
Data Exfiltration: As we know, external stages can be created by supplying AWS credentials directly in the CREATE STAGE command, which gives access to S3 buckets on the AWS cloud. But recently my colleague Mehani and I got stuck during stage creation, getting the error below.

SQL compilation error: Creation of stages with direct credentials, including accessing public stages, has been forbidden

However, it was a surprise to us, because the same command had been working fine a few days earlier and then suddenly started reporting an error. We went through various Snowflake blogs and found an article related to data exfiltration. Because data can be exported to an external stage or an external location, there is a data exfiltration risk: an employee may export data from Snowflake to an external storage location that is not approved by the organization.

Therefore, using credential-less stages, an account admin can create storage integrations and constrain external stages to be used only with a list of allowed cloud storage locations.

Parameters:

The Snowflake admin enforces that customers use the new pattern, i.e. storage integrations, for creating new stages and for using existing stages as well. Below are the parameters set at account level to enforce the constraints.

REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION

REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION

PREVENT_UNLOAD_TO_INLINE_URL

Verify the parameter values below. The values have changed to TRUE; the initial default is FALSE:

Parameters

REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION: Controls whether new stages must use storage integrations.

REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION: Controls whether existing stages without storage integrations may be used.

PREVENT_UNLOAD_TO_INLINE_URL: Unloading data from Snowflake tables to any internal stage, including user stages, table stages, or named internal stages, is prevented.

So when we try to create a stage without a storage integration, we get the error below:

Stage Creation Error

We cannot even access the existing stages that were created without a storage integration.

Stage Use and Table Unload

Once the parameters are reverted to their original value, i.e. FALSE, we are able to create stages and use the existing stages without the storage integration constraint. The parameters are set with statements of the following form, shown here with the enforcing value true:

ALTER ACCOUNT vg73771 SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = true;

ALTER ACCOUNT vg73771 SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = true;

ALTER ACCOUNT vg73771 SET PREVENT_UNLOAD_TO_INLINE_URL = true;

Stage Creation Success
Use Existing Stage
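The credential-less pattern described above, with the parameters left enforced, as an added example that is not part of the original post. The integration, stage and role names, the bucket path and the IAM role ARN are constructed placeholders.

```sql
-- Added example. All object names, the bucket path and the role ARN
-- are placeholders; substitute your own.

-- 1. Check the current account-level enforcement parameters.
SHOW PARAMETERS LIKE 'REQUIRE_STORAGE_INTEGRATION%' IN ACCOUNT;
SHOW PARAMETERS LIKE 'PREVENT_UNLOAD_TO_INLINE_URL' IN ACCOUNT;

-- 2. List external stages that have no storage integration attached.
--    These are the stages affected when
--    REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION is TRUE.
SHOW STAGES IN ACCOUNT;
SELECT "database_name", "schema_name", "name", "url", "has_credentials"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE COALESCE("url", '') <> ''                  -- external stages only
  AND COALESCE("storage_integration", '') = '';  -- no integration attached

-- 3. As an account admin, create an integration that is limited to the
--    approved cloud storage locations.
CREATE STORAGE INTEGRATION s3_approved_int
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'S3'
  ENABLED = TRUE
  STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::111122223333:role/snowflake-stage-access'
  STORAGE_ALLOWED_LOCATIONS = ('s3://example-approved-bucket/exports/');

-- Returns the IAM user and external ID to add to the role's trust policy.
DESC INTEGRATION s3_approved_int;

-- 4. Allow a working role to build stages on top of the integration.
GRANT USAGE ON INTEGRATION s3_approved_int TO ROLE data_engineer;

-- 5. Credential-less stage: no AWS keys appear in the statement, and the
--    URL must fall under STORAGE_ALLOWED_LOCATIONS.
CREATE STAGE approved_export_stage
  STORAGE_INTEGRATION = s3_approved_int
  URL = 's3://example-approved-bucket/exports/';

-- For contrast, the direct-credential form that is rejected with the
-- "Creation of stages with direct credentials ... has been forbidden" error:
-- CREATE STAGE legacy_stage
--   URL = 's3://example-approved-bucket/exports/'
--   CREDENTIALS = (AWS_KEY_ID = '<key-id>' AWS_SECRET_KEY = '<secret>');
```

Run step 2 before enabling enforcement so that each listed stage can be recreated on an integration first.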
