Setting up the Openflow Connector for Veeva Vault

Note

This connector is subject to the Snowflake Connector Terms.

This topic describes the steps to set up the Openflow Connector for Veeva Vault.

Prerequisites

  1. Review About the Openflow Connector for Veeva Vault.

  2. Set up your runtime deployment.

  3. If you are using Openflow - Snowflake Deployments, ensure that you have reviewed configuring required domains and have granted access to the domains required by the connector.

  4. You have access to the Openflow admin role or a similar role you use to manage Openflow.

  5. If you are creating a Snowflake service user to manage the connector, you have created key pair authentication. For more information, see key-pair authentication.

Required endpoints

The following endpoint is required for the connector to function:

  • <your_vault_hostname>:443 (for example, myvault.veevavault.com:443)

If you are using Openflow - BYOC Deployments, configure your cloud network egress to allow TLS 443 access to this endpoint. If you are using Openflow - Snowflake Deployments, you must create a network rule and an external access integration (EAI). See Create a network rule (Openflow Snowflake Deployments only) for details.

Set up Veeva Vault

The connector uses the Veeva Vault Direct Data API to retrieve data. Before you can use the connector, your Veeva Vault administrator must complete the following tasks.

Enable Direct Data

Direct Data must be enabled on your Veeva Vault instance. This is a Vault-level feature that allows external systems to retrieve data exports via the Direct Data API.

To verify that Direct Data is enabled, your Vault administrator can check Admin » Settings » General Settings » Direct Data in the Veeva Vault UI.

For more information, see the Veeva Direct Data documentation (https://developer.veevavault.com/directdata/).

Create a service account

Create a dedicated Veeva Vault user account for the connector. This account must have:

  • API access enabled.

  • Sufficient permissions to access the Direct Data API endpoints.

  • A security profile that allows the account to read the data objects you want to replicate.

Record the username and password for this service account. You will need these values when configuring the connector.

Note

Snowflake recommends using a dedicated service account rather than a personal user account. This ensures that the connector continues to function if a personal account is disabled or its password is changed.

Set up your Snowflake account

As an Openflow administrator, perform the following tasks to set up your Snowflake account.

Create a Snowflake service user (Openflow BYOC only)

Note

This step is only required if you are deploying the connector in Openflow - BYOC Deployments. It is not needed for Openflow - Snowflake Deployments.

  1. Create a service user:

    USE ROLE USERADMIN;
CREATE USER <openflow_service_user>
  TYPE=SERVICE
  COMMENT='Service user for the Veeva Vault connector';

  2. Store the private key for that user in a file to supply to the connector’s configuration. For more information, see key-pair authentication.

    ALTER USER <openflow_service_user> SET RSA_PUBLIC_KEY = '<pubkey>';

Create database, schema, and warehouse

  1. Create the destination database:

    USE ROLE ACCOUNTADMIN;
CREATE DATABASE IF NOT EXISTS <veeva_database>;

  2. Create the destination schema:

    CREATE SCHEMA IF NOT EXISTS <veeva_database>.<veeva_schema>;

  3. Create a role for the connector and grant the required privileges:

    CREATE ROLE IF NOT EXISTS <veeva_connector_role>;

GRANT USAGE ON DATABASE <veeva_database> TO ROLE <veeva_connector_role>;
GRANT USAGE ON SCHEMA <veeva_database>.<veeva_schema> TO ROLE <veeva_connector_role>;
GRANT CREATE TABLE ON SCHEMA <veeva_database>.<veeva_schema> TO ROLE <veeva_connector_role>;

  4. Create a warehouse (or use an existing one) and grant usage privileges:

    CREATE WAREHOUSE IF NOT EXISTS <veeva_warehouse>
  WITH
    WAREHOUSE_SIZE = 'SMALL'
    AUTO_SUSPEND = 300
    AUTO_RESUME = TRUE;

GRANT USAGE, OPERATE ON WAREHOUSE <veeva_warehouse> TO ROLE <veeva_connector_role>;

  5. If using Openflow - BYOC Deployments, assign the role to the service user:

    GRANT ROLE <veeva_connector_role> TO USER <openflow_service_user>;
ALTER USER <openflow_service_user> SET DEFAULT_ROLE = <veeva_connector_role>;

Create a network rule (Openflow Snowflake Deployments only)

Caution

If your runtime executes in Openflow - BYOC Deployments, you do not need to create an External Access Integration (EAI). Instead, configure your cloud network egress to allow TLS 443 access to your Veeva Vault hostname.

To allow the connector to call the Veeva Vault API from a Snowflake-hosted runtime, create a network rule and an external access integration (EAI), and then grant the Snowflake role usage privileges on the EAI.

  1. Create a network rule:

    USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE NETWORK RULE openflow_<runtime_name>_veeva_network_rule
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = ('<your_vault_hostname>:443');

  2. Create an External Access Integration:

    CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION openflow_<runtime_name>_veeva_eai
  ALLOWED_NETWORK_RULES = (openflow_<runtime_name>_veeva_network_rule)
  ENABLED = TRUE;

  3. Grant your Snowflake role USAGE on the integration:

    GRANT USAGE ON INTEGRATION openflow_<runtime_name>_veeva_eai
  TO ROLE openflow_runtime_role_<runtime_name>;

Install the connector

To install the connector, do the following as a data engineer:

  1. Navigate to the Openflow overview page. In the Featured connectors section, select View more connectors.

  2. On the Openflow connectors page, find the connector and select Add to runtime.

  3. In the Select runtime dialog, select your runtime from the Available runtimes drop-down list and click Add.

    Note

    Before you install the connector, ensure that you have created a database and schema in Snowflake for the connector to store ingested data.

  4. Authenticate to the deployment with your Snowflake account credentials and select Allow when prompted to allow the runtime application to access your Snowflake account. The connector installation process takes a few minutes to complete.

  5. Authenticate to the runtime with your Snowflake account credentials.

The Openflow canvas appears with the connector process group added to it.

Configure the connector

To configure the connector, perform the following steps:

  1. Right-click on the added connector process group and select Parameters.

  2. Populate the required parameter values as described in the sections below.

Veeva Vault parameters

Parameter

Description

Veeva Vault Base URL

Base URL for the Veeva Vault environment. Must be a valid URL including the protocol.

Example: https://myvault.veevavault.com

Veeva Vault Username

Service account username for Veeva Vault authentication.

Veeva Vault Password

Service account password for Veeva Vault authentication. This value is stored securely as a sensitive parameter.

Veeva API Version

Veeva Vault REST API version path segment. The default value matches the version the connector was built against.

Default: v25.3

Veeva Ingestion Mode

Determines how Veeva Direct Data files are consumed. Allowed values:

  • SNAPSHOT_AND_INCREMENTAL (default): Load the latest full archive first, then continue with incremental archives.

  • SNAPSHOT: Poll for the latest full archive only.

  • INCREMENTAL: Poll for incremental archives only.

Veeva Incremental Start Time

Optional starting timestamp for incremental polling. Only applicable when the ingestion mode is INCREMENTAL. If not set, incremental polling starts from the current time. Expected format: yyyy-MM-dd'T'HH:mmZ.

Example: 2025-01-15T08:30Z

Veeva Incremental Sync Frequency

How often the connector polls for new Direct Data archives.

Default: 15 minutes

Veeva Include Audit Logs

Whether to also ingest Veeva Direct Data audit log archives.

Default: true

Snowflake destination parameters

Parameter

Description

Snowflake Authentication Strategy

Authentication strategy for the connector to connect to Snowflake.

  • SNOWFLAKE_MANAGED (default): Uses the Snowflake-managed token associated with the specified Snowflake runtime role. This is the recommended strategy for both Openflow - Snowflake Deployments and Openflow - BYOC Deployments.

  • KEY_PAIR: Uses a user-provided RSA key pair. Available only on Openflow - BYOC Deployments, for cross-account scenarios where the connector writes to a Snowflake account different from the one hosting the Openflow runtime.

Snowflake Account

Snowflake account identifier, formatted as <organization>-<account>. Required when the authentication strategy is KEY_PAIR.

Example: MYORG-MYACCOUNT

Snowflake Username

The Snowflake user for authentication. Required when the authentication strategy is KEY_PAIR.

Snowflake Private Key

PEM-encoded private key content for Snowflake key pair authentication. Required when the authentication strategy is KEY_PAIR. This value is stored securely as a sensitive parameter.

You can also upload the private key file by selecting the Reference asset checkbox, uploading the file as an asset, and selecting the asset as the value for the parameter.

Snowflake Private Key Password

Password to decrypt the Snowflake private key, if the key is encrypted. Only applicable when the authentication strategy is KEY_PAIR.

Snowflake Role

The Snowflake role used for table creation, data ingestion, and access verification. When using SNOWFLAKE_MANAGED, this is the Snowflake role for Openflow runtimes. When using KEY_PAIR, this is the role assigned to the specified Snowflake user.

Snowflake Database

Name of the destination database in Snowflake. The database must already exist before starting the connector.

Snowflake Schema

Name of the destination schema in Snowflake. The schema must already exist before starting the connector.

Snowflake Warehouse

The Snowflake warehouse used for table management operations such as CREATE TABLE and MERGE.

Snowflake Table Prefix

Optional prefix applied to all destination table names in Snowflake. Use this to namespace tables when multiple connectors write to the same schema.

Snowflake Delete Strategy

How to apply Veeva delete extracts in Snowflake.

  • Hard Delete (default): Permanently remove rows from the table.

  • Soft Delete: Set __SNOWFLAKE_DELETED to TRUE and __SNOWFLAKE_DELETED_AT to the current timestamp. The columns are added automatically if they do not exist.

Schema evolution parameters

Parameter

Description

Column Removal Strategy

Defines the strategy when a column should be removed from the destination table based on the latest received schema.

  • Drop Column (default): Drop the column from the Snowflake table.

  • Rename Column: Rename the column in the Snowflake table by appending the suffix defined in the Removed Column Name Suffix parameter.

  • Ignore Column: Leave the column as-is in the Snowflake table.

Removed Column Name Suffix

Suffix appended to the column name when the Column Removal Strategy is set to Rename Column.

Default: __deleted

Run the flow

  1. Right-click on an empty area of the canvas and select Enable all Controller Services.

  2. Right-click on the connector process group and select Start.

The connector starts polling Veeva Vault for Direct Data archives and loading data into Snowflake.

Next steps