Part II: How to Effectively Share Snowflake Data with Non-Snowflake Users
Have you ever been asked to share information with a client or customer while having to support various cloud platforms? Can this be done efficiently and, most importantly, effectively? In our previous publication on how to effectively share data, Strive walked through a step-by-step guide on how to use the Snowflake Secure Data Share. But what if you’re not a Snowflake customer? Don’t worry… we’ve got you covered.
Did you know that within Snowflake, you can set up a data share with other Snowflake customers, as well as with non-Snowflake customers? If you are looking to create a share with other Snowflake customers, then you’re in luck! We’ll outline the simple steps it takes not only to share with Snowflake customers, but also to reach non-Snowflake customers across various cloud platforms.
First: Ground Rules and Limitations
Let’s discuss some ground rules and limitations while creating a share within Snowflake for non-Snowflake customers.
- When sharing a database or any other object, the share is read only. This means the consumers cannot update, delete, or create new objects in the share.
- Time travel and cloning are not supported on shared databases, or on any schemas or tables within the shared database.
- For security reasons, consumers are not permitted to re-share a share.
Let’s look at an example
Let’s say you were asked to share sales information with various internal and external data consumers, with the following requirements:
- Data needs to be secure for all target consumers, regardless of data or cloud platform.
- Each consumer should only see the data to which they have access.
- Data should be up-to-date and accurate.
Here is an excellent opportunity to leverage a Reader Account within Snowflake. What is a Reader Account? A Reader Account allows you, as a Data Provider, to share data with non-Snowflake consumers. It’s not an entirely free lunch: unlike a direct share, where the consumers pay for the compute on the data share, Reader Accounts are owned by the Data Provider, and the Provider’s account pays for the compute used.
A common question is, “Do consumers who use the Reader Account have access to other objects that are not shared?” The answer is no. Think of a Reader Account as a sub-account that only has permissions on objects that have been shared AND, as the name implies, Reader Accounts cannot make changes to any shared objects.
Now, let’s set up a Reader Account:
Step 1: Create Reader Account
- The reader account name used in the create command (reader_sales) is not the name you use to actually access the account. The account name is also known as a locator, and is generated by Snowflake during account creation (QR18951 in this example).
- The reader account uses the same Snowflake Edition as the provider and is provisioned in the same region as the provider.
- There is an initial limit of 20 reader accounts that a given provider can create. If you need more than that, simply reach out to Snowflake Support.
Step 2: Login and Setup
Log in using the credentials that were set up for the Reader Account in the earlier step. If you need to set up additional security within a share, select Data Provider. You can also select Data Consumer in order to view personal shares.
Let’s now set up our users
In this example, this will consist of all our sales users.
Step 3: Set Up Users
As an Account Admin within your Reader Account, you can set up the users who will have access to the shares and then grant them their assigned roles. Keep in mind that the Reader Account has the SYSADMIN, PUBLIC, and SECURITYADMIN roles, and any other roles can be created.
Step 4: Create Warehouse
Create a new warehouse called sales_reader_wh, sized as an XSmall.
Step 5: Create a Database based on the Share
Now that we have users created, and our warehouse set up, we must create a database based on the share from the provider account. Let’s say the provider account that granted the share and Reader Account is j44789 and the share is called ‘sales_share’.
Step 6: Set Up All Access Privileges
Once our database is created from the share, we should grant access needed for the different roles. You must make sure to do a couple of things to allow the data to be queried:
- Grant usage on the data warehouse (sales_reader_wh)
- Grant imported privileges on the database created based on the share.
Outside of this, privileges can be added or removed as needed.
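Steps 1 through 6 as a single Snowflake SQL script. This is an added example, not the article's original commands. The names reader_sales, QR18951, j44789, sales_share and sales_reader_wh come from the text; reader_admin, sales_reader_role, sales_user1, sales_db and the password placeholders are assumptions.

```sql
-- Added example. Names marked (assumed) do not come from the article.

-- === In the provider account (j44789), as ACCOUNTADMIN ===
USE ROLE ACCOUNTADMIN;

-- Step 1: create the managed Reader Account.
CREATE MANAGED ACCOUNT reader_sales
  ADMIN_NAME = reader_admin,                          -- (assumed) admin login
  ADMIN_PASSWORD = '<REPLACE_WITH_STRONG_PASSWORD>',  -- placeholder
  TYPE = READER;

-- The generated locator (QR18951 in the article) is also listed here.
SHOW MANAGED ACCOUNTS;

-- Make the existing share visible to the Reader Account by its locator.
ALTER SHARE sales_share ADD ACCOUNTS = QR18951;

-- === In the Reader Account (QR18951), logged in as reader_admin (Step 2) ===
USE ROLE ACCOUNTADMIN;

-- Step 3: a dedicated role for sales readers and a user who holds it.
CREATE ROLE sales_reader_role;                        -- (assumed)
CREATE USER sales_user1                               -- (assumed)
  PASSWORD = '<REPLACE_WITH_TEMP_PASSWORD>'           -- placeholder
  MUST_CHANGE_PASSWORD = TRUE                         -- rotate at first login
  DEFAULT_ROLE = sales_reader_role;
GRANT ROLE sales_reader_role TO USER sales_user1;

-- Step 4: XSmall warehouse; auto-suspend keeps idle compute off the provider's bill.
CREATE WAREHOUSE sales_reader_wh
  WITH WAREHOUSE_SIZE = 'XSMALL'
  AUTO_SUSPEND = 60
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE;

-- Step 5: database backed by the provider's share (read-only).
CREATE DATABASE sales_db FROM SHARE j44789.sales_share;  -- sales_db (assumed)

-- Step 6: the two grants required before the role can query the data.
GRANT USAGE ON WAREHOUSE sales_reader_wh TO ROLE sales_reader_role;
GRANT IMPORTED PRIVILEGES ON DATABASE sales_db TO ROLE sales_reader_role;

-- Review what the role can actually reach.
SHOW GRANTS TO ROLE sales_reader_role;
```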
See how quick and simple that was?
Snowflake allows us to simply create managed Reader Accounts. From there, log in to the Reader Account, create users, warehouses, and databases from shares, grant privileges, and so on. With just a few command statements, a Reader Account can be accessed by the users, and the Account Admin of the Reader Account can grant access as needed to certain roles. Additionally, it’s highly recommended to set up resource monitors in order to limit credits used on your account. The Account Admin can create monitors which can limit the number of credits used by Reader Accounts, or even suspend a warehouse once a percentage of credits is used.
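A resource monitor for the reader warehouse, run as the Account Admin inside the Reader Account. This is an added example, not from the original article; the monitor name sales_reader_rm, the 20-credit quota and the threshold percentages are assumptions to adjust to your budget.

```sql
-- Added example. Monitor name, quota and thresholds are assumed values.
USE ROLE ACCOUNTADMIN;

-- Monthly credit budget with escalating actions:
--   75%  -> notify account administrators
--   90%  -> suspend the warehouse after running queries finish
--   100% -> suspend immediately, cancelling running queries
CREATE RESOURCE MONITOR sales_reader_rm WITH
  CREDIT_QUOTA = 20
  FREQUENCY = MONTHLY
  START_TIMESTAMP = IMMEDIATELY
  TRIGGERS
    ON 75 PERCENT DO NOTIFY
    ON 90 PERCENT DO SUSPEND
    ON 100 PERCENT DO SUSPEND_IMMEDIATE;

-- Attach the monitor to the warehouse the reader users query with.
ALTER WAREHOUSE sales_reader_wh SET RESOURCE_MONITOR = sales_reader_rm;

-- Confirm the quota, usage so far and the assigned thresholds.
SHOW RESOURCE MONITORS;
```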
Using Snowflake, this can all be done in a matter of minutes and allows ease of access to sales data for both internal and external vendors. Leveraging such a powerful tool, we can now set up data shares to both consumers and Reader Accounts. Strive is proud to partner with Snowflake to help organizations unlock true business value and help businesses get, and share, the data they need.
Interested in sharing secure data with or without Snowflake?
Strive Consulting is a business and technology consulting firm, and proud partner of Snowflake, having direct experience with Snowflake Data Share. Our team of experts can work hand-in-hand with you to determine if leveraging the Secure Data Share is right for your organization.