Integrationen für den externen Zugriff (EAIs) mit App-Spezifikationen anfordern¶

This topic describes how to configure a Snowflake Native App to use app specifications to request access to an external access integration (EAI) in the consumer account. An EAI allows an app to connect to an endpoint that is external to Snowflake.

Zugriff auf externe Endpunkte von einer App aus¶

To access an external endpoint, an app must create a network rule and an EAI, which uses network rules to restrict access to specific external network locations. Network rules define the external endpoints that an app can access.

To configure an app to use an EAI, follow these steps:

To request privileges from the consumer to create an EAI, use automated granting of privileges.
Add an EAI to an app.
Verwenden Sie Anwendungsspezifikationen, um beim Verbraucher die Berechtigung anzufordern, eine Verbindung zu einem externen Endpunkt herzustellen.

Bemerkung

A single app specification applies to all of the EAIs created by the app. Providers can create multiple app specifications for an app; however, this is not required.

App specification workflow for an EAI¶

Providers configure automated granting of privileges for the app. This allows consumers to give permission to an app to create the EAI.

Bemerkung

App-Spezifikationen erfordern, dass manifest_version = 2 in der Manifest-Datei festgelegt wird.
Anbietende fügen die Berechtigung CREATE EXTERNAL ACCESS INTEGRATION zur Manifest-Datei hinzu.
Providers add SQL statements to the setup script to create the following objects:
The setup script creates the app specification and other objects when the app is installed or upgraded or at runtime.
Bei der Konfiguration der App genehmigen Verbraucher die Host-Ports und andere externe Services. Weitere Informationen darüber, wie Verbrauchende App-Spezifikationen anzeigen und genehmigen, finden Sie unter Verbindungen zu externen Ressourcen mit App-Spezifikationen genehmigen.

App specification definition for an EAI¶

The app specification definition for an EAI contains the following entries:

HOST_PORTS: Eine Liste der in der Netzwerkregel definierten Host-Ports, die die App benötigt.
PRIVATE_HOST_PORTS: Eine Liste von privaten Host-Ports, die private Konnektivität zu Ressourcen außerhalb von Snowflake ermöglichen.

Bemerkung

Diese Werte müssen mit den Werten übereinstimmen, die die App für das Erstellen der Netzwerkregel verwendet.

Die Version der Manifest-Datei festlegen¶

To enable automated granting of privileges for an app, set the version at the beginning of the manifest file, as shown in the following example:
manifest_version: 2
Copy

Die Berechtigung CREATE EXTERNAL ACCESS INTEGRATION zur Manifest-Datei hinzufügen¶

The CREATE EXTERNAL ACCESS INTEGRATION privilege allows the app to create an external access integration during installation or upgrade.

To configure an app to request the CREATE EXTERNAL ACCESS INTEGRATION privilege, add the following code to the privileges section of the manifest file:

manifest_version: 2
...
privileges:
  - CREATE EXTERNAL ACCESS INTEGRATION:
      description: "Allows the app to create an EAI to connect to an external service."
...

Copy

If you set the manifest_version to 2 in the manifest file, Snowflake automatically grants the CREATE EXTERNAL ACCESS INTEGRATION privilege to the app during installation or upgrade.

Add a network rule and an EAI to the setup script¶

EAIs are the Snowflake objects that enable access to specific external network locations and contain a list of network rules that specify the external locations that an app can access.

Um eine Netzwerkregel für eine App zu erstellen, fügen Sie dem Setup-Skript den Befehl CREATE NETWORK RULE hinzu, wie im folgenden Beispiel gezeigt:
```
CREATE OR REPLACE NETWORK RULE setup.my_network_rule
TYPE = HOST_PORT
VALUE_LIST = ( 'example.com' )
MODE = EGRESS;
```
Copy

The HOST_PORT and VALUE_LIST properties indicate that the network rule must point to a valid domain, port, or range of ports. When an app is installed or upgraded, consumers grant permission for the app to use these domains or ports.

Create an EAI¶

To create an EAI for an app, add the CREATE EXTERNAL ACCESS INTEGRATION command to the setup script, as shown in the following example:

CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION my_app_prefix_eai_rule
  ALLOWED_NETWORK_RULES = (setup.my_network_rule)
  ENABLED = TRUE;

Copy

Bemerkung

This command creates an EAI in the consumer account. However, it is not usable until the consumer approves the app specifications that allow external access to the requested host ports.

Weitere Informationen dazu finden Sie unter Verbindungen zu externen Ressourcen mit App-Spezifikationen genehmigen.

Creating a user-defined function to access the external endpoint¶

After the EAI is created, the setup script can create user-defined functions and stored procedures that use it to connect to the endpoints defined in the network rule.

The following example shows a user-defined function that uses the my_app_prefix_eai_rule EAI:

CREATE OR REPLACE FUNCTION setup.EXTERNAL_ACCESS_UDF(hostname STRING)
  RETURNS STRING
  LANGUAGE JAVA
  HANDLER='TestHostNameLookup.compute'
  EXTERNAL_ACCESS_INTEGRATIONS = (my_app_prefix_eai_rule)
  AS
  '
      import java.net.InetAddress;
      import java.net.UnknownHostException;
      class TestHostNameLookup {{
          public static String compute(String hostname) throws Exception {{
              InetAddress addr = null;
              try {
                  addr = InetAddress.getByName(hostname);
              } catch(UnknownHostException ex) {
                  return "Hostname lookup failed";
              }
              return "Hostname lookup successful";
          }
      }
';
GRANT USAGE ON FUNCTION setup.EXTERNAL_ACCESS_UDF(STRING)
  TO APPLICATION ROLE app_public;

Copy

This function sets the value of the EXTERNAL_ACCESS_INTEGRATIONS to the EAI created previously.

This function uses the InetAddress Java package to look up the hostname passed to the procedure. The hostname provided must match one of the values provided in the VALUE_LIST property of the network rules used by the EAI.

Creating an app specification for an EAI¶

The following example shows how to create an app specification for an EAI:

ALTER APPLICATION SET SPECIFICATION eai_app_spec
  TYPE = EXTERNAL_ACCESS
  LABEL = 'Connection to an external API'
  DESCRIPTION = 'Access an API that exists outside Snowflake'
  HOST_PORTS = ('example.com')

Copy

This command creates an app specification named eai_app_spec.

App-Spezifikation im Konto des Verbrauchenden genehmigen¶

After the provider configures the app to create the network rule, EAI, and app specification, consumers can view the app specification and approve or decline it as appropriate when configuring the app. For more information, see Verbindungen zu externen Ressourcen mit App-Spezifikationen genehmigen.