Audience: Consumer-account ACCOUNTADMIN. Follow this runbook once, after Resonate shares the listing with your Snowflake account, to install the app and enable your end users.
At a glance
| Step | What you do | Where |
|---|---|---|
| 1 | Accept the listing and install the app | Snowsight — Horizon Catalog |
| 2 | Grant the app SELECT on your input table | Worksheet (SQL) |
| 3 | Grant your end-user role access to the app | Worksheet (SQL) |
| 4 | (Optional) Wire up a local event table | Worksheet (SQL) |
| 5 | Smoke-test with `core.health_check()` | Worksheet (SQL) |
| 6 | Hand off to the end user | Email / Slack |
Total time: approximately 10 minutes.
Prerequisites
- You have `ACCOUNTADMIN` (or a role with `CREATE APPLICATION`, `IMPORT SHARE`, and `GRANT` privileges).
- Resonate has shared the private listing with your account. You should see an email from Snowflake or a notification in Snowsight.
- You know:
- The database, schema, and table name of the input data the end user will enrich.
- The Snowflake role your end user will use to call the app (if one does not exist yet, create it or reuse an existing analytical role).
Step 1 — Install the app from the shared listing
Option A: UI (recommended)
1. Open the Apps catalog.
In the Snowsight left sidebar, hover over Catalog (under Horizon Catalog) and select Apps from the fly-out menu.
2. Locate the shared listing.
Scroll to the Recently Shared with You section. You should see the Resonate Clean Room Enrichment App card with a Get button. If you do not see it, confirm with Resonate that the listing was shared to your Snowflake account identifier.
3. Click Get.
A permissions dialog opens. Review the governance, performance, and event-sharing information the app declares, then proceed.
4. Name the app and install.
On the install dialog:
- Application name — accept the default (`RESONATE_CLEANROOM_ENRICHMENT_APP`) or change it to match your org naming convention. Make a note of the name — your end users will use it in every SQL call.
- Required events and logs sharing — `Errors and warnings` and `Usage logs` are declared by the app. Leaving these enabled lets Resonate diagnose issues for you. No consumer data is shared; only app-internal log events.
- Click Get to install. Setup completes in under a minute.
Option B: SQL
```sql
USE ROLE ACCOUNTADMIN;
CREATE APPLICATION RESONATE_CLEANROOM_ENRICHMENT_APP
  FROM LISTING <listing_name_from_snowflake_share>
  AUTHORIZE_TELEMETRY_EVENT_SHARING = TRUE;
```

Replace `<listing_name_from_snowflake_share>` with the global name shown in the sharing notification.
The app runs entirely inside your Snowflake account. No consumer data is ever copied out.
Step 2 — Grant the app access to your input data
The app has no access to your data by default. Grant it SELECT on the input table the end user will use. Run this as ACCOUNTADMIN:

```sql
USE ROLE ACCOUNTADMIN;
GRANT USAGE ON DATABASE <input_db> TO APPLICATION RESONATE_CLEANROOM_ENRICHMENT_APP;
GRANT USAGE ON SCHEMA <input_db>.<input_schema> TO APPLICATION RESONATE_CLEANROOM_ENRICHMENT_APP;
GRANT SELECT ON TABLE <input_db>.<input_schema>.<input_table> TO APPLICATION RESONATE_CLEANROOM_ENRICHMENT_APP;
```

If your end user will point the app at multiple input tables, repeat the GRANT SELECT line for each table (the USAGE grants only need to be done once per database/schema).

The app only needs `SELECT`. It does not need `CREATE TABLE` in your schema — enrichment output is written to the app's own internal schema.

Step 3 — Give your end user access to the app
The app exposes an application role called app_user that grants the right to call the app's procedures (run_validation, run_append, health_check, etc.).
Grant this application role to your end user's account role:
```sql
USE ROLE ACCOUNTADMIN;
GRANT APPLICATION ROLE RESONATE_CLEANROOM_ENRICHMENT_APP.app_user
  TO ROLE <your_end_user_role>;
```

Replace `<your_end_user_role>` with the Snowflake role your end user will use (e.g., DATA_ANALYST, MARKETING_OPS, etc.).
If multiple roles will use the app, run this grant once per role.
The end user also needs `USAGE` on a warehouse to run enrichment. Any warehouse they already use for analytics will work — the app uses the caller's warehouse for compute.
Step 4 — (Optional) Set up a local event table
If you want to see the app's telemetry locally in your own account (for troubleshooting or auditing), configure an event table. This is optional — Resonate still receives the telemetry it needs via the provider share from Step 1.

Run once as ACCOUNTADMIN:

```sql
USE ROLE ACCOUNTADMIN;
CREATE EVENT TABLE <monitoring_db>.<schema>.RESONATE_APP_EVENTS;
ALTER ACCOUNT SET EVENT_TABLE = <monitoring_db>.<schema>.RESONATE_APP_EVENTS;
```
After this, core.health_check() reports event_table.accessible: true, and log events from the app appear in your event table.
You can skip this step entirely if local telemetry visibility is not a requirement. The app works fine without it.
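`ALTER ACCOUNT SET EVENT_TABLE` changes the active event table for the whole account, so it is worth checking what is set before running Step 4 and confirming afterwards that app events arrive. The following is an added example, not part of Resonate's runbook; the `snow.database.name` filter assumes the installed app's name is recorded under that resource attribute.

```sql
USE ROLE ACCOUNTADMIN;

-- Before Step 4: is an event table already active for this account?
-- A non-empty value means Step 4 would redirect account telemetry away from it.
-- RESULT_SCAN must run immediately after the SHOW in the same session.
SHOW PARAMETERS LIKE 'EVENT_TABLE' IN ACCOUNT;
SELECT "value" AS current_event_table, "level"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- After Step 4 and at least one core.health_check() call:
-- recent log events written on behalf of the app.
SELECT timestamp,
       record['severity_text']::STRING AS severity,
       value::STRING                   AS message
FROM <monitoring_db>.<schema>.RESONATE_APP_EVENTS
WHERE record_type = 'LOG'
  -- Assumption: the app name appears in this attribute. If no rows come back,
  -- remove this predicate and inspect resource_attributes directly.
  AND resource_attributes['snow.database.name']::STRING = 'RESONATE_CLEANROOM_ENRICHMENT_APP'
  AND timestamp > DATEADD(hour, -1, CURRENT_TIMESTAMP())
ORDER BY timestamp DESC
LIMIT 50;
```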
Step 5 — Smoke-test the install
Confirm everything is wired up correctly before handing off:
```sql
USE ROLE <your_end_user_role>;  -- test as the end user will
USE WAREHOUSE <your_warehouse>;
CALL RESONATE_CLEANROOM_ENRICHMENT_APP.core.health_check();
```

Expected output (abbreviated):

```json
{
  "status": "HEALTHY",
  "app_version": "1.x.x",
  "data_sources": {
    "stitch": { "accessible": true },
    "insights": { "accessible": true },
    "entitlements": { "accessible": true },
    "sensitive_keys": { "accessible": true },
    "ip_predictions": { "accessible": true },
    "key_definitions": { "accessible": true }
  }
}
```

If status is HEALTHY — you are done. Hand off to your end user.
If status is DEGRADED or UNHEALTHY — note which data_sources show accessible: false and contact Resonate support. This usually indicates an entitlement or provisioning issue on the Resonate side, not a consumer-account problem.
If the call errors with Insufficient privileges — the end-user role is missing either (a) the app_user application role grant from Step 3, or (b) USAGE on a warehouse.
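A least-privilege check to run alongside the smoke test, confirming that Steps 2 and 3 granted only what was intended. This is an added example, not part of Resonate's runbook; it assumes the default app name and reuses the `<your_end_user_role>` placeholder from Step 3.

```sql
USE ROLE ACCOUNTADMIN;

-- 1. Everything granted TO the app. After Step 2 the expected rows are
--    USAGE on the input database and schema, and SELECT on each input table.
SHOW GRANTS TO APPLICATION RESONATE_CLEANROOM_ENRICHMENT_APP;

-- Rows returned here fall outside what this runbook grants; review each one.
-- RESULT_SCAN must run immediately after the SHOW in the same session.
SELECT "privilege", "granted_on", "name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE NOT (
        ("privilege" = 'USAGE'  AND "granted_on" IN ('DATABASE', 'SCHEMA'))
     OR ("privilege" = 'SELECT' AND "granted_on" = 'TABLE')
);

-- 2. Tables the app can read. Compare against the input tables you
--    intended to expose in Step 2.
SHOW GRANTS TO APPLICATION RESONATE_CLEANROOM_ENRICHMENT_APP;
SELECT "name" AS readable_table
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" = 'SELECT' AND "granted_on" = 'TABLE';

-- 3. Account roles holding app_user. Any grantee other than the role(s)
--    chosen in Step 3 can call run_validation / run_append.
SHOW GRANTS OF APPLICATION ROLE RESONATE_CLEANROOM_ENRICHMENT_APP.app_user;
SELECT "grantee_name", "granted_to", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "grantee_name" NOT IN ('<your_end_user_role>');
```

Re-run the same checks after any of the maintenance grants to keep the app's access limited to the tables and roles you intend.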
Step 6 — Hand off to your end user
Send your end user the following info:
| Item | Value |
|---|---|
| App name | `RESONATE_CLEANROOM_ENRICHMENT_APP` (or whatever you named it in Step 1) |
| Input table they should enrich | <input_db>.<input_schema>.<input_table> |
| Role to use | <your_end_user_role> |
| Warehouse to use | Any warehouse they have USAGE on — size per the app onboarding guide |
| User guide | Resonate Enrichment On-Demand Snowflake Clean Room |
The end user can now run:
```sql
CALL RESONATE_CLEANROOM_ENRICHMENT_APP.core.run_validation('<input_db>.<input_schema>.<input_table>');
CALL RESONATE_CLEANROOM_ENRICHMENT_APP.core.run_append('<input_db>.<input_schema>.<input_table>');
```

Maintenance tasks (future)

Granting a new end user

```sql
GRANT APPLICATION ROLE RESONATE_CLEANROOM_ENRICHMENT_APP.app_user
  TO ROLE <new_end_user_role>;
```

Granting access to a new input table

```sql
GRANT SELECT ON TABLE <input_db>.<input_schema>.<new_table>
  TO APPLICATION RESONATE_CLEANROOM_ENRICHMENT_APP;
```

Uninstalling the app

```sql
USE ROLE ACCOUNTADMIN;
DROP APPLICATION RESONATE_CLEANROOM_ENRICHMENT_APP CASCADE;
```

Important: `DROP APPLICATION` deletes all enrichment output tables stored inside the app. Export any results your users still need before uninstalling.
App upgrades
App upgrades are applied automatically — no ACCOUNTADMIN action required. Your end users' saved output tables are never modified by upgrades.
Quick troubleshooting
| Symptom | Fix |
|---|---|
| Listing not visible in Private Sharing | Confirm with Resonate that the listing was shared to your account identifier. |
| End user sees Insufficient privileges on `core.run_append` | Re-run the GRANT SELECT ON TABLE ... TO APPLICATION ... from Step 2 for the specific table. |
| End user cannot see the app in their DB list | Re-run the GRANT APPLICATION ROLE ... TO ROLE <end_user_role> from Step 3. |
| `health_check` returns `entitlements: accessible: false` | Your account is not yet provisioned with Resonate. Contact Resonate support — this requires a provider-side change. |
Support
Contact Resonate support with:
- Your Snowflake account identifier: `SELECT CURRENT_ACCOUNT();`
- The output of `core.health_check()`
- The `app_version` shown in any error response