Snowflake Managed MCP Server
Provides governed read-only access to Snowflake data via allow-listed views, and exposes Cortex AI tools for semantic search and LLM completions.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Snowflake Managed MCP Serverrun a query to find top 10 products by revenue"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Snowflake Managed MCP Server
A lean, security-first MCP server that exposes
governed Snowflake data and Cortex AI to AI agents (e.g. agents built in
Google Gemini Enterprise). See CLAUDE.md for the full
architecture and security model.
Read-only by design. No DDL/DML. Access is restricted to an allow-list of governed views and enforced again by a least-privilege Snowflake role.
Tools
Tool | What it does |
| List allow-listed governed datasets agents may query |
| Column names/types for one allow-listed dataset |
| Run a single read-only SELECT/WITH query (row-capped, timed out) |
| Semantic retrieval over an approved Cortex Search service |
| LLM completion via |
Cortex Analyst (NL→SQL) is a planned addition; it uses a REST endpoint and was left out of v0.1 to avoid shipping an untested HTTP client. The SQL-based Cortex tools above cover retrieval and completion today.
Related MCP server: Snowflake MCP Agent System
Transports
stdio — stdin/stdout for a trusted local agent process (no network auth).
sse — HTTP + Server-Sent Events, protected by bearer-token authentication (
MCP_SSE_BEARER_TOKENS). Refuses to start if no tokens are configured.
Setup
python -m venv .venv && source .venv/bin/activate
pip install -e .
cp .env.example .env # then fill in Snowflake creds, allow-list, and limitsRun
# Local trusted agent (stdio)
python -m snowflake_mcp --transport stdio
# Network agents (authenticated SSE)
python -m snowflake_mcp --transport sse
# Agents connect to http://$MCP_SSE_HOST:$MCP_SSE_PORT/sse with header:
# Authorization: Bearer <one of MCP_SSE_BEARER_TOKENS>Run with Docker (primary deployment)
The server is operated as a container service over SSE. Secrets are injected at
runtime from .env — never baked into the image.
cp .env.example .env # fill in creds, MCP_SSE_BEARER_TOKENS, and MCP_BEARER_TOKEN
docker compose up --build server # start the MCP server (SSE on 127.0.0.1:8080)
docker compose run --rm client # run the example client against itThe image runs as a non-root user and publishes only to 127.0.0.1. In
production, place the SSE port behind a gateway enforcing mTLS/OAuth.
Test
pip install pytest
pytest # all guardrail tests
pytest tests/test_security.py::test_rejects_dangerous_sql # a single testSecurity notes
Set
MCP_ALLOWED_OBJECTSto fully-qualified governed views only — an empty allow-list means the server can read nothing (safe default).Prefer Snowflake key-pair auth; password is a dev-only fallback.
The Snowflake role in
SNOWFLAKE_ROLEmust be least-privilege (read-only on governed views). MCP guardrails are defense-in-depth, not a substitute for it.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/bitlabsdevteam/SnowFlask_managed_MCP_SERVER'
If you have feedback or need assistance with the MCP directory API, please join our Discord server