Set up external access for Snowflake Notebooks
By default, Snowflake restricts network traffic requests from external endpoints. In order to access external endpoints, you need to create an external network access integration. This topic describes how you can set up external network access for your notebook.
In most cases, APIs require an API key. To allow external access, use SQL to associate a secret (such as the API key) with your notebook. To manually associate a secret with a notebook, use ALTER NOTEBOOK … SET SECRETS:
ALTER NOTEBOOK <name>
SET SECRETS = ('<secret_variable_name>' = <secret_name>);
To retrieve a secret after associating it with a notebook, see Python API for Secret Access.
Enable existing external access integrations (EAI)
Note
This must be executed using the ACCOUNTADMIN role.
Sign in to Snowsight.
Select Projects » Notebooks.
To access the external access configuration, select the menu icon at the top right of your notebook.
Select Notebook settings and select the External access pane.
You will see a list of the external access integrations that are available to you. Use the toggle next to each integration to enable or disable it.
Provision external access integration
External access integrations, alongside their underlying network rules, need to be created and provisioned by an organization administrator.
Create external access integration
There are two steps in creating an external access integration for notebooks.
Create a network rule to define a set of IP addresses or domains using the CREATE NETWORK RULE command.
Create an external access integration to specify the allowed list of network rules using the CREATE EXTERNAL ACCESS INTEGRATION command.
The following examples show how to set up external access for common data science and machine learning sites.
Create an external access integration for PyPI:
CREATE OR REPLACE NETWORK RULE pypi_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('pypi.org', 'pypi.python.org', 'pythonhosted.org', 'files.pythonhosted.org');
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION pypi_access_integration
ALLOWED_NETWORK_RULES = (pypi_network_rule)
ENABLED = true;
Create an external access integration for Hugging Face:
CREATE OR REPLACE NETWORK RULE hf_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('huggingface.co', 'cdn-lfs.huggingface.co');
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION hf_access_integration
ALLOWED_NETWORK_RULES = (hf_network_rule)
ENABLED = true;
Allow all network access with one external access integration:
CREATE OR REPLACE NETWORK RULE allow_all_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('0.0.0.0:443','0.0.0.0:80');
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION allow_all_integration
ALLOWED_NETWORK_RULES = (allow_all_rule)
ENABLED = true;
Provision external access integration
After you create the EAIs, you must grant the USAGE privilege on the integration to an account role.
You can grant the USAGE privilege on the integrations with the following commands:
GRANT USAGE ON INTEGRATION pypi_access_integration TO ROLE my_notebook_role;
GRANT USAGE ON INTEGRATION hf_access_integration TO ROLE my_notebook_role;
GRANT USAGE ON INTEGRATION allow_all_integration TO ROLE my_notebook_role;
Note
It is important to grant the USAGE privilege on the integration to the role that creates the notebooks. USAGE granted to the PUBLIC role will not work.
For detailed syntax, see external network access.
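Before an administrator applies statements like the ones above, the allow-all rule and the PUBLIC grant are the two things worth catching in review. The following is an added example, not Snowflake's code: a small regex-based check (not a full SQL parser) that runs outside Snowflake, with a hypothetical function name `audit_eai_sql` and constructed sample input that reuses the object names from this page.

```python
import re

# Constructed review input: statements in the shapes this page uses, plus a PUBLIC grant.
SAMPLE_SQL = """
CREATE OR REPLACE NETWORK RULE pypi_network_rule
  MODE = EGRESS TYPE = HOST_PORT
  VALUE_LIST = ('pypi.org', 'files.pythonhosted.org');
CREATE OR REPLACE NETWORK RULE allow_all_rule
  MODE = EGRESS TYPE = HOST_PORT
  VALUE_LIST = ('0.0.0.0:443','0.0.0.0:80');
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION allow_all_integration
  ALLOWED_NETWORK_RULES = (allow_all_rule) ENABLED = true;
GRANT USAGE ON INTEGRATION allow_all_integration TO ROLE my_notebook_role;
GRANT USAGE ON INTEGRATION pypi_access_integration TO ROLE PUBLIC;
"""

RULE = re.compile(r"NETWORK\s+RULE\s+(\w+).*?VALUE_LIST\s*=\s*\((.*?)\)", re.I | re.S)
EAI = re.compile(r"EXTERNAL\s+ACCESS\s+INTEGRATION\s+(\w+).*?ALLOWED_NETWORK_RULES\s*=\s*\((.*?)\)", re.I | re.S)
GRANT = re.compile(r"GRANT\s+USAGE\s+ON\s+INTEGRATION\s+(\w+)\s+TO\s+ROLE\s+(\w+)", re.I)

def audit_eai_sql(sql):
    """Return (object, finding) pairs; rules must appear before the integrations that use them."""
    findings, open_rules, open_eais = [], set(), set()
    for stmt in sql.split(";"):
        if m := RULE.search(stmt):
            name = m.group(1).lower()
            for value in re.findall(r"'([^']*)'", m.group(2)):
                host, _, port = value.partition(":")
                if host == "0.0.0.0":  # the allow-all form shown on this page
                    open_rules.add(name)
                    findings.append((name, f"egress to any host on port {port or 'default'}"))
                if port == "80":
                    findings.append((name, f"port 80 (cleartext HTTP) open to {host}"))
        elif m := EAI.search(stmt):
            name = m.group(1).lower()
            rules = {r.strip().lower() for r in m.group(2).split(",")}
            if rules & open_rules:  # integration inherits the rule's reach
                open_eais.add(name)
                findings.append((name, "integration includes an allow-all rule"))
        elif m := GRANT.search(stmt):
            eai, role = m.group(1).lower(), m.group(2)
            if role.upper() == "PUBLIC":  # per the note above, this grant does not work
                findings.append((eai, "USAGE granted to PUBLIC; grant to the notebook-creating role"))
            if eai in open_eais:
                findings.append((eai, f"allow-all integration usable by role {role}"))
    return findings

if __name__ == "__main__": print(*audit_eai_sql(SAMPLE_SQL), sep="\n")
```

Host-scoped rules such as `pypi_network_rule` produce no findings, so a clean result means every reviewed rule names specific destinations.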
Enable integrations
After you create and provision EAIs, make sure to restart the notebook session. Now, you should see the access integrations you created in the external access pane. To enable the new integrations, see Enable existing external access integrations (EAI).
Additional resources
For detailed syntax, see external network access.
For additional examples of EAIs, see External network access examples or Setting up External Access for Snowflake Notebooks on GitHub.