Set up external access for Snowflake Notebooks
When working with notebooks, you might need to call external services, which often require sensitive credentials such as API keys. To keep sensitive information secure, you can use secrets managed within Snowflake instead of hardcoding credentials in your notebook.
External access integrations (EAIs) are configured using network rules and can optionally use Snowflake secrets for authentication.
By default, Snowflake restricts network traffic from external endpoints. To access external endpoints, follow these steps:
1. Create a network rule.
2. Create an external network access integration that uses the rule.
3. Create a secret for authentication (if needed). Generic string secrets also require an EAI.
4. Associate the secret with the EAI.
5. Associate the EAI and secret with the notebook.
Note
EAIs and network rules must be created by an organization administrator. For required privileges, see Access control requirements.
Configure a notebook with external access and secrets
This end-to-end example shows how to configure a notebook to access the OpenAI API using a generic string secret.
-- Step 1: Create a secret
CREATE SECRET openai_key
TYPE = GENERIC_STRING
SECRET_STRING = '<your-api-key>';
-- Step 2: Create a network rule
CREATE OR REPLACE NETWORK RULE openai_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('api.openai.com');
-- Step 3: Create an external access integration that uses the network rule and secret
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION openai_integration
ALLOWED_NETWORK_RULES = (openai_rule)
ALLOWED_AUTHENTICATION_SECRETS = (openai_key)
ENABLED = true;
-- Step 4: Associate the integration and secret with the notebook
ALTER NOTEBOOK my_notebook
SET EXTERNAL_ACCESS_INTEGRATIONS = (openai_integration),
SECRETS = ('openai_key' = openai_key);
Note
Secrets must be associated with both the external access integration (EAI) and the notebook. If a secret is associated with only one, it will not be accessible from notebook code.
Access the secret inside a notebook
After associating the secret with the notebook, to access its value in notebook code, use the st.secrets object:
import streamlit as st
api_key = st.secrets['openai_key']
Additional EAI examples
These examples show how to set up external access for common data science and machine learning sites:
EAI for PyPI
CREATE OR REPLACE NETWORK RULE pypi_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('pypi.org', 'pypi.python.org', 'pythonhosted.org', 'files.pythonhosted.org');
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION pypi_access_integration
ALLOWED_NETWORK_RULES = (pypi_network_rule)
ENABLED = true;
EAI for Hugging Face
CREATE OR REPLACE NETWORK RULE hf_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('huggingface.co', 'cdn-lfs.huggingface.co');
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION hf_access_integration
ALLOWED_NETWORK_RULES = (hf_network_rule)
ENABLED = true;
Grant USAGE privileges to use external access integrations
After you create the EAIs, grant the USAGE privilege on the integration to roles that will use them:
GRANT USAGE ON INTEGRATION openai_integration TO ROLE my_notebook_role;
The role used to create the notebook must have USAGE on the EAI. Granting USAGE to the PUBLIC role will not work.
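An added example, not part of the original documentation: a small Python linter for a setup script that flags the two misconfigurations described above, a notebook secret that is missing from its integration's ALLOWED_AUTHENTICATION_SECRETS and USAGE granted to PUBLIC. The sample script, the hf_key secret and the function names are constructed for illustration, and the parser assumes unquoted identifiers.

```python
import re

# Constructed sample script (not from the original page): the notebook binds
# hf_key, which its integration does not allow, and USAGE is granted to PUBLIC.
SAMPLE_SQL = """
-- hypothetical setup script
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION openai_integration
  ALLOWED_NETWORK_RULES = (openai_rule)
  ALLOWED_AUTHENTICATION_SECRETS = (openai_key)
  ENABLED = true;
ALTER NOTEBOOK my_notebook
  SET EXTERNAL_ACCESS_INTEGRATIONS = (openai_integration),
  SECRETS = ('openai_key' = openai_key, 'hf_token' = hf_key);
GRANT USAGE ON INTEGRATION openai_integration TO ROLE PUBLIC;
"""

def _paren_list(stmt, key):
    """Return the lowercased text inside `key = ( ... )`, or '' if absent."""
    m = re.search(r"\b" + key + r"\s*=\s*\(([^)]*)\)", stmt, re.I)
    return m.group(1).lower() if m else ""

def lint_setup(sql):
    """Return a list of findings for a notebook external-access setup script."""
    eai_secrets, notebooks, findings = {}, [], []
    for stmt in re.sub(r"--[^\n]*", "", sql).split(";"):
        stmt = stmt.strip()
        eai = re.match(r"CREATE\s+(?:OR\s+REPLACE\s+)?EXTERNAL\s+ACCESS\s+INTEGRATION\s+(\w+)", stmt, re.I)
        nb = re.match(r"ALTER\s+NOTEBOOK\s+(\w+)", stmt, re.I)
        pub = re.match(r"GRANT\s+USAGE\s+ON\s+INTEGRATION\s+(\w+)\s+TO\s+ROLE\s+PUBLIC\b", stmt, re.I)
        if eai:
            allowed = _paren_list(stmt, "ALLOWED_AUTHENTICATION_SECRETS")
            eai_secrets[eai.group(1).lower()] = set(re.findall(r"\w+", allowed))
        elif nb:
            eais = re.findall(r"\w+", _paren_list(stmt, "EXTERNAL_ACCESS_INTEGRATIONS"))
            # SECRETS maps 'alias' = secret_object; keep the object names.
            bound = re.findall(r"=\s*(\w+)", _paren_list(stmt, "SECRETS"))
            notebooks.append((nb.group(1), eais, bound))
        elif pub:
            findings.append(f"{pub.group(1)}: USAGE granted to PUBLIC; grant it to the notebook's role")
    # Check after the scan so statement order in the script does not matter.
    for name, eais, bound in notebooks:
        allowed = set().union(*(eai_secrets.get(e, set()) for e in eais))
        for secret in bound:
            if secret not in allowed:
                findings.append(f"{name}: secret {secret} is not in ALLOWED_AUTHENTICATION_SECRETS of {eais}")
    return findings
```

Calling lint_setup(SAMPLE_SQL) returns two findings; the same statements with hf_key removed and USAGE granted to my_notebook_role return none.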
Enable external access integrations in Snowsight
After you create and provision EAIs, restart the notebook session in order to see the access integrations you created in the External Access pane.
To enable integrations using Snowsight:
Additional authentication examples
OAuth access token
CREATE OR REPLACE SECRET oauth_token
TYPE = OAUTH2
API_AUTHENTICATION = google_translate_oauth
OAUTH_REFRESH_TOKEN = 'my-refresh-token';
-- Using the secret as part of an EAI
ALTER NOTEBOOK google_translate_test
SET EXTERNAL_ACCESS_INTEGRATIONS=(google_translate_integration)
SECRETS = ('cred' = oauth_token);
Generic string
-- SQL: Create the secret
CREATE SECRET sf_openai_key
TYPE = GENERIC_STRING
SECRET_STRING = '<string_literal>';
-- SQL: Associate the secret and EAI with the notebook
ALTER NOTEBOOK openai_test
SET EXTERNAL_ACCESS_INTEGRATIONS = (openai_access_int),
SECRETS = ('openai_key' = sf_openai_key);
For generic string secrets, access them by dictionary or attribute style:
import streamlit as st
# Dictionary style
username = st.secrets["cred"]["username"]
password = st.secrets["cred"]["password"]
# Attribute style
username = st.secrets.cred.username
password = st.secrets.cred.password
Additional resources
For detailed syntax, see External network access overview.
For details on using CREATE SECRET, see Creating a secret to represent credentials.
For additional examples of EAIs, see External network access examples or Setting up External Access for Snowflake Notebooks on GitHub.