Introduction to Secure Data Sharing¶
Secure Data Sharing enables sharing selected objects (tables, secure views, and secure UDFs) in a database in your account with other Snowflake accounts.
Snowflake enables the sharing of databases through shares, which are created by data providers and “imported” by data consumers.
All database objects shared between accounts are read-only (i.e. the objects cannot be modified or deleted, including adding or modifying table data).
In this Topic:
How Does Secure Data Sharing Work?¶
With Secure Data Sharing, no actual data is copied or transferred between accounts. All sharing is accomplished through Snowflake’s unique services layer and metadata store. This is an important concept because it means that shared data does not take up any storage in a consumer account and, therefore, does not contribute to the consumer’s monthly data storage charges. The only charges to consumers are for the compute resources (i.e. virtual warehouses) used to query the shared data.
In addition, because no data is copied or exchanged, Secure Data Sharing setup is quick and easy for providers and access to the shared data is instantaneous for consumers:
The provider creates a share of a database in their account and grants access to specific objects (i.e. tables, secure views, and secure UDFs) in the database. The provider can also share data from multiple databases, as long as these databases belong to the same account. One or more accounts are then added to the share, which can include your own accounts (if you have multiple Snowflake accounts).
For more details, see What is a Share? (in this topic).
On the consumer side, a read-only database is created from the share. Access to this database is configurable using the same, standard role-based access control that Snowflake provides for all objects in the system.
Through this architecture, Snowflake enables creating a network of providers that can share data with multiple consumers (including within their own organization) and consumers that can access shared data from multiple providers:
Any full Snowflake account can both provide and consume shared data. Snowflake also supports third-party accounts, a special type of account that consumes shared data from a single provider account. For more details, see Reader Accounts (in this topic).
Overview of Data Providers and Consumers¶
A data provider is any Snowflake account that creates shares and makes them available to other Snowflake accounts to consume. As a data provider, you share a database with one or more Snowflake accounts. For each database you share, Snowflake supports using grants to provide granular access control to selected objects (schemas, tables, secure views, and secure UDFs) in the database (i.e., you grant access privileges for one or more specific objects within the database).
Snowflake does not place any hard limits on the number of shares you can create or the number of accounts you can add to a share.
A data consumer is any account that chooses to create a database from a share made available by a data provider. As a data consumer, once you add a shared database to your account, you can access and query the objects in the database just as you would any other database in your account.
Snowflake does not place any hard limits on the number of shares you can consume from data providers; however, you can only create one database per share.
For more details, see Data Consumers.
Data sharing is only supported between Snowflake accounts. As a data provider, you might wish to share data with a consumer who does not already have a Snowflake account and/or is not ready to become a licensed Snowflake customer.
To facilitate sharing data with these consumers, Snowflake supports providers creating reader accounts. Reader accounts (formerly known as “read-only accounts”) provide a quick, easy, and cost-effective way to share data without requiring the consumer to become a Snowflake customer.
Each reader account belongs to the provider account that created it. Similar to standard consumer accounts, the provider account uses shares to share databases with reader accounts; however, a reader account can only consume data from the provider account that created it:
Users in a reader account can query data that has been shared with it, but cannot perform any of the DML tasks that are allowed in a full account (data loading, insert, update, etc.).
For more details, see Managing Reader Accounts.