Connecting your warehouse
Exact setup steps for all six platforms, including the minimum read-only grants and the most common failure for each. Every flow below has been validated against a live warehouse.
Before you start
Every connection is read-only and metadata-only. The grants below are the minimum for catalog visibility; the exact SQL we run with them is published at /security/queries. If you do not administer the warehouse yourself, each connect form has a copyable script to forward to whoever does.
Google BigQuery
You need a service account key, or just a Google account if your workspace admin enabled Sign in with Google.
1. In Google Cloud Console: IAM & Admin, then Service Accounts, then Create service account.
2. Grant it two roles on the project: BigQuery Metadata Viewer and BigQuery Job User.
3. Open the account, go to Keys, Add key, Create new key, choose JSON, and download it.
4. Drop the JSON file into the connect form. We validate it client-side (a common mistake is downloading an OAuth client file instead of a service-account key; the form names the exact fix) and pre-fill the project. We then list your datasets and you pick.
If it fails: a permission error means one of the two roles is missing on the project. A not-found error usually means the wrong project id.
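The client-side check in step 4 is easy to reproduce. The following is an added example, not MortarIQ's own form code: it classifies a pasted Google credential file as a service-account key or an OAuth client file (the download Google Cloud produces under Credentials, OAuth 2.0 Client IDs, which wraps everything under an "installed" or "web" key and carries no private key), pre-fills the project from project_id, and returns the message the form would show. The function names and the sample files are constructed; the private key body in the sample is a placeholder, not a real key.

```python
from __future__ import annotations
import json
from typing import Optional

# Fields every service-account key file carries; project_id pre-fills the form,
# client_email and private_key are what the connector signs with.
REQUIRED_SA_FIELDS = ("type", "project_id", "private_key", "client_email")


def classify_google_credential(raw_json: str) -> dict:
    """Classify a pasted Google credential file before anything is sent anywhere.

    Returns {'kind': 'service_account' | 'oauth_client' | 'unknown',
             'project': project_id or None,
             'fix': message for the user, or None when the file is usable}.
    """
    def reject(kind: str, fix: str) -> dict:
        return {"kind": kind, "project": None, "fix": fix}

    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return reject("unknown", f"File is not valid JSON ({exc.msg}).")
    if not isinstance(doc, dict):
        return reject("unknown", "Expected a JSON object at the top level.")

    # OAuth client files wrap their contents under "installed" or "web" and hold a
    # client_secret for a browser flow, not a key the connector can sign with.
    if "installed" in doc or "web" in doc:
        return reject("oauth_client",
                      "This is an OAuth client file, not a service-account key. Open the "
                      "service account, go to Keys, Add key, Create new key, choose JSON, "
                      "and upload that file instead.")

    if doc.get("type") != "service_account":
        return reject("unknown", "Unrecognised credential file; expected a service-account key.")
    missing = [f for f in REQUIRED_SA_FIELDS if not doc.get(f)]
    if missing:
        return reject("unknown", "Service-account key is missing fields: " + ", ".join(missing))
    if not str(doc["private_key"]).startswith("-----BEGIN PRIVATE KEY-----"):
        return reject("unknown", "private_key does not look like a PEM PKCS#8 private key.")
    return {"kind": "service_account", "project": doc["project_id"], "fix": None}


def prefilled_project(raw_json: str) -> Optional[str]:
    """Project id the form would pre-fill, or None when the file is rejected."""
    return classify_google_credential(raw_json)["project"]


# Constructed samples (placeholders only; the key body is not a real key).
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project-123",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderbody\n-----END PRIVATE KEY-----\n",
    "client_email": "mortariq-reader@example-project-123.iam.gserviceaccount.com",
    "client_id": "1234567890",
})
SAMPLE_OAUTH_CLIENT = json.dumps({
    "installed": {
        "client_id": "1234567890-abc.apps.googleusercontent.com",
        "project_id": "example-project-123",
        "client_secret": "placeholder-secret",
        "redirect_uris": ["http://localhost"],
    }
})

if __name__ == "__main__":
    for sample in (SAMPLE_SA_KEY, SAMPLE_OAUTH_CLIENT, "{not json"):
        print(classify_google_credential(sample))
```

Because the classification runs on the raw text before any upload, a mis-downloaded OAuth client secret never leaves the browser, and the permission errors in the "If it fails" note remain the only failures that require a round trip to BigQuery.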
Snowflake
Recommended auth is key-pair: it needs no network policy and survives Snowflake's retirement of single-factor passwords. A programmatic access token (PAT) also works but requires a network policy that allowlists our egress IP.
1. Have an admin run the reader-role script below (also in the connect form). Heads-up for your security review: the two SNOWFLAKE database-role grants require ACCOUNTADMIN and give read-only visibility into account-wide governance views (ACCOUNT_USAGE), which is what powers the masking and policy checks. Everything granted is read-only and revocable.
2. For key-pair: generate an RSA key, register the public key on the user, and paste the private key (PEM) into the form. Encrypted PKCS#8 keys work; provide the passphrase. Pasted keys are normalized automatically, so whitespace mangling from copy-paste is fine.
3. For the account field, paste your Snowsight URL; we extract the account identifier, including the legacy region format.
If it fails: "Network policy is required" means you used a PAT without a network policy; switch to key-pair. "Invalid private key" usually means a partial paste; include the BEGIN and END lines.
-- Run as ACCOUNTADMIN (the SNOWFLAKE database-role grants below require it).
-- Replace <db>, <warehouse>, and the key before running.
CREATE ROLE IF NOT EXISTS MORTARIQ_READER;
GRANT USAGE ON WAREHOUSE <warehouse> TO ROLE MORTARIQ_READER;
GRANT USAGE ON DATABASE <db> TO ROLE MORTARIQ_READER;
GRANT USAGE ON ALL SCHEMAS IN DATABASE <db> TO ROLE MORTARIQ_READER;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <db> TO ROLE MORTARIQ_READER;
-- Read-only metadata visibility. GOVERNANCE_VIEWER opens account-wide
-- governance views (ACCOUNT_USAGE); read-only, but flag it to security.
GRANT DATABASE ROLE SNOWFLAKE.OBJECT_VIEWER TO ROLE MORTARIQ_READER;
GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE MORTARIQ_READER;
-- Key-pair auth (recommended): create the user with a public key, no password.
CREATE USER MORTARIQ_SVC DEFAULT_ROLE=MORTARIQ_READER DEFAULT_WAREHOUSE=<warehouse>;
ALTER USER MORTARIQ_SVC SET RSA_PUBLIC_KEY='<paste public key body>';
GRANT ROLE MORTARIQ_READER TO USER MORTARIQ_SVC;
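Steps 2 and 3 above describe two things the connect form does on the client: normalizing a pasted PEM private key (tolerating copy-paste whitespace, rejecting a partial paste without BEGIN and END lines, and noticing when the key is an encrypted PKCS#8 block that needs a passphrase) and extracting the account identifier from a Snowsight URL, including the legacy region form. The following is an added example that reproduces both, not MortarIQ's own code. Assumptions: legacy "RSA PRIVATE KEY" blocks are rejected rather than converted; a region id is recognized by containing a hyphen (us-east-1, west-us-2.azure, us-central1.gcp) while organization names never do; the error strings are illustrative. The sample key body is base64 of placeholder bytes, not a real key.

```python
from __future__ import annotations
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlparse

# Match one PEM block; the label is captured so the END line must agree with BEGIN.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+?)-----(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)
# PKCS#8 labels accepted here (assumption: legacy 'RSA PRIVATE KEY' blocks are rejected).
PKCS8_LABELS = ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
# Heuristic (assumption): Snowflake region ids always contain a hyphen, org names do not.
REGION_RE = re.compile(r"^[a-z]+(-[a-z0-9]+)+(\.(aws|azure|gcp))?$")
SNOWFLAKE_HOST_SUFFIX = ".snowflakecomputing.com"


def normalize_private_key(pasted: str) -> tuple[str, bool]:
    """Rebuild a PEM private key from a whitespace-mangled paste.

    Returns (clean_pem, is_encrypted). Raises ValueError with the message the
    form would show when the BEGIN/END lines are missing or the body is partial.
    """
    m = PEM_RE.search(pasted)
    if not m:
        raise ValueError("Invalid private key: include the BEGIN and END lines.")
    label = m.group("label")
    if label not in PKCS8_LABELS:
        raise ValueError(f"Expected a PKCS#8 key, got a '{label}' block.")
    body = re.sub(r"\s+", "", m.group("body"))   # drop CR/LF/spaces added by copy-paste
    if not body:
        raise ValueError("Key body is empty.")
    try:
        base64.b64decode(body, validate=True)    # rejects stray characters and bad padding
    except binascii.Error as exc:
        raise ValueError("Key body is not valid base64; the paste is probably partial.") from exc
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    clean = f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"
    return clean, label == "ENCRYPTED PRIVATE KEY"


def key_paste_problem(pasted: str) -> Optional[str]:
    """The error the form would display, or None when the paste is usable."""
    try:
        normalize_private_key(pasted)
    except ValueError as exc:
        return str(exc)
    return None


def account_identifier_from_url(text: str) -> str:
    """Turn a Snowsight URL, a snowflakecomputing.com URL or a bare identifier
    into the account identifier the connector expects.

    https://app.snowflake.com/<org>/<account>/...     -> <org>-<account>
    https://app.snowflake.com/<region>/<locator>/...  -> <locator>.<region>  (legacy)
    https://<identifier>.snowflakecomputing.com/...   -> <identifier>
    """
    text = text.strip()
    if "://" not in text and "/" not in text and not text.endswith(SNOWFLAKE_HOST_SUFFIX):
        return text.lower()                            # already an identifier
    parsed = urlparse(text if "://" in text else "https://" + text)
    host = (parsed.hostname or "").lower()
    segments = [s.lower() for s in parsed.path.split("/") if s]
    if host.endswith(SNOWFLAKE_HOST_SUFFIX):
        return host[: -len(SNOWFLAKE_HOST_SUFFIX)]
    if host == "app.snowflake.com" and len(segments) >= 2:
        first, second = segments[0], segments[1]
        if REGION_RE.match(first):
            return f"{second}.{first}"                 # legacy region/locator form
        return f"{first}-{second}"                     # current org/account form
    raise ValueError("Not a Snowsight URL: paste the address bar from app.snowflake.com.")


# Constructed sample: the body is base64 of placeholder bytes, not a real key.
SAMPLE_KEY_BODY = base64.b64encode(b"constructed placeholder, not a real key: " * 4).decode()
SAMPLE_MANGLED_PASTE = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\r\n" + SAMPLE_KEY_BODY[:20] + " \r\n "
                        + SAMPLE_KEY_BODY[20:50] + "\n\n" + SAMPLE_KEY_BODY[50:]
                        + "\r\n-----END ENCRYPTED PRIVATE KEY-----")
SAMPLE_PARTIAL_PASTE = SAMPLE_KEY_BODY[:40]            # body only, no BEGIN/END lines

if __name__ == "__main__":
    pem, encrypted = normalize_private_key(SAMPLE_MANGLED_PASTE)
    print(pem, "needs passphrase:", encrypted)
    print(key_paste_problem(SAMPLE_PARTIAL_PASTE))
    print(account_identifier_from_url("https://app.snowflake.com/us-east-1/xy12345/worksheets"))
```

The base64 check is what turns a truncated paste into the "Invalid private key" message from the "If it fails" note instead of a confusing authentication failure later, and the label tells the form whether to ask for the passphrase before it tries to connect.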
Databricks
You need your workspace URL, a SQL warehouse, and a personal access token.
1. Generate the token under User Settings, Developer, Access tokens. It must start with dapi; if your dialog offers scopes, include SQL (the BI Tools preset works).
2. Have an admin run the grants below. BROWSE gives metadata visibility with no data access.
3. In the connect form, enter the workspace URL and token, click the warehouse picker to list your SQL warehouses, and pick one. We then list catalogs and schemas.
If it fails: a 401 on every request means the token is not a dapi personal access token; regenerate it. The lineage requirement reports not assessable unless an account admin has enabled the system.access schema; that is optional and only unlocks one extra signal.
-- Run as a metastore or catalog admin. BROWSE = metadata only, no data SELECT.
GRANT USE CATALOG ON CATALOG <catalog> TO `<token-identity>`;
GRANT USE SCHEMA ON SCHEMA <catalog>.<schema> TO `<token-identity>`;
GRANT BROWSE ON CATALOG <catalog> TO `<token-identity>`;
PostgreSQL
Works for self-hosted Postgres and every managed flavor: Amazon RDS and Aurora, Cloud SQL, Azure Database for PostgreSQL, Neon, Supabase, Railway, Heroku.
Supabase note: connect with the Session pooler connection string (Database settings, Connection string, Session pooler). The direct db.<ref>.supabase.co hostname is IPv6 only, which most cloud platforms cannot reach; the pooler host has IPv4 and the username gains a .<project-ref> suffix.
1. Have an admin create a read-only role with the script below. SELECT is required for catalog visibility (Postgres only shows metadata for objects a role can access); we still never read rows.
2. Paste your postgres:// connection string into the form and the fields fill themselves, or enter host, port, database, user, and password manually. TLS is on by default, which managed providers require.
If the database is not reachable from the internet: allowlist MortarIQ's egress IP, or run the assessment inside your network with the CLI agent.
-- Run as a superuser or the database owner. SELECT is needed for catalog visibility;
-- rows are never read. Replace <db>, <schema>, and the password before running.
CREATE ROLE mortariq_reader LOGIN PASSWORD '<strong-password>';
GRANT CONNECT ON DATABASE <db> TO mortariq_reader;
GRANT USAGE ON SCHEMA <schema> TO mortariq_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO mortariq_reader;
Amazon Redshift
Works for provisioned clusters and Redshift Serverless.
1. Have an admin create a read-only user with the script below. As with Postgres, SELECT grants catalog visibility (Redshift's SVV system views only show objects the user can access); we never read rows.
2. Make the endpoint reachable: for Serverless, open the workgroup, go to Network and security, and turn on Publicly accessible; then add an inbound rule for TCP 5439 to the workgroup's security group. If the cluster must stay private, use the CLI agent inside your VPC instead.
3. Copy the endpoint from the console (it looks like workgroup.account.region.redshift-serverless.amazonaws.com:5439/dev) and paste the whole thing into the form; host, port, and database fill automatically. JDBC URLs also work.
If it fails: a connection timeout means the endpoint is not publicly accessible or the security-group rule is missing. The masking and row-level security checks report not assessable if the user cannot read the SVV policy views; that is the honest degrade, not an error.
-- Run as a superuser. SELECT is needed for SVV catalog visibility; rows are never read.
-- Replace <schema> and the password before running.
CREATE USER mortariq_reader PASSWORD '<strong-password>';
GRANT USAGE ON SCHEMA <schema> TO mortariq_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO mortariq_reader;
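Both the PostgreSQL form (paste a postgres:// connection string and the fields fill themselves) and the Redshift form (paste the console endpoint or a JDBC URL and host, port, and database fill automatically) rely on the same parsing step. The following is an added example of that step, not MortarIQ's own form code: it accepts a postgres:// or postgresql:// URI, a bare host:port/db Redshift endpoint, or a jdbc:redshift:// URL, decodes percent-encoded credentials, keeps TLS on unless the string says otherwise, and flags the IPv6-only direct Supabase host from the note above. The dataclass, function names, and sample strings are constructed; the hosts and passwords in the samples are placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# "tcp" is the placeholder scheme used for a bare host:port/db endpoint.
SUPPORTED_SCHEMES = ("postgres", "postgresql", "redshift", "tcp")


@dataclass(frozen=True)
class ConnectionTarget:
    host: str
    port: int
    database: str
    user: Optional[str] = None
    password: Optional[str] = None
    sslmode: str = "require"    # TLS on unless the pasted string overrides it


def parse_connection_target(text: str, default_port: int) -> ConnectionTarget:
    """Fill host, port and database (plus user/password when present) from a paste.

    Accepts postgres:// and postgresql:// URIs, a bare Redshift console endpoint
    (host:port/db) and jdbc:redshift://host:port/db URLs. Percent-encoded
    credentials are decoded so a password containing '@' or ':' survives.
    """
    text = text.strip()
    if text.lower().startswith("jdbc:"):
        text = text[len("jdbc:"):]          # jdbc:redshift://... -> redshift://...
    if "://" not in text:
        text = "tcp://" + text              # bare host:port/db copied from the console
    parsed = urlparse(text)
    if parsed.scheme.lower() not in SUPPORTED_SCHEMES:
        raise ValueError(f"Unsupported scheme '{parsed.scheme}'.")
    if not parsed.hostname:
        raise ValueError("No host found in the connection string.")
    database = unquote(parsed.path.lstrip("/"))
    if not database:
        raise ValueError("No database name found after the host.")
    params = {k: v[-1] for k, v in parse_qs(parsed.query).items()}
    return ConnectionTarget(
        host=parsed.hostname,
        port=parsed.port or default_port,   # parsed.port raises ValueError on a non-numeric port
        database=database,
        user=unquote(parsed.username) if parsed.username else None,
        password=unquote(parsed.password) if parsed.password else None,
        sslmode=params.get("sslmode", "require"),
    )


def supabase_hint(target: ConnectionTarget) -> Optional[str]:
    """Flag the direct Supabase host, which is IPv6-only; the pooler host has IPv4."""
    host = target.host.lower()
    if host.startswith("db.") and host.endswith(".supabase.co"):
        return ("This is the direct Supabase host (IPv6 only). Use the Session pooler "
                "connection string; its username carries a .<project-ref> suffix.")
    return None


# Constructed sample strings; hosts, users and passwords are placeholders.
SAMPLE_POSTGRES_URI = ("postgres://mortariq_reader:p%40ss%3Aword@pg.example.internal:5433"
                       "/analytics?sslmode=verify-full")
SAMPLE_REDSHIFT_ENDPOINT = "example-wg.123456789012.us-east-1.redshift-serverless.amazonaws.com:5439/dev"
SAMPLE_REDSHIFT_JDBC = "jdbc:redshift://example-cluster.abc123xyz.us-east-1.redshift.amazonaws.com:5439/dev"
SAMPLE_SUPABASE_DIRECT = "postgresql://postgres:pw@db.abcdefghijklmnopqrst.supabase.co:5432/postgres"

if __name__ == "__main__":
    for sample, port in ((SAMPLE_POSTGRES_URI, 5432), (SAMPLE_REDSHIFT_ENDPOINT, 5439),
                         (SAMPLE_REDSHIFT_JDBC, 5439), (SAMPLE_SUPABASE_DIRECT, 5432)):
        target = parse_connection_target(sample, port)
        print(target.host, target.port, target.database, target.user, target.sslmode,
              supabase_hint(target) or "")
```

The default port is passed in rather than guessed from the scheme so the same parser serves both forms (5432 for PostgreSQL, 5439 for Redshift), and a connection timeout on a correctly parsed Redshift endpoint points at the "Publicly accessible" setting or the security-group rule from step 2, not at the paste.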
Microsoft Fabric
You need a Fabric Warehouse or Lakehouse and an Entra ID service principal. Both are assessed through the SQL analytics endpoint with the same setup; for a Lakehouse, use its database name and note that newly created Delta tables appear in the endpoint after Fabric's metadata sync, usually within a few minutes.
1. In the Microsoft Entra admin center: App registrations, New registration (no redirect URI needed). Copy the Application (client) ID and the Directory (tenant) ID.
2. In the app: Certificates & secrets, New client secret. Copy the secret value immediately; it is shown only once.
3. In the Fabric admin portal: Tenant settings, Developer settings, enable "Service principals can use Fabric APIs". Allow up to 15 minutes for this to propagate.
4. In your Fabric workspace: Manage access, add the app with the Viewer role (read-only).
5. Optional, for the row-level security signal: in the warehouse SQL editor run GRANT VIEW DEFINITION TO [<app-name>]; without it that one check reports not assessable rather than guessing.
6. Copy the SQL connection string from the warehouse settings into the form, with the warehouse name, tenant ID, client ID, and client secret.
If it fails: AADSTS errors mean the tenant ID, client ID, or secret is wrong, or the tenant setting from step 3 has not propagated yet; wait 15 minutes and retry.
Firewalled or private networks
If your warehouse cannot accept connections from the internet, run the assessment where the warehouse lives with the CLI agent: credentials and the connection never leave your network, and you can optionally upload only the computed results to your dashboard. See the CLI guide.
Questions?
Email support@intellibricks.app. See also our security practices and the exact SQL we run.