Honeycomb Maps DocsInstall and Configure the Honeycomb Maps Snowflake Native App
Prerequisites
- Access to Snowflake Marketplace
- ACCOUNTADMIN role or equivalent privileges to install applications and grant permissions
Installation Steps
1. Install the Application from Snowflake Marketplace
- Navigate to the Snowflake Marketplace
- Search for "Honeycomb Maps"
- Click Get to begin the installation process
- Follow the prompts to complete the installation
2. Review and Grant Required Roles and External Access Integration
During installation, review the requested permissions and grant the required roles and external access integration for the application to function properly.
Then click 'Activate'. The application will take 10-20 minutes to set up and become available to use.
3. Configure Warehouse Access
To allow users to access data within Honeycomb Maps, you must grant permissions for users to use the application's warehouse:
GRANT CALLER USAGE ON WAREHOUSE HONEYCOMB_APP_WAREHOUSE TO APPLICATION HONEYCOMB_MAPS;GRANT CALLER USAGE ON WAREHOUSE HONEYCOMB_APP_WAREHOUSE TO APPLICATION HONEYCOMB_MAPS;Important: Replace
HONEYCOMB_MAPSwith the application name you specified during installation if you used a different name. The warehouse will always be named by adding_WAREHOUSEto the application name.
Important: Honeycomb Maps will not function if the permission above is not configured.
4. Configure Restricted Caller's Rights
Honeycomb Maps uses the current user's identity to query data within Snowflake. This leverages Snowflake's Restricted Caller's Rights (RCR) feature.
Before users can query data in Honeycomb Maps, you must configure RCR:
- Click on the Privileges tab in the application management interface
- Scroll down to Restricted caller's rights
- Click Add Grants and select which permissions users will be able to use with the Honeycomb Maps app
We recommend granting SELECT rights on all databases and schemas containing data users may want to visualize.
Note: RCR does not change the permissions that users already have. It allows the Honeycomb Maps app to utilize a subset of a user's existing permissions when they interact with the app. This enables users to start using Honeycomb Maps without compromising security.
Learn more about configuring RCR.
5. Grant Users Access to the Application
Configure which Snowflake roles have access to Honeycomb Maps and assign appropriate application roles:
- Click on the Access Management tab
- Click Add next to "Account Roles with Access"
- Select which Snowflake roles should have access to the Honeycomb Maps application
Application Roles
Honeycomb Maps supports the following application roles:
| Application Role | Purpose | Key Capabilities |
|---|---|---|
| HONEYCOMB_APP_ADMIN | Application administrators | View all maps, manage users, restore deleted maps, scale application |
| HONEYCOMB_APP_EDITOR | Map creators and data analysts | Create and edit maps, share maps with others |
| HONEYCOMB_APP_VIEWER | Map consumers | View shared maps only |
Note: Application roles are inclusive, meaning that a user with the
HONEYCOMB_APP_EDITORrole also has all the permissions of theHONEYCOMB_APP_VIEWER. Users should only be granted a single application role. If a user is granted multiple roles, the most privileged role will be used.
Learn more about configuring application roles.
6. Launch the Application
- Click Launch app to open the Honeycomb Maps application
- Once loaded, click + Create Map to create your first map
- Add data to your map directly from your Snowflake tables
SQL Installation Commands
As an alternative to using the Snowsight UI, you can configure the Honeycomb Maps Snowflake Native App by executing SQL statements.
Note: In the statements below,
HONEYCOMB_MAPSmay be changed to an alternative application name, such asHONEYCOMB_MAPS_UAT, if installing from a different listing or channel.
-- INSTALL THE APPLICATION
CREATE APPLICATION HONEYCOMB_MAPS FROM LISTING <listing_identifier>;
-- GRANT ROLES NECESSARY FOR THE APP TO CREATE REQUIRED RESOURCES
GRANT CREATE COMPUTE POOL, BIND SERVICE ENDPOINT, CREATE WAREHOUSE ON ACCOUNT TO APPLICATION HONEYCOMB_MAPS;
-- CREATE NETWORK RULE AND EXTERNAL ACCESS INTEGRATION FOR MAPBOX TILES
CREATE OR REPLACE NETWORK RULE MAP_TILES_NETWORK_RULE
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('api.mapbox.com');
CREATE EXTERNAL ACCESS INTEGRATION ALLOW_MAP_TILES_EAI
ALLOWED_NETWORK_RULES = (MAP_TILES_NETWORK_RULE)
ENABLED = true;
-- CONFIGURE THE EXTERNAL ACCESS INTEGRATION SO HONEYCOMB MAPS CAN FETCH BASEMAP TILES
CALL HONEYCOMB_MAPS.CONFIG.REGISTER_SINGLE_REFERENCE(
'ALLOW_HONEYCOMB_MAPBOX_TILES_EXTERNAL_ACCESS_INTEGRATION',
'ADD',
SYSTEM$REFERENCE('EXTERNAL ACCESS INTEGRATION', 'ALLOW_MAP_TILES_EAI', 'persistent', 'usage')
);
-- NOTIFY THE APPLICATION THAT PERMISSIONS HAVE BEEN GRANTED
CALL HONEYCOMB_MAPS.CONFIG.GRANT_CALLBACK([]);
-- ALLOW USERS TO UTILIZE THE APP WAREHOUSE
GRANT CALLER USAGE ON WAREHOUSE HONEYCOMB_APP_WAREHOUSE TO APPLICATION HONEYCOMB_MAPS;
-- GRANT RCR PERMISSIONS TO THE APPLICATION
-- Replace TEST_DATA with your database name
GRANT CALLER USAGE ON DATABASE "TEST_DATA" TO APPLICATION "HONEYCOMB_MAPS";
GRANT INHERITED CALLER USAGE ON ALL SCHEMAS IN DATABASE "TEST_DATA" TO APPLICATION "HONEYCOMB_MAPS";
GRANT INHERITED CALLER SELECT ON ALL TABLES IN DATABASE "TEST_DATA" TO APPLICATION "HONEYCOMB_MAPS";
-- GRANT APPLICATION ROLES TO SNOWFLAKE ROLES
-- Replace placeholders with your actual Snowflake role names
GRANT APPLICATION ROLE HONEYCOMB_APP_ADMIN TO ROLE <your_snowflake_admin_role>;
GRANT APPLICATION ROLE HONEYCOMB_APP_EDITOR TO ROLE <your_snowflake_editor_role>;
GRANT APPLICATION ROLE HONEYCOMB_APP_VIEWER TO ROLE <your_snowflake_viewer_role>;
-- VIEW THE URL OF THE USER INTERFACE
SHOW ENDPOINTS IN SERVICE HONEYCOMB_MAPS.CONFIG.HONEYCOMB_SERVICE;-- INSTALL THE APPLICATION
CREATE APPLICATION HONEYCOMB_MAPS FROM LISTING <listing_identifier>;
-- GRANT ROLES NECESSARY FOR THE APP TO CREATE REQUIRED RESOURCES
GRANT CREATE COMPUTE POOL, BIND SERVICE ENDPOINT, CREATE WAREHOUSE ON ACCOUNT TO APPLICATION HONEYCOMB_MAPS;
-- CREATE NETWORK RULE AND EXTERNAL ACCESS INTEGRATION FOR MAPBOX TILES
CREATE OR REPLACE NETWORK RULE MAP_TILES_NETWORK_RULE
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('api.mapbox.com');
CREATE EXTERNAL ACCESS INTEGRATION ALLOW_MAP_TILES_EAI
ALLOWED_NETWORK_RULES = (MAP_TILES_NETWORK_RULE)
ENABLED = true;
-- CONFIGURE THE EXTERNAL ACCESS INTEGRATION SO HONEYCOMB MAPS CAN FETCH BASEMAP TILES
CALL HONEYCOMB_MAPS.CONFIG.REGISTER_SINGLE_REFERENCE(
'ALLOW_HONEYCOMB_MAPBOX_TILES_EXTERNAL_ACCESS_INTEGRATION',
'ADD',
SYSTEM$REFERENCE('EXTERNAL ACCESS INTEGRATION', 'ALLOW_MAP_TILES_EAI', 'persistent', 'usage')
);
-- NOTIFY THE APPLICATION THAT PERMISSIONS HAVE BEEN GRANTED
CALL HONEYCOMB_MAPS.CONFIG.GRANT_CALLBACK([]);
-- ALLOW USERS TO UTILIZE THE APP WAREHOUSE
GRANT CALLER USAGE ON WAREHOUSE HONEYCOMB_APP_WAREHOUSE TO APPLICATION HONEYCOMB_MAPS;
-- GRANT RCR PERMISSIONS TO THE APPLICATION
-- Replace TEST_DATA with your database name
GRANT CALLER USAGE ON DATABASE "TEST_DATA" TO APPLICATION "HONEYCOMB_MAPS";
GRANT INHERITED CALLER USAGE ON ALL SCHEMAS IN DATABASE "TEST_DATA" TO APPLICATION "HONEYCOMB_MAPS";
GRANT INHERITED CALLER SELECT ON ALL TABLES IN DATABASE "TEST_DATA" TO APPLICATION "HONEYCOMB_MAPS";
-- GRANT APPLICATION ROLES TO SNOWFLAKE ROLES
-- Replace placeholders with your actual Snowflake role names
GRANT APPLICATION ROLE HONEYCOMB_APP_ADMIN TO ROLE <your_snowflake_admin_role>;
GRANT APPLICATION ROLE HONEYCOMB_APP_EDITOR TO ROLE <your_snowflake_editor_role>;
GRANT APPLICATION ROLE HONEYCOMB_APP_VIEWER TO ROLE <your_snowflake_viewer_role>;
-- VIEW THE URL OF THE USER INTERFACE
SHOW ENDPOINTS IN SERVICE HONEYCOMB_MAPS.CONFIG.HONEYCOMB_SERVICE;Next Steps
- Configure additional RCR permissions for other databases and schemas as needed - see Accessing Snowflake Tables with Restricted Caller's Rights
- Set up featured maps to highlight key content for users - see Administrative Functions
- Review the administrative functions documentation to learn about managing maps and users - see Administrative Functions
- Learn about map sharing and permissions - see Map Ownership and Sharing