Introduction to Secure Data Sharing

.

Related Topics

Secure Data Sharing enables sharing selected objects (tables, secure views, and secure UDFs) in a database in your account with other Snowflake accounts.

Snowflake enables the sharing of databases through shares, which are created by data providers and “imported” by data consumers.

Important

All database objects shared between accounts are read-only (i.e. the objects cannot be modified or deleted, including adding or modifying table data).

In this Topic:

How Does Secure Data Sharing Work?

With Secure Data Sharing, no actual data is copied or transferred between accounts. All sharing is accomplished through Snowflake’s unique services layer and metadata store. This is an important concept because it means that shared data does not take up any storage in a consumer account and, therefore, does not contribute to the consumer’s monthly data storage charges. The only charges to consumers are for the compute resources (i.e. virtual warehouses) used to query the shared data.

In addition, because no data is copied or exchanged, Secure Data Sharing setup is quick and easy for providers and access to the shared data is instantaneous for consumers:

  • The provider creates a share of a database in their account and grants access to specific objects (i.e. tables, secure views, and secure UDFs) in the database. The provider can also share data from multiple databases, as long as these databases belong to the same account. One or more accounts are then added to the share, which can include your own accounts (if you have multiple Snowflake accounts).

    For more details, see What is a Share? (in this topic).

  • On the consumer side, a read-only database is created from the share. Access to this database is configurable using the same, standard role-based access control that Snowflake provides for all objects in the system.

Through this architecture, Snowflake enables creating a network of providers that can share data with multiple consumers (including within their own organization) and consumers that can access shared data from multiple providers:

Overview of provider accounts sharing data with consumer accounts

Note

Any full Snowflake account can both provide and consume shared data. Snowflake also supports third-party accounts, a special type of account that consumes shared data from a single provider account. For more details, see Reader Accounts (in this topic).

What is a Share?

Shares are named Snowflake objects that encapsulate all of the information required to share a database. Each share consists of:

  • The privileges that grant access to the database(s) and the schema containing the objects to share.

  • The privileges that grant access to the specific objects (tables, secure views, and secure UDFs).

  • The consumer accounts with which the database and its objects are shared.

Once a database is created (in a consumer account) from a share, all the shared objects are accessible to users in the consumer account:

Relationship between databases, database objects, shares, and accounts

Shares are secure, configurable, and controlled 100% by the provider account:

  • New objects added to a share become immediately available to all consumers, providing real-time access to shared data.

  • Access to a share (or any of the objects in a share) can be revoked at any time.

Overview of Data Providers and Consumers

Providers

A data provider is any Snowflake account that creates shares and makes them available to other Snowflake accounts to consume. As a data provider, you share a database with one or more Snowflake accounts. For each database you share, Snowflake supports using grants to provide granular access control to selected objects (schemas, tables, secure views, and secure UDFs) in the database (i.e., you grant access privileges for one or more specific objects within the database).

Snowflake does not place any hard limits on the number of shares you can create or the number of accounts you can add to a share.

For a quick guide to sharing data as a provider, see Getting Started with Secure Data Sharing. For more detailed information, see Working with Shares.

Consumers

A data consumer is any account that chooses to create a database from a share made available by a data provider. As a data consumer, once you add a shared database to your account, you can access and query the objects in the database just as you would any other database in your account.

Snowflake does not place any hard limits on the number of shares you can consume from data providers; however, you can only create one database per share.

For more details, see Data Consumers.

Third-Party Accounts

Reader Accounts

Data sharing is only supported between Snowflake accounts. As a data provider, you might wish to share data with a consumer who does not already have a Snowflake account and/or is not ready to become a licensed Snowflake customer.

To facilitate sharing data with these consumers, Snowflake supports providers creating reader accounts. Reader accounts (formerly known as “read-only accounts”) provide a quick, easy, and cost-effective way to share data without requiring the consumer to become a Snowflake customer.

Each reader account belongs to the provider account that created it. Similar to standard consumer accounts, the provider account uses shares to share databases with reader accounts; however, a reader account can only consume data from the provider account that created it:

Overview of data sharing reader accounts

Users in a reader account can query data that has been shared with it, but cannot perform any of the DML tasks that are allowed in a full account (data loading, insert, update, etc.).

For more details, see Managing Reader Accounts.