With Secure Data Sharing, no actual data gets copy or transfer between accounts. All sharing is accomplished through metastore service. This is an important concept because it means that shared data does not take up any storage in a consumer account, only charges to consumers are for the compute resources (i.e. virtual warehouses) use to query the shared data.
General Data Sharing Considerations and Usage:
- Cross region data sharing supports for Snowflake accounts host on AWS, Google Cloud Platform, or Microsoft Azure.
- Moreover, A share can include data from multiple databases.
- Data providers only need to create one copy of the dataset per region; and not a copy per consumer.
- For Instance,Data can be share READ ONLY across accounts, and can not be clone accounts?
- In addition, Data security and privacy reasons, only secure views are supported in shares at this time.
- New and modify rows in tables in a share are available immediately to all consumers.
- New object created in a database in a share is not automatically available to consumers. To make the object available to consumers, you must use the GRANT <privilege> … TO SHARE.
- READER ACCOUNTS and FULL ACCOUNT are two types of data consumer accounts available in snowflake.
- Shared databases are read-only. Users in a consumer account can view/query data, but cannot insert or update data, or create any objects in the database.
- Creating a clone of a share database or any schemas/tables in the database does not support.
- You can not share already shared object with another database.
Steps involved in creating the Share:
Step 1: Create a Share
Step 2: Add Objects to the Share by Granting Privileges.
Use GRANT <privilege> … TO SHARE to grant the following object privileges to the share:
USAGE privilege on the database you wish to share.
USAGE privilege on each database schema containing the objects you wish to share.
SELECT privilege for sharing specific objects
Step3 : Grant the REFERENCE_USAGE privilege on each additional database
Use the REFERENCE_USAGE privilege when sharing a secure view that references objects belonging to multiple databases, as follows:
- The REFERENCE_USAGE privilege must be grant individually to each database.
Step 4: Add One or More Accounts to the Share
Use ALTER SHARE to add one or more accounts to the share. To review the accounts added to the share, you can use SHOW GRANTS.
Requirement: In source account, Customer ,Invoice and Billing data is available in three separate Databases. We need to share the few relative attributes from all these DB tables to one of the Consumer Account. The information share to the Consumer Account should be read only and not authorize to view the complete details from the tables as these entities contain the sensitive information which cannot be expose to outsiders.
To implement the scenario, we will create a database in Provider account ,containing the secure view which will be holding the required attributes from these tables and instead of sharing the tables individually will share the secure view to the Consumer account.
Create a Shared DB:
A provider who organized data into different databases based on the characteristics of data and business needs wants to share a secure view in one database that joins data in that database with objects (e.g. schema, table, view) from other databases.
Login to the Consumer Account:
Consumer Account can query the View and able to see the Data.
Similarly we want this view to be shared with the Account outside the Snowflake, We will do it via READER Account. To get more details , Please click here.