Solicitação de integrações de acesso externo (EAIs) com especificações do aplicativo¶

This topic describes how to configure a Snowflake Native App to use app specifications to request access to an external access integration (EAI) in the consumer account. An EAI allows an app to connect to an endpoint that is external to Snowflake.

Acesso a pontos de extremidade externos a partir de um aplicativo¶

To access an external endpoint, an app must create a network rule and an EAI, which uses network rules to restrict access to specific external network locations. Network rules define the external endpoints that an app can access.

To configure an app to use an EAI, follow these steps:

To request privileges from the consumer to create an EAI, use automated granting of privileges.
Add an EAI to an app.
Usar especificações de aplicativo para solicitar permissões do consumidor para se conectar a um ponto de extremidade externo.

Nota

A single app specification applies to all of the EAIs created by the app. Providers can create multiple app specifications for an app; however, this is not required.

App specification workflow for an EAI¶

Providers configure automated granting of privileges for the app. This allows consumers to give permission to an app to create the EAI.

Nota

As especificações de aplicativo exigem que manifest_version = 2 seja definido no arquivo de manifesto.
Os provedores adicionam o privilégio CREATE EXTERNAL ACCESS INTEGRATION ao arquivo de manifesto.
Providers add SQL statements to the setup script to create the following objects:
The setup script creates the app specification and other objects when the app is installed or upgraded or at runtime.
Ao configurar o aplicativo, os consumidores aprovam as portas do host e outros serviços externos. Para mais informações sobre como os consumidores visualizam e aprovam especificações de aplicativos, consulte Aprovar conexões com recursos externos usando especificações de aplicativo.

App specification definition for an EAI¶

The app specification definition for an EAI contains the following entries:

HOST_PORTS: uma lista de portas host definidas na regra de rede que o aplicativo requer.
PRIVATE_HOST_PORTS: uma lista de portas de host que permitem se conectar a recursos fora do Snowflake de forma privada.

Nota

Esses valores devem corresponder aos valores que o aplicativo usa para criar a regra de rede.

Definição da versão do arquivo de manifesto¶

To enable automated granting of privileges for an app, set the version at the beginning of the manifest file, as shown in the following example:
manifest_version: 2
Copy

Adicionar o privilégio CREATE EXTERNAL ACCESS INTEGRATION ao arquivo de manifesto¶

The CREATE EXTERNAL ACCESS INTEGRATION privilege allows the app to create an external access integration during installation or upgrade.

To configure an app to request the CREATE EXTERNAL ACCESS INTEGRATION privilege, add the following code to the privileges section of the manifest file:

manifest_version: 2
...
privileges:
  - CREATE EXTERNAL ACCESS INTEGRATION:
      description: "Allows the app to create an EAI to connect to an external service."
...

Copy

If you set the manifest_version to 2 in the manifest file, Snowflake automatically grants the CREATE EXTERNAL ACCESS INTEGRATION privilege to the app during installation or upgrade.

Add a network rule and an EAI to the setup script¶

EAIs are the Snowflake objects that enable access to specific external network locations and contain a list of network rules that specify the external locations that an app can access.

Para criar uma regra de rede para um aplicativo, adicione o comando CREATE NETWORK RULE ao script de configuração, como mostrado no exemplo a seguir:
```
CREATE OR REPLACE NETWORK RULE setup.my_network_rule
TYPE = HOST_PORT
VALUE_LIST = ( 'example.com' )
MODE = EGRESS;
```
Copy

The HOST_PORT and VALUE_LIST properties indicate that the network rule must point to a valid domain, port, or range of ports. When an app is installed or upgraded, consumers grant permission for the app to use these domains or ports.

Create an EAI¶

To create an EAI for an app, add the CREATE EXTERNAL ACCESS INTEGRATION command to the setup script, as shown in the following example:

CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION my_app_prefix_eai_rule
  ALLOWED_NETWORK_RULES = (setup.my_network_rule)
  ENABLED = TRUE;

Copy

Nota

This command creates an EAI in the consumer account. However, it is not usable until the consumer approves the app specifications that allow external access to the requested host ports.

Para obter mais informações, consulte Aprovar conexões com recursos externos usando especificações de aplicativo.

Creating a user-defined function to access the external endpoint¶

After the EAI is created, the setup script can create user-defined functions and stored procedures that use it to connect to the endpoints defined in the network rule.

The following example shows a user-defined function that uses the my_app_prefix_eai_rule EAI:

CREATE OR REPLACE FUNCTION setup.EXTERNAL_ACCESS_UDF(hostname STRING)
  RETURNS STRING
  LANGUAGE JAVA
  HANDLER='TestHostNameLookup.compute'
  EXTERNAL_ACCESS_INTEGRATIONS = (my_app_prefix_eai_rule)
  AS
  '
      import java.net.InetAddress;
      import java.net.UnknownHostException;
      class TestHostNameLookup {{
          public static String compute(String hostname) throws Exception {{
              InetAddress addr = null;
              try {
                  addr = InetAddress.getByName(hostname);
              } catch(UnknownHostException ex) {
                  return "Hostname lookup failed";
              }
              return "Hostname lookup successful";
          }
      }
';
GRANT USAGE ON FUNCTION setup.EXTERNAL_ACCESS_UDF(STRING)
  TO APPLICATION ROLE app_public;

Copy

This function sets the value of the EXTERNAL_ACCESS_INTEGRATIONS to the EAI created previously.

This function uses the InetAddress Java package to look up the hostname passed to the procedure. The hostname provided must match one of the values provided in the VALUE_LIST property of the network rules used by the EAI.

Creating an app specification for an EAI¶

The following example shows how to create an app specification for an EAI:

ALTER APPLICATION SET SPECIFICATION eai_app_spec
  TYPE = EXTERNAL_ACCESS
  LABEL = 'Connection to an external API'
  DESCRIPTION = 'Access an API that exists outside Snowflake'
  HOST_PORTS = ('example.com')

Copy

This command creates an app specification named eai_app_spec.

Aprovação da especificação do aplicativo na conta do consumidor¶

After the provider configures the app to create the network rule, EAI, and app specification, consumers can view the app specification and approve or decline it as appropriate when configuring the app. For more information, see Aprovar conexões com recursos externos usando especificações de aplicativo.