Snowflake to google cloud storage - bucket security

2
votes

We are looking at this link that outlines how to stage Snowflake output to a GCS bucket (https://docs.snowflake.com/en/user-guide/data-load-gcs-config.html). In step 3 of the article, you simply provide the name of the service account to the GCS bucket and once assigned with the right permissions, the snowflake account can obtain access.

My question is, if the name of that service account were compromised, what is stopping a potential hacker from impersonating that account and running a python/java program to connect to my GCS bucket where that account is allowed?

In that article, I don't see any requirement for keys, tokens, certs or other additional controls to restrict access. On the GCP side, it is just permissions and the name of the account that controls it?

Thanks and regards

1
snowflake-cloud-data-platform

1 Answers

2
votes

This is a cool question, and first thing you should know is that your data is safe.

When you want to setup GCP/GCS so Snowflake can read files from it, Snowflake will create a service account id like [email protected]. You can use that identity to tell GCS things like "yes, it's fine to share these files of mine with [email protected]. This is secure.

Why?

The only one that holds the secrets to identify as [email protected] is your Snowflake account. It doesn't matter if this id becomes public, because no one has the "password" for it, other than your Snowflake account.