Snowflake Secure Data Sharing (SaaS)
Note: Kumo recommends the Direct Connection method for long term/production use.
For more about Secure Data Sharing, please see Snowflake's official documentation.
Before initiating the sharing process with Kumo, please ensure the following:
1. Provider Sharing is Enabled
- Log into your Snowflake account.
- Navigate to Account > Policies.
- Ensure Provider Sharing is set to
Enabled
. If not, activate it.
2. Identify Your Snowflake Account's Region
Data sharing is most straightforward when provider and consumer accounts are in the same Snowflake region. If they are in different regions, the data provider needs to use Snowflake's "Data Replication" to replicate the data to the region where the consumer account resides before sharing. Kumo does not recommend Data Replication. Kumo has accounts in most of the global regions.
Access the Snowflake web interface—your account's region will be displayed in the top right corner, next to the account name (e.g., us-west-2
). Remember to share with Kumo’s account in the corresponding region because secure share is only allowed with accounts in the same cloud and region.
Identify Your Snowflake Account Edition
The "Secure Data Sharing" feature is available in all editions of Snowflake, including Standard, Enterprise, Business Critical, and Virtual Private Snowflake (VPS). Thus, an account using the Standard edition can share data with an account using the Enterprise edition and vice versa. An account on the BUSINESS CRITICAL edition is restricted from sharing data with an account on a lower edition.
Role Permissions
The role used to create the share must have the necessary permissions on the objects being shared.
You will not incur any additional storage costs for the shared data. When querying your shared data, Kumo incurs the computational costs.
Creating a Snowflake Secure Share for Kumo
You can use Snowflake Secure Shares to share data with Kumo. This allows you to share the following Database objects (see https://docs.snowflake.com/en/user-guide/data-sharing-intro for more details):
- Tables
- External tables
- Secure views
- Secure materialized views
1. Establishing the Share
Create a share: Use the CREATE SHARE
command to create an empty share. For example:
CREATE SHARE KUMO_SHARE;
Use the GRANT <privilege> … TO SHARE
command to add a database to the share and then selectively grant access to specific database objects (schemas, tables and secure views) to the share. For example:
GRANT USAGE ON DATABASE my_database TO SHARE kumo_share;
GRANT SELECT ON TABLE my_database.my_table TO SHARE kumo_share;
GRANT USAGE on schema my_database.myschema TO SHARE kumo_share;
GRANT SELECT on table my_database.myschema.shared_table TO SHARE kumo_share;
Notes:
- Only users with the
CREATE SHARE
privilege can create a secure share. Only theACCOUNTADMIN
has this privilege by default and must be granted to the role creating the secure share for Kumo. See the Snowflake documentation for more details. - Only Secure views can be shared using Snowflake Secure shares.
Do not use SELECT(*) when creating Snowflake views, as this can break if your source tables change. Whenever possible, you should connect your raw tables to Kumo and avoid Snowflake Views.
2. Sharing with Kumo
Add KUMO account (select east or west locator based on where your account is located) access to the share. Use the ALTER SHARE
command to add one or more accounts access to the share. For example:
ALTER SHARE KUMO_SHARE_TEST ADD ACCOUNTS=<OrgName>.<Account Name>;
Refer to the region your Snowflake account is in and use the appropriate Kumo account from this table below:
Cloud | Region | Locator | Org Name | Account Name | Edition |
---|---|---|---|---|---|
AWS | US West (Oregon) | YRB86739 | LFWGWBP | ZXA66432 | Business Critical |
AWS | US West (Oregon) | YRB86739 | LFWGWBP | KUMOUSWEST | Enterprise |
AWS | US East (N.Virginia) | IUB99615 | LFWGWBP | KUMO_US_EAST1 | Enterprise |
AWS | US East (Ohio) | RR45566 | LFWGWBP | KUMO_US_EAST_OHIO | Enterprise |
AWS | US East (N.Virginia) | CZB55260 | LFWGWBP | KUMOUSEAST1BC | Business Critical |
Once the region matches, share the established share with the respective Kumo Snowflake account.
Security Considerations
The following are key security considerations for understanding Kumo's access mechanism to Snowflake instances.
-
Database Creation on Kumo's End
Kumo will generate a new database from the share received. It will serve as the central space for EDA and PoV operations.
-
Defining Access Roles
A unique ROLE will be crafted within Kumo's database to guarantee secured data access.
-
Allocating Exclusive Access
Access is provided only to Kumo's designated Point of Contact, safeguarding your data.
Monitoring Access and Activities
- Queryable Audit Trails: Use
SHARE_USAGE
,QUERY_HISTORY
, andLOGIN_HISTORY
views within Snowflake to review Kumo's interactions. - Role-Based Access Control: Monitor the unique ROLE for Kumo to ensure compliant data access.
- Data Manipulation Monitoring: Use Snowflake's query history to document any changes made by Kumo.
- Scheduled Audits: Regularly check logs, role permissions, and shares to guarantee data safety and accuracy.
Note: contact your Kumo representative if you would like to export your predictions back into your Snowflake instance.
Updated 8 days ago