❄️ Latest: Snowflake customers — Learn how to connect Snowflake to everything! ❄️

follow or visit us on
Learning

Call a private API

Glenn Gillen
Glenn Gillen
VP of Product, GTM
LearningCall a private API

Wouldn't it be nice to be able call a private API that's only available inside your private network, with a simple Snowflake procedure call? Wouldn't it be even better if it was not necessary to manage IP allow lists, open firewall ports, or setup services like PrivateLink? Would you believe me if I told you that it would take you less than 15 minutes to setup?

Introducing the Snowflake Call Private API Connector!

Snowflake 💙 APIs

Many services offer a HTTP API in addition to a web interface. This makes data retrieval from the command-line very easy, using a simple curl command.

Snowflake is The Data Cloud and the place to support workloads such as data warehouses, data lakes, data science / ML / AI, and even cybersecurity. This centralization brings a huge amount of convenience through breaking down data silos and allowing teams to make smart data-informed decisions.

You might wonder though how it can be possible to tap into HTTP services from Snowflake applications, if those services are hosted in private networks. You might also wonder if it is possible to join the results of a remote call with one of your database tables as if the remote data was available as a local table.

In this post I'm going to show you how to securely access a private API, hosted in a private network, in just a few minutes. We will:

  • Install and configure the Call private API connector.
  • Make a stored procedure call to retrieve data as if it was a table select.
  • Make a stored procedure call to post data to the API.

Snowflake call private API

Install and configure the Call private API Connector

We are now going to create a set of stored procedures and a portal to access your private API.

Get the app

The Call private API Connector by Ockam is available in the Snowflake Marketplace - FIXME.

Select a warehouse

The first screen you're presented with will ask you to select the warehouse to utilize to activate the app and can choose to change the application name.

Grant account privileges

Click the Grant button to the right of this screen. The app will then be automatically granted permissions to create a warehouse and create a compute pool.

Activate app

Once the permissions grants complete, an Activate button will appear. Click it and the activation process will begin.

Launch app

After the app activates you'll see a page that summarizes the privileges that the application now has. There's nothing we need to review or update on these screens yet, so proceed by clicking the Launch app button.

Get the appSelect a warehouseGrant account privilegesActivate appLaunch app

Configuration

We are now going to configure the application. We first need to:

  • Create an Ockam project and issue an enrollment ticket
  • Configure the user name and password which will be used to access the server.

Configuring the application

Configure connection details

Click "Get started" to open the Snowflake setup screen.

Take the contents of the file snowflake.ticket that we just created and paste it into "Provide the above Enrollment Ticket" form field in the "Configure app" setup screen in Snowflake.

Configure API access

In this screen we need to select an authorization method. For this tutorial you can select Digest and continue. The other options available to use are:

  • None No credentials are required to access the private API.
  • Basic The private API is accessible with a user name and password.
  • Digest The private API is accessible with a user name and password, but they are not transmitted in clear text.
  • Bearer token The private API is accessible with a token passed with an Authorization header.
  • API Key The private API is accessible with an API Key passed with a specific extension header (for example X-api-key).

Grant privileges

To be able to authenticate with Ockam Orchestrator and then discover the route to our outlet, the Snowflake app needs to allow outbound connections to your Ockam project.

Toggle the Grant access to your credentials button, enter user for the user name and password for the user password.

Toggle the Grant access to your Ockam Project button and approve the connection by pressing Connect.

Start the application

Press "Next" and wait for the application to start. Once started, you should be able to see the server logs.

You can also notice a tab containing the logs for an Ockam node. That Ockam node is a portal inlet:

  • Which accesses a relay named api in the Ockam project.
  • Declares that only services with the attribute api can be connected to the inlet.
Create Snowflake ticketConfigure the stage accessGrant egressStart server

Setup an Ockam outlet on the API side

Testing the connection

Next steps

In summary, we are now able to securely access a private API, using Snowflake stored procedures, without exposing any port to the internet.

If you'd like to explore some other capabilities of Ockam I'd recommend:

Previous Article

How to build in security as a SaaS feature

Next Article

Authenticate & authorize every access decision

Edit on Github

Build Trust

Learn

Get Started

Ockam Command

Programming Libraries

Cryptographic & Messaging Protocols

Documentation

Blog

Use Cases

Snowflake Connector

Database Protection

Kafka Encryption

SaaS Platforms

Zero-trust Streaming Data

Company

Open Roles

Our Mission & Values

The Team

Team Handbook

Compliance & Audit Reports

Orchestrator Status

Style Guide

Privacy Notice

Terms of Service

Contact

Discussion

Build Trust Community Discord

Support

LinkedIn

Twitter

Newsletter - The Razor

© 2024 Ockam.io All Rights Reserved