Use Credential-Less Stages to Secure Your Cloud Storage Without Sharing Secrets

Author: Saurin Shah


Many organizations connect their cloud storage to Snowflake using external stages. They use external stages to copy data from their cloud storage into Snowflake and to run queries on data in external files. To create these external stage objects, organizations have had to provide Snowflake with credentials for authenticating to the cloud storage, along with the storage URL.

However, many organizations have strict security and governance requirements and do not want to share the credentials for their cloud storage. In some cases, organizations also want to restrict the cloud storage locations that can be connected to Snowflake. External stages didn’t fully address these requirements in the past.

Credential-less stages address these concerns by separating responsibilities between the IT department’s Snowflake administrator and business unit users. Storage integrations, a new object type, allow a Snowflake administrator to create a trust policy between Snowflake and the cloud provider. When Snowflake connects to the organization’s cloud storage, the cloud provider authenticates and authorizes access through this trust policy. Using a given storage integration, the administrator can also restrict which cloud storage locations Snowflake can use, enabling the administrator to enforce organizational policies for data egress and ingress.

The administrator can provide storage integration usage privileges to lower-privileged roles, such as business users, who can in turn create external stages that reference the storage integration to access data. The administrator and stage creator do not pass any credentials to Snowflake at any time.

Below, you can see a diagram of the process of using storage integrations and credential-less stages.


1. An administrator creates a storage integration. For example:

   create storage integration sfc_demo_storage_int
     type = external_stage
     storage_provider = S3
     enabled = true
     storage_aws_role_arn = 'aws role arn'
     storage_allowed_locations = ('s3://sfc-demo-data/click-stream-data/website');

2. The administrator creates a trust policy between the cloud provider and Snowflake.

   The administrator runs DESCRIBE on the storage integration object and uses the Snowflake IAM user it returns to create the trust policy on the cloud provider side.

   describe storage integration sfc_demo_storage_int;

3. The administrator grants storage integration usage privileges to the roles used by business users.

   grant usage on storage integration sfc_demo_storage_int to role business_analyst;

4. Business users create external stages using the storage integration.

   create stage sshah_stage
     url = 's3://sfc-demo-data/click-stream-data/website/'
     storage_integration = sfc_demo_storage_int;
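The trust policy in step 2 is the control that makes the stage credential-less: the role named in storage_aws_role_arn may be assumed only by the Snowflake IAM user that DESCRIBE STORAGE INTEGRATION returns, and only when the caller presents the external ID the same DESCRIBE output provides. The example below is added here and is not code from this post or from Snowflake; the ARN and external ID are constructed placeholders, and trust_policy_findings is a hypothetical reviewer check that flags a policy lacking those restrictions.

```python
# Values returned by DESCRIBE STORAGE INTEGRATION (constructed placeholders here):
# STORAGE_AWS_IAM_USER_ARN and STORAGE_AWS_EXTERNAL_ID.
SNOWFLAKE_IAM_USER_ARN = "arn:aws:iam::000000000000:user/PLACEHOLDER-snowflake-user"
SNOWFLAKE_EXTERNAL_ID = "PLACEHOLDER_SFCRole=EXTERNAL_ID"

# Trust policy for the role named in storage_aws_role_arn: only the Snowflake IAM
# user may assume it, and only when it presents the integration's external ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": SNOWFLAKE_IAM_USER_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": SNOWFLAKE_EXTERNAL_ID}},
    }],
}

# A weaker policy (constructed) that a reviewer should reject: any AWS principal may
# assume the role and no external ID is required.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def trust_policy_findings(policy, expected_arn, expected_external_id):
    """Return the problems found in a role trust policy intended for a Snowflake
    storage integration; an empty list means it matches the expected shape."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal != expected_arn:
            findings.append(f"principal {aws_principal!r} is not the Snowflake IAM user")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRole"]:
            findings.append(f"actions {actions} should be exactly ['sts:AssumeRole']")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id != expected_external_id:
            findings.append("sts:ExternalId condition missing or wrong (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    for name, pol in (("expected", TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, trust_policy_findings(pol, SNOWFLAKE_IAM_USER_ARN, SNOWFLAKE_EXTERNAL_ID))
```

The same check applies to the role's permission policy: its s3 resources should be limited to the prefixes listed in storage_allowed_locations, so a stage can never reach beyond what the administrator allowed.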

Snowflake supports storage integrations for Amazon Simple Storage Service (S3), Azure Blob Storage, and Google Cloud Storage. Administrators can also create storage integrations for cross-cloud use cases. For example, they can create a storage integration for Azure Blob Storage on a Snowflake account running in AWS.

Storage integrations and credential-less external stages give administrators a secure and manageable way to connect Snowflake to cloud storage. This functionality is now generally available in Snowflake. Learn more about Snowflake credential-less stages in the Snowflake Community.