Securing an External Function¶
This topic describes platform-independent details related to securing external functions.
In this Topic:
External functions, like any user-defined functions (UDFs), follow access control rules:
External functions have an owner.
The owner must grant callers (other than the owner) appropriate privilege(s) on the function.
However, external functions have some additional privilege requirement(s):
Because an external function requires an API integration, the author of the external function must be granted USAGE privilege on the API integration.
For more information about UDFs and access control, see Access Control Privileges.
An API integration is a database object. To create an API integration, you need ACCOUNTADMIN privileges or a Snowflake role with the CREATE INTEGRATION privilege. Account administrators can grant and revoke ownership and usage privileges on each API integration.
Secure the Proxy Service¶
After you’ve verified that you can call the external function, you typically should add security restrictions on the proxy service and then verify that you can still call the function.
Unless your external function is intended to be publicly accessible, you should limit who can call your external function. For details, see Secure Your Proxy Service Endpoint.
After adding security restrictions, call your function again to make sure that you can still call it.
To help secure access to the proxy service from inside Snowflake, the API integration owner specifies a whitelist of endpoints that the API integration object can access. Don’t forget to review the whitelist to make sure that it is as narrow as practical.
Secure the Remote Service¶
If you created your own remote service, don’t forget to secure that.
The details depend upon the implementation of the remote service and are outside the scope of this document.
In most cases, the remote service should use HTTPS, not HTTP.
Additional Security Information¶
Communications between Snowflake and the proxy server are encrypted using HTTPS.
Platform-Specific Security Information¶
For AWS, all Snowflake HTTP requests (going to the API Gateway) are signed using AWS sigv4 authentication. For more information about AWS sigv4 authentication, see:
Restrict access to your API Gateway endpoints by adding a resource policy. For more information, see Secure Your AWS API Gateway Proxy Service Endpoint.