Securing an External Function

This topic describes platform-independent details related to securing external functions.

Access Control

External Functions

External functions, like any user-defined functions (UDFs), follow access control rules:

  • External functions have an owner.

  • The owner must grant callers (other than the owner) appropriate privilege(s) on the function.

However, external functions have some additional privilege requirement(s):

  • Because an external function requires an API integration, the author of the external function must be granted USAGE privilege on the API integration.

For more information about UDFs and access control, see Access Control Privileges.

API Integrations

An API integration is a database object. To create an API integration, you need ACCOUNTADMIN privileges or a Snowflake role with the CREATE INTEGRATION privilege. Account administrators can grant and revoke ownership and usage privileges on each API integration.

Secure the Proxy Service

After you’ve verified that you can call the external function, you should typically add security restrictions to the proxy service and then verify that you can still call the function.

  1. Unless your external function is intended to be publicly accessible, you should limit who can call your external function. For details, see Secure Your Proxy Service Endpoint.

  2. After adding security restrictions, call your function again to make sure that you can still call it.

To help secure access to the proxy service from inside Snowflake, the API integration owner specifies a whitelist of endpoints that the API integration object can access. Don’t forget to review the whitelist to make sure that it is as narrow as practical.
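The grants described under Access Control and the endpoint restriction described above, as an added example that is not part of the original documentation. It assumes an AWS API Gateway proxy; every object name, role name, the role ARN and the URLs are constructed placeholders, and the roles are assumed to already hold the database and schema privileges they need.

```sql
-- Added example: all names, the ARN and the URLs are constructed placeholders.

-- Run as ACCOUNTADMIN or a role that holds the CREATE INTEGRATION privilege.
-- Too broad: every stage and resource on this gateway host would be reachable.
--   API_ALLOWED_PREFIXES = ('https://abc123.execute-api.us-west-2.amazonaws.com/')
-- Narrow: only the single stage and resource that the function calls.
CREATE OR REPLACE API INTEGRATION demo_api_int
  API_PROVIDER = aws_api_gateway
  API_AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/demo_snowflake_role'
  API_ALLOWED_PREFIXES = ('https://abc123.execute-api.us-west-2.amazonaws.com/prod/echo')
  ENABLED = TRUE;

-- Review the allowed prefixes that are actually in effect.
DESCRIBE INTEGRATION demo_api_int;

-- The author of the external function needs USAGE on the API integration.
GRANT USAGE ON INTEGRATION demo_api_int TO ROLE demo_func_author;

-- As the author (assumed to be able to create functions in demo_schema).
USE ROLE demo_func_author;
CREATE OR REPLACE EXTERNAL FUNCTION demo_db.demo_schema.demo_echo(v VARCHAR)
  RETURNS VARIANT
  API_INTEGRATION = demo_api_int
  AS 'https://abc123.execute-api.us-west-2.amazonaws.com/prod/echo';

-- Callers other than the owner need USAGE on the function itself.
GRANT USAGE ON FUNCTION demo_db.demo_schema.demo_echo(VARCHAR) TO ROLE demo_analyst;

-- Audit who holds privileges on each object.
SHOW GRANTS ON INTEGRATION demo_api_int;
SHOW GRANTS ON FUNCTION demo_db.demo_schema.demo_echo(VARCHAR);

-- After restricting the proxy service, confirm a granted caller still succeeds.
USE ROLE demo_analyst;
SELECT demo_db.demo_schema.demo_echo('ping');
```

The function's URL must fall under one of the integration's allowed prefixes, so narrowing the prefix to the exact resource also prevents the integration from being reused for other endpoints on the same gateway.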

Secure the Remote Service

If you created your own remote service, remember to secure it as well.

The details depend upon the implementation of the remote service and are outside the scope of this document.

In most cases, the remote service should use HTTPS, not HTTP.

Additional Security Information

  • Communications between Snowflake and the proxy server are encrypted using HTTPS.

Platform-Specific Security Information

AWS