temporary run role that has been revoked. Ask a clean rooms administrator for a new run role or full SAMOOHA_APP_ROLE access.

Check your query history¶

You can see your query history for queries run in the UI or in code. These histories are stored and checked separately.

UI query history¶

The clean rooms UI shows a list of all previous queries and results for this account in the Analyses & Queries page. These results are only for queries run in the UI.

API query history¶

To see the account history of queries run using the API, do the following:

Sign in to Snowsight.
Select Monitoring » Query History.
Use the filters to find the query associated with the analysis, and then copy the query ID.
Open a worksheet and execute a query that retrieves the results based on the query ID of the query. For example, if the query ID is ABC123, then execute the following:
```
SELECT * FROM TABLE(result_scan(ABC123));
```
Copy
If the warehouse gets suspended in between running the API analysis and using this query to retrieve results, you might not be able to get the results.

Extended examples¶

To help you understand how to use various features of the Developer APIs, you can refer to the examples in the Use cases section of the clean rooms documentation.