Security overview for Streamlit in Snowflake¶
This topic provides a security overview for system administrators managing Streamlit in Snowflake in their Snowflake accounts. Understanding the security model and implementing proper controls ensures that developers can build secure applications while administrators maintain governance over sensitive data and resources.
Security model¶
Streamlit in Snowflake follows Snowflake’s comprehensive security model, which includes authentication, role-based access control, network policies, and data governance features. Apps are first-class Snowflake objects that integrate with existing security infrastructure.
Owner’s rights execution¶
By default, Streamlit apps run with owner’s rights, similar to stored procedures. This has the following consequences:
Apps execute queries using the privileges of the app owner, not the viewer.
The app owner’s role determines what data and operations the app can access.
Viewers can interact with the app without needing direct access to underlying tables or views.
This model eliminates the need for service account tokens and integrates seamlessly with Snowflake’s authentication and access control features. For more information, see Understanding owner’s rights and Streamlit in Snowflake apps.
Content Security Policy¶
All Streamlit apps run within a Content Security Policy (CSP) that restricts which resources can be loaded. This policy provides defense-in-depth protection against cross-site scripting (XSS) and other code injection attacks. The CSP is not configurable at this time.
The CSP blocks the following external resources:
Loading code (scripts, styles, fonts) from external domains
Embedding apps in iframes from external domains
The CSP allows the following external resources:
Images and media from HTTPS sources: Apps can load images and media files from any HTTPS URL, including external image hosting services and APIs that return images. This doesn’t require an external access integration.
Data URIs and blob URLs: Apps can use embedded data (data URIs) and dynamically generated content (blob URLs) for images and media. This supports features like displaying charts, diagrams, or user-uploaded content.
Mapbox and Carto resources: A limited subset of resources from Mapbox and Carto are permitted to support mapping visualizations.
Note
For warehouse runtimes which use conda to manage dependencies, you must accept the Anaconda terms to use Mapbox. For more information, see Using third-party packages from Anaconda.
Loading images or media from external domains is supported in Streamlit in Snowflake, but not in Snowflake Native App Framework.
The CSP also blocks front-end calls that are generally considered unsafe, such as
eval().
This restrictive policy means that most third-party JavaScript libraries and custom components that rely on external scripts won’t work in Streamlit apps. For more information about CSP limitations, see Limitations when loading external resources in Streamlit in Snowflake.
Essential security setup¶
The following security configurations are essential for a secure and well-functioning Streamlit in Snowflake environment.
Network access configuration¶
Configure network access to ensure that apps can communicate with Snowflake.
For all deployments:
Add
*.snowflake.appto your network allowlist to enable communication between Streamlit apps and Snowflake.Ensure WebSockets are not blocked in your network configuration.
For more information, see You can’t load the Streamlit app.
For private connectivity:
If your organization requires private connectivity, configure AWS PrivateLink, Azure Private Link, or Google Cloud Private Service Connect for both Snowflake access and Streamlit app access. For more information, see Private connectivity for Streamlit in Snowflake.
Role-based access control¶
Establish a role hierarchy for managing Streamlit apps.
Recommended role structure:
Creator roles: Roles with CREATE STREAMLIT privileges on schemas where apps will be deployed.
Viewer roles: Roles with USAGE privileges on apps for end users.
The following example shows how to create a role hierarchy for Streamlit apps:
-- Create dedicated roles for Streamlit
CREATE ROLE streamlit_developer;
CREATE ROLE streamlit_viewer;
-- Grant hierarchy
GRANT ROLE streamlit_viewer TO ROLE streamlit_developer;
-- Grant privileges for app creation
GRANT USAGE ON DATABASE streamlit_db TO ROLE streamlit_developer;
GRANT USAGE ON SCHEMA streamlit_db.apps TO ROLE streamlit_developer;
GRANT CREATE STREAMLIT ON SCHEMA streamlit_db.apps TO ROLE streamlit_developer;
GRANT USAGE ON COMPUTE_POOL streamlit_compute_pool TO ROLE streamlit_developer;
GRANT USAGE ON INTEGRATION python_package_index TO ROLE streamlit_developer;
-- Grant privileges for app viewing
GRANT USAGE ON WAREHOUSE streamlit_wh TO ROLE streamlit_viewer;
GRANT USAGE ON DATABASE streamlit_db TO ROLE streamlit_viewer;
GRANT USAGE ON SCHEMA streamlit_db.apps TO ROLE streamlit_viewer;
GRANT USAGE ON STREAMLIT streamlit_db.apps.my_app TO ROLE streamlit_viewer;
The app developer also needs USAGE on streamlit_wh, but this is inherited from the
viewer role. For more information about required privileges, see Privileges required to create and use a Streamlit app.
Secrets management¶
Configure proper secrets management for apps that access external services or sensitive credentials:
Enable secrets access for apps by granting appropriate privileges:
-- Grant privileges on secrets to app owner role GRANT READ ON SECRET my_secret TO ROLE streamlit_developer; GRANT USAGE ON INTEGRATION my_external_access_integration TO ROLE streamlit_developer;
For container runtime apps, create SQL functions to wrap secret access rather than embedding secrets in app code.
For more information, see Manage secrets and configure your Streamlit app.
Context functions and row-level security¶
If your apps use context functions (such as CURRENT_USER()) or access tables with row access policies,
grant the global READ SESSION privilege to app owner roles:
USE ROLE ACCOUNTADMIN;
GRANT READ SESSION ON ACCOUNT TO ROLE streamlit_developer;
Note
Apps using CURRENT_ROLE() in row access policies will always return the app owner’s role, not
the viewer’s role, because apps run with owner’s rights by default.
For more information and examples, see Row access policies in Streamlit in Snowflake.
Container runtimes only: Package repository security¶
Configure one or more package indexes for container runtimes.
Container runtimes can install packages from external repositories like PyPI. You can control package sources using curated package indexes, like JFrog Artifactory, or you can use the default package index, PyPI. Regardless of which package index you use, you must create an external access integration (EAI) to allow your apps to install dependencies.
Using a curated package index provides the following benefits:
This helps prevent supply chain attacks and ensures packages come from trusted sources.
It allows you to control which packages and versions are available to your apps.
It provides audit trails for package installations.
For more information, see Managing dependencies for container runtimes.
Warehouse runtimes only: External offerings terms¶
Warehouse runtimes use conda to manage your app’s dependencies. If you want to use Mapbox in your apps, you must you must acknowledge the External Offerings Terms.
For information about using this package, see Using third-party packages from Anaconda.
Available security features¶
The following security features are available to enhance app security and governance.
External access integrations¶
Control which external networks and services your apps can access:
Create network rules to define allowed endpoints.
Create external access integrations that reference network rules and authentication secrets.
Assign external access integrations to Streamlit apps.
This prevents apps from making unauthorized outbound connections and provides audit trails for external access.
For more information, see External network access in Streamlit in Snowflake.
Git integration¶
Integrate Streamlit apps with Git repositories for version control and change tracking:
Grant appropriate privileges on Git repository objects (READ, WRITE, or OWNERSHIP).
Use Git integration to maintain audit trails of code changes.
Implement code review processes before deploying changes to production apps.
For more information, see Sync Streamlit in Snowflake apps with a Git repository.
Private connectivity¶
For organizations with strict network security requirements, configure private connectivity to ensure all Streamlit traffic remains within your private network. Streamlit in Snowflake supports the following private connectivity options:
Private connectivity eliminates exposure to the public internet and provides additional network isolation.
For more information, see Private connectivity for Streamlit in Snowflake.
Logging and tracing¶
For warehouse runtimes, enable logging and tracing to monitor app behavior and troubleshoot issues:
Create an event table and associate it with your account.
Set appropriate log and trace levels for databases containing Streamlit apps.
Review logs regularly for security events, errors, and unusual behavior.
Logging and tracing aren’t supported for container runtimes yet.
For more information, see Logging and tracing for Streamlit in Snowflake.
Best practices for administrators¶
The following best practices help maintain a secure Streamlit environment.
Use dedicated roles and schemas:
Create separate schemas for development, testing, and production apps.
Use different roles for each environment to prevent accidental changes to production apps.
Grant production app ownership to service roles rather than individual user accounts.
Implement least privilege access:
Grant only the minimum required privileges to each role.
Regularly review and audit role memberships and privileges.
Avoid granting ACCOUNTADMIN or other powerful roles to app owner roles unless absolutely necessary.
Manage app lifecycle:
Establish processes for app approval and deployment.
Require code reviews before promoting apps to production.
Document which apps access sensitive data and require additional scrutiny.
Regularly review and remove unused or deprecated apps.
Monitor resource usage:
Set appropriate warehouse sizes for app workloads.
Monitor compute costs and set up alerts for unusual usage patterns.
For container runtimes, configure compute pools with appropriate MIN_NODES and MAX_NODES settings.
Use separate warehouses for different app environments to isolate costs and resources.
For more information about resource management, see Managing costs for Streamlit in Snowflake and Runtime environments for Streamlit apps.
Use secure app development practices:
Never embed credentials or API keys directly in app code.
Use Snowflake secrets for storing sensitive information.
Validate and sanitize user inputs to prevent SQL injection.
Limit the data exposed through apps to only what viewers need to see.
Test apps thoroughly before sharing with wider audiences.
For more information about owner’s rights security considerations, see Owner’s rights and app security.
Perform regular security audits:
Review which roles have CREATE STREAMLIT privileges.
Audit which apps access which data sources.
Review external access integrations and network rules.
Check for apps owned by former employees or inactive accounts.
Review Git repository access and commit history.
Use the following queries to audit your Streamlit apps:
-- List all Streamlit apps and their owners
SHOW STREAMLITS;
-- Check privileges on a specific app
SHOW GRANTS ON STREAMLIT streamlit_db.apps.my_app;
-- List all roles with CREATE STREAMLIT privileges
SHOW GRANTS OF CREATE STREAMLIT;