Setup
Connect a Warehouse
A data source is your warehouse connection. Lighthouse supports Snowflake, BigQuery, Postgres, and SQL Server. All connections are read-only and require a successful test before saving.
Snowflake
Before connecting, create a read-only Snowflake user with USAGE on the warehouse, database, and schema you want to monitor, and SELECT on all tables within the schema.
| Field | Required | Description |
|---|---|---|
| accountIdentifier | Yes | Your Snowflake account ID, e.g. xy12345.us-east-1 |
| username | Yes | Read-only Snowflake user |
| password | Yes | Password for the user (stored encrypted) |
| warehouse | Yes | Snowflake virtual warehouse to use for queries |
| database | Yes | Database containing the tables to monitor |
| schema | Yes | Schema within the database |
| role | No | Snowflake role to apply — defaults to the user's default role if omitted |
CURRENT_WAREHOUSE(), CURRENT_DATABASE(), and CURRENT_SCHEMA() and verifies that the session values match the fields you entered. If your user's default warehouse, database, or schema differs from what you typed, the test will fail. Align the config fields with the user's actual session defaults, or specify a role that sets them correctly.BigQuery
BigQuery uses a service account JSON key for authentication. Create a service account in Google Cloud and grant it these three IAM roles: BigQuery Data Viewer (project level), BigQuery Job User (project level), and BigQuery Metadata Viewer on the specific dataset (dataset level, not just project level).
| Field | Required | Description |
|---|---|---|
| projectId | Yes | GCP project ID where queries are billed and run |
| schemaProjectId | No | GCP project where the dataset lives, if different from projectId |
| dataSetName | Yes | BigQuery dataset name (just the name, not the full path) |
| serviceAccountKey | Yes | Full service account JSON key — paste the entire JSON object |
SELECT 1 and fetching dataset metadata. If the dataset test fails, verify the service account has the BigQuery Metadata Viewer permission on the specific dataset, not just project-level access.Postgres
Standard PostgreSQL connection. Create a read-only user with CONNECT on the database and SELECT on all tables in the target schema.
| Field | Required | Description |
|---|---|---|
| host | Yes | Hostname or IP of your Postgres server |
| port | Yes | Port number — default is 5432 |
| username | Yes | Database user (read-only recommended) |
| password | Yes | Password for the user (stored encrypted) |
| database | Yes | Database name |
| schema | Yes | Schema name, e.g. public |
| useSsl | No | Enable SSL (option visible in UI; not yet enforced in connection — contact support if SSL is required) |
SQL Server (MSSQL)
SQL Server uses standard SQL authentication — the same host/port/user/password pattern as Postgres. Create a read-only login with CONNECT on the database and SELECT on the tables in the target schema.
| Field | Required | Description |
|---|---|---|
| host | Yes | Hostname or IP of your SQL Server instance |
| port | Yes | Port number — default is 1433 |
| username | Yes | SQL Server login (read-only recommended) |
| password | Yes | Password for the login (stored encrypted) |
| database | Yes | Database name |
| schema | Yes | Schema name, e.g. dbo |
Redshift
Redshift support is on the roadmap. The tile appears in the UI but the connection is not yet functional.
Testing the connection
Every time you create or edit a data source, you must click Test Connection before saving. Lighthouse runs a live test against your warehouse and blocks the save if the test fails.
The test is also re-run server-side on submit — so even if you pass the browser test, the server validates again before creating the data source record.
Editing a data source
You can update credentials or connection settings at any time from /data-sources. The connection test runs again on save. If you pause or delete a data source, any associated datasets and metrics will also pause.
Security
All credentials are stored encrypted at rest. Lighthouse does not store raw row data from your warehouse — only schema metadata (table names, column names, types) and the aggregate results used to calculate your metrics.
For more on our security posture and compliance status, see the Trust Center.
Troubleshooting
If your connection test fails, see Troubleshooting for common credential and network errors by warehouse type.