Snowflake Secure Data Sharing

Consider a scenario where you need to pass the data to a team outside your Organization in a secure way. How to do you achieve it?

Traditionally Secure FTP has been the go to solution which involves you as a data provider to extract the data, encrypt it before sharing it with consumers. On the other hand, the consumers have to decrypt the data and load it into their system before start using it. This is a time consuming process and with the growing requirements and demand of the real-time data, it becomes important how securely, easily and quickly can the data be shared in a cost effective manner.

Snowflake’s Secure Data Sharing provides a solution to this revolutionizing the way we share the data to those on the outside of Organization.

1. Secure Data Sharing

Secure Data Sharing in Snowflake enables account-to-account sharing of selected database objects in your account with other. It is an extremely powerful, yet easy-to-use feature.

The Data Sharing feature is supported between Snowflake accounts. In scenarios where the consumer is a non-snowflake customer, the access can be provided through Reader accounts (on which we will discuss more in the upcoming sections of article).

All database objects shared between accounts are read-only i.e. the objects cannot be modified or deleted.

2. Overview of Providers and Consumers

2.1. Providers

A Data Provider is any Snowflake account that creates shares and makes them available to other Snowflake accounts to consume. As a data provider, you share a database with one or more Snowflake accounts.

2.2. Consumers

A Data Consumer is any account that chooses to create a database from a share made available by a data provider.

There are two different types of consumers.

1. Full Consumer Accounts
2. Reader Accounts

Full Consumer Accounts enable providers to share data with consumers who are already Snowflake customers.

• If the consumer is already a Snowflake customer, the data can be shared directly to the consumer’s existing account.
• In this case, the consumer would pay for all compute resources incurred by querying the shared databases.

Reader Accounts enable providers to share data with consumers who are not already Snowflake customers, without requiring the consumers to become Snowflake customers.

• If the consumer is not a Snowflake customer, the provider can create Reader Accounts that the consumer can use.
• In the case of Reader Accounts, all costs incurred by users in the reader account would be borne by the provider, although those costs could be tracked and invoiced back to the consumer.

3. What is a Snowflake Share?

A Secure Share is a named object in Snowflake that contains all the information required to share a database. It includes details of database objects, all the privileges that grant access to the database objects and the consumer account details with which the objects are shared.

As a provider, you package everything you want to share into a “Secure Share” which will be shared with the consumer. A Secure Share is nothing but a metadata package that will point to the data stored with the provider’s account.

4. How Does Secure Data Sharing Work in Snowflake?

Snowflake Secure Data Sharing involves data provider (your Organization) and one or more consumers (outside Organizations). Snowflake enables sharing of read-only database objects from providers to consumers using Secure Shares. 

The advantage of secure data sharing is that absolutely no data gets transferred from the provider to the consumers. Thanks to multi-cluster shared data architecture of Snowflake separating storage from compute while managing data at the metadata layer.

This means when the object is shared with the data consumer the objects still remains inside the provider’s account. So no storage cost applies to the consumers for the shared data instead, only incurs compute costs for querying the data. However, this doesn’t prevent the consumer from copying or extracting the data from the read-only database created at their end.

This allows the data provider to provide access to his live data instantly without copying or moving the data to any number of data consumers and the consumer can query the shared data without any performance bottle necks.

5. Setting up a Secure Share and Reader Account

Let us understand through a demo how data sharing works in Snowflake by sharing the objects from one account to other.

STEP-1: Create a Share

Follow below steps to create a secure share in Snowflake. Ensure that your role is set to ACCOUNTADMIN.

1. Navigate to Shares tab present in the top user console. Toggle the share type to Outbound and click Create.

2. Enter the name of the secure share. Select the database and tables that needs to be shared and click Create.

3. Now you see that Secure Share has been created successfully and the data can be previewed. Next, click the button to Add Consumers.

STEP-2: Add Consumers

1. If the consumer is an already existing Snowflake customer select Full else select Reader.
The Reader Accounts can be created by navigating to Account >> Reader Account >> Create Reader Account. If there are no Reader accounts that are already set up you can create one on the fly by selecting Create a Reader account as shown below.

2. To create a Reader account, enter the Account Name along with credentials as shown below. Then click Create Account

3. Once the reader account is created, you will receive confirmation message as below.

4. Now that the reader account is created, select the reader account from the drop down menu and click Add. 

5. A confirmation message is displayed stating that the access to share is provided to reader account along with URL to access reader account.

Alternatively you can get the URL by executing SHOW MANAGED ACCOUNTS.

STEP-3: Accessing secure share from Reader account

To access the secure share from Reader account follow below steps

1. Login to reader account using the credentials and URL generated from Provider’s account.

2. Ensure that your role is set to ACCOUNTADMIN (it will default to SYSADMIN).

3. Navigate to Warehouses tab and click on Create a new warehouse to create a new warehouse.

4. Choose the size and other properties of the warehouse as per requirement and click Finish. As discussed earlier, as a Reader account all the charges incurred by the warehouse will be borne by the Provider account.

5. Next navigate to Shares. Make sure the share type is toggled to Inbound and select Create Database From Secure Share.

6. Enter the name of the database to be created and the select the roles to which the access must be granted to on the database and click Create Database.

7. Navigate to Worksheets and all the database objects shared from Provider’s account must be available as read-only objects.

8. Disappointed that the data is read-only?
You can create copies of the read-only tables with full permissions in the reader account to modify and update the data according to your requirement.

6. Key Points on Snowflake Secure Data Sharing

• Any updates done on provider’s database are instantaneously available for consumers. Understand that the data made available for consumers is not something that is extracted through an ETL process or by any such similar pipeline.
• As discussed earlier in the article, the secure share is a metadata package which points to the provider’s database. Any updates done on provider’s database are instantaneously available for consumers.
• The following actions are not supported:
  • Creating a clone of a shared database or any schemas/tables in the database.
  • Time Travel for a shared database or any schemas/tables in the database.
  • Editing the comments for a shared database.
• Shared databases and all the objects in the database cannot be re-shared with other accounts.
• Using Resource Monitors, the provider accounts can control the usage of reader accounts by imposing limits on the number of credits that a virtual warehouse can use within a specified interval or date range.

Related Articles: