IP address restriction for Snowflake service accounts 

Data security is key. Your institution can allow or restrict access to Snowflake service accounts from specific IP addresses. This reduces the risk of unauthorized access to sensitive data, because a leaked service account password alone is not enough to connect from an unlisted network.

You can allow and restrict a specific IP address or a range of IP addresses.

From a restricted IP address, users can neither sign in with a Snowflake service account nor change that service account's password.

What is a Snowflake service account?

There are two ways to sign in to Snowflake. 

  • Sign in with username and password: these are called Illuminate service accounts and are useful for M2M (machine-to-machine) connections. IP address restrictions apply only to service accounts. Currently there is just one service account available in Illuminate, called SVC_BLACKBOARD_DATA.
Sign in to Snowflake screen with user name and password fields highlighted
  • Sign in with SSO: Snowflake uses your Illuminate credentials to log you in. To configure an IP restriction, you need to sign in via SSO and have the BBDATA_USER_ROLE role. IP address restrictions don't apply to users who sign in with SSO.
Snowflake sign in screen with Sign in using SSO highlighted

Configure an IP address restriction

To configure an IP address restriction: 

  • Sign in to Illuminate as a user with the developer role. 
  • Open the side panel and select the Developer option. 
  • Select Launch Snowflake.
Developer homepage, with Launch Snowflake in the bottom left
  • Select Sign in using SSO.
    • Note that to configure an IP restriction, you need to sign in via SSO. If you access Snowflake with a service account, IP restrictions can’t be applied. 
    • Your Snowflake user needs to have a BBDATA_USER_ROLE.
Snowflake sign in screen with Sign in using SSO highlighted
  • Open the side panel in Snowflake and select Worksheets
  • Select Create a new worksheet
  • You can choose between SQL and Python worksheets. In this example, we selected SQL Worksheet.
Example SQL worksheet in Snowflake
  • You can use the following statements as a base. This example allows a single IP address (1.1.1.1) and blocks a range of IP addresses (192.168.1.0/24, that is, 192.168.1.0 to 192.168.1.255) for the service account SVC_BLACKBOARD_DATA. Both addresses are placeholders; replace them with your institution's own public addresses.

USE ROLE BBDATA_USER_ROLE;

ALTER NETWORK POLICY NP_SVC_BLACKBOARD_DATA SET ALLOWED_IP_LIST = ('1.1.1.1');

ALTER NETWORK POLICY NP_SVC_BLACKBOARD_DATA SET BLOCKED_IP_LIST = ('192.168.1.0/24');

Worksheets tab in Snowflake

Command explanation 

  • USE ROLE. Switches to the role that holds the privilege to alter the IP restriction network policy. 
    • BBDATA_USER_ROLE is the only role that can alter IP address restrictions. 
  • ALTER NETWORK POLICY. Updates a preexisting network policy. This policy was created by the Illuminate team to facilitate IP address restriction configuration; you only modify it, you don't create or drop it. 
    • NP_SVC_BLACKBOARD_DATA. Identifies the network policy of the service account that will have an IP address restriction. Network policy names always start with the "NP_" prefix followed by the service account username. The only service account available is SVC_BLACKBOARD_DATA. 
  • SET ALLOWED_IP_LIST. Specifies the list of IP addresses allowed to connect to your Snowflake account using the service account. Once this list is set, any address not in it is blocked. 
  • SET BLOCKED_IP_LIST. Specifies the list of IP addresses blocked from connecting with the service account. The blocked list is evaluated first, so its purpose is to carve a sub-range out of an allowed range; addresses outside the allowed list are blocked without being listed. In the example above, 192.168.1.0/24 is not inside the allowed list, so blocking it only documents intent. 
  • SET replaces the whole list; it does not append to it. To add one address, re-issue the command with every address that should remain allowed plus the new one. An ALTER that lists only the new address silently removes all the others. 

Follow this notation to include the IP addresses that you need:

  • A single IP address: write the IP address between single quotes, inside parentheses. ('1.1.1.1')
  • Multiple IP addresses: write all IP addresses inside one pair of parentheses, each between single quotes and separated by commas. ('1.1.1.1','2.2.2.2','3.3.3.3') 
  • Range of IP addresses: use CIDR notation, a / followed by the prefix length at the end of the address. '192.168.1.0/24' covers 192.168.1.0 to 192.168.1.255 (256 addresses); '/32' is a single address and '/29' covers 8 addresses. ('192.168.1.0/24')
  • When a client connects over the internet, Snowflake sees the public address of the client's network (for example its NAT gateway), not a private LAN address such as 192.168.1.x. List the public egress address of the server that runs the integration.
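The following worksheet is an added example, not part of the Illuminate help page, showing a realistic allow list for SVC_BLACKBOARD_DATA written with the notation above. The addresses are taken from the RFC 5737 documentation ranges and stand in for an institution's real public addresses; the roles and policy name are the ones the page documents.

```sql
-- Added example (not from the Illuminate help page). Addresses are RFC 5737
-- documentation ranges used as placeholders for an institution's real egress addresses.
USE ROLE BBDATA_USER_ROLE;

-- SET replaces the whole list: every address that must stay allowed has to be
-- listed again each time, so keep the complete list somewhere you can re-issue it.
ALTER NETWORK POLICY NP_SVC_BLACKBOARD_DATA SET ALLOWED_IP_LIST = (
    '198.51.100.7',      -- single host: public egress address of the integration server
    '203.0.113.0/24'     -- CIDR range: the data centre's /24 (203.0.113.0 to 203.0.113.255)
);

-- The blocked list is evaluated first and is meant to carve a sub-range out of an
-- allowed range. Here 8 addresses inside 203.0.113.0/24 (say, a guest subnet) are
-- excluded: 203.0.113.200 to 203.0.113.207. Anything outside 203.0.113.0/24 and
-- 198.51.100.7 is already blocked and does not need an entry here.
ALTER NETWORK POLICY NP_SVC_BLACKBOARD_DATA SET BLOCKED_IP_LIST = ('203.0.113.200/29');

-- Confirm what is now in effect before handing the service account to the client.
DESCRIBE NETWORK POLICY NP_SVC_BLACKBOARD_DATA;
```

Run the DESCRIBE before you change anything as well, so that you have the previous lists on hand if you need to roll back.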

Check your IP address restriction configuration 

If you want to verify your IP address restriction configuration, you can use the following commands: 

  • As before, open the side panel in Snowflake and select Worksheets
  • Select Create a new worksheet. You can choose between SQL and Python worksheets. In this example, we selected SQL Worksheet.
  • Run the following query.

DESCRIBE NETWORK POLICY NP_SVC_BLACKBOARD_DATA; 

  • In the Results section, you can find the list of allowed and blocked IP addresses.
List of allowed and blocked IP addresses
  • You can also run the following query. 

SHOW NETWORK POLICIES; 

  • In the Results section, you can find the network policies available and number of entries in the allowed IP list and blocked IP list.
SQL worksheet example of a query

Change a Snowflake service account password when there’s an IP address restriction

A service account password can be changed only from a machine whose IP address is in the allowed IP address list (and not in the blocked list). 

This is because service account password resets are done in Snowflake, where IP address restrictions apply. 

  • To allow an Illuminate user to change a Snowflake service account password, temporarily add the public IP address of that user's machine to the allowed IP address list. 
  • After the Illuminate user changes the service account password, remove that address from the allowed list again.

You can change a Snowflake service account password following these steps:

  • Sign in to Illuminate as a user with the Developer role. 
  • Open the side panel and select Developer
  • Select Settings
  • Select the Snowflake Account Settings tab. 
  • Under the Service Account list, locate the SVC_BLACKBOARD_DATA service account. That is the only Snowflake service account available in Illuminate. 
  • Select Change Password
  • Reset the password in the Snowflake menu.
Illuminate Settings screen with Change Password highlighted in the bottom right
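The SQL below is an added example, not part of the Illuminate help page, showing the whole change-window procedure described above as a worksheet: record the current lists, add the administrator's address, change the password, restore the lists, verify. The existing addresses (198.51.100.7 and 203.0.113.0/24) and the administrator's address (192.0.2.55) are placeholders from the RFC 5737 documentation ranges.

```sql
-- Added example (not from the Illuminate help page). All addresses are placeholders.
USE ROLE BBDATA_USER_ROLE;

-- 1. Record the current lists. SET overwrites them, so you need this output to restore.
DESCRIBE NETWORK POLICY NP_SVC_BLACKBOARD_DATA;
-- Assume the result shows ALLOWED_IP_LIST = 198.51.100.7, 203.0.113.0/24 (placeholders).

-- 2. Re-issue the full existing list plus the administrator's public address.
--    Listing only '192.0.2.55' here would remove the integration server's access.
ALTER NETWORK POLICY NP_SVC_BLACKBOARD_DATA
    SET ALLOWED_IP_LIST = ('198.51.100.7', '203.0.113.0/24', '192.0.2.55');

-- 3. From the machine at 192.0.2.55, the administrator changes the password in
--    Illuminate: Developer > Settings > Snowflake Account Settings > Change Password,
--    then completes the reset in Snowflake (this is where the restriction is enforced).

-- 4. Close the window: restore the original list without the administrator's address.
ALTER NETWORK POLICY NP_SVC_BLACKBOARD_DATA
    SET ALLOWED_IP_LIST = ('198.51.100.7', '203.0.113.0/24');

-- 5. Verify that the temporary address is gone and the original entries are intact.
DESCRIBE NETWORK POLICY NP_SVC_BLACKBOARD_DATA;
```

Keep the window short and do steps 2 and 4 in the same session: the allowed list is the only thing standing between the service account password and any network on the internet while the extra address is present.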